While electronic data security is high on an organisation's agenda with GDPR, many fail to adequately address the security of paper-based data. In reality, it would be a costly and detrimental mistake to assume that paper-based security risks have gone away.
Research from the ICO (during 2016) revealed that 40% of UK data security incidents were attributed to paper. These include:
- 19% Data posted/faxed to wrong recipient
- 14% Loss/theft of paper work
- 4% Data left in insecure location
- 3% Insecure disposal of paperwork
Since then, 2017 has seen a further 20% increase in loss or theft of paperwork, heightening the importance of ensuring that paper-based security protocols are in place within all businesses.
Shredding paper-based documents can help companies to meet GDPR requirements by providing an effective way of disposing of data securely to prevent access by third parties. The GDPR is concerned with personal data handled by organisations in both electronic and physical formats, such as paper documents. If you fail to ensure that proper procedures are followed to secure hardcopy documents, you pose a high risk to your business, because under the GDPR you are liable if a data breach leads to an individual’s information being stolen.
A key component of data security is proper paper disposal. Unshredded documents can be read by anyone, which can lead to sensitive information being breached. Shredding protects the reputation of your brand, your intellectual property and your sensitive commercial information.
You may still be at risk as many companies aren’t shredding to a high enough level to prevent a data breach or are exposed in other ways.
With the new GDPR legislation being implemented in 2018, shredding will have to play an even more important part in office life. Standard office shredders are not always sufficient to ensure that documents are destroyed completely, but there are other methods which can help:
If you’re using an ordinary strip-cut shredder, you need to consider whether it’s shredding to a high enough standard. It should leave documents containing sensitive data unrecoverable once the shredding process has been completed. If not, you may need a cross-cut shredder, which shreds paper into finer pieces to mitigate the risk of shredded documents being reassembled.
Another common cause of non-compliance with document shredding is that the task is time-consuming and difficult to manage, so there is often a delay between documents being earmarked for shredding and their actually being shredded. Auto-Feed shredders remove one of the main frustrations of a traditional shredder – the need to spend time manually feeding documents into the machine. In fact, employees could spend 98% less time shredding with Auto-Feed shredders, and in an office with three shredders this could translate to a saving of £18,400 in employee productivity terms over the lifetime of the machines.
Secure Paper Destruction Service
Then again, if you struggle to find any time to destroy your personal documents, we can also help by offering a secure paper destruction and recycling service, ensuring that shredding takes place to a high standard that complies with GDPR requirements. This service allows you to deposit ALL paper waste into our locked consoles for shredding and recycling. This helps not only to reduce potential risks to businesses (by taking the decision away from staff) but also to reduce environmental impact (by recycling 100% of paper waste).
ICO Warns Workers After Charity Employee is Prosecuted for Data Protection Offences
Individuals working with personal information must closely follow data protection and privacy laws after a charity worker was prosecuted for making copies of sensitive data.
In June 2016 and February 2017, the individual, who has since been prosecuted, sent spreadsheets containing the information of 183 vulnerable clients to his personal email address without the knowledge of the data controller.
The individual admitted to unlawfully obtaining personal data in breach of Section 55 of the Data Protection Act 1998. He was given a conditional discharge for two years and ordered to pay prosecution costs of £1,845.25, as well as a victim surcharge of £15.
Printing and data security – what’s the worst that could happen?
Naturally, everyone’s thinking about hackers, stolen addresses, credit cards, etc. Few are thinking about print processes, even though they affect every business.
Furthermore, the steady march toward digitalization has resulted in a proliferation of devices. Some of these are owned by the business, and some belong to employees (think BYOD). As a result, more and more documents are generated on, or routed through, a maze of devices from PCs and laptops to tablets, smartphones, and more.
Employees, especially mobile users, utilize a variety of these devices to do their jobs and complete the necessary workflows. In the process, documents are printed on any number of output devices. Or at least, the users wish they could print on those printers and MFPs they encounter during their work day.
They ask themselves two questions: Can I really print anything from my smartphone or tablet? On any printer in the company? LRS can answer both of these questions with a resounding “Yes,” because our products are designed to do exactly that. But this isn’t the main topic of this blog post. There is another important question that is seldom asked.
Assuming all of these documents can be printed on any of these devices, how is data security handled? Especially since the GDPR data protection deadline of May 2018 is right around the corner?
Think about all the platforms and applications at work in your organization. Think about the data being processed and the departments that produce or use that data — from Finance to HR, Sales, Marketing, Customer Service, etc. Do you really want everyone in each of these departments to be able to access any document printed anywhere in the organization?
Now think honestly about what security measures you have in place to prevent this from happening.
Recently, HP published an interesting series of videos that show how easily print devices and print processes can be hacked. Today’s printers are less like electronic typewriters and more like full-blown computers that happen to print.
Luckily, there are technologies available to provide greater protection for print processes. These include end-to-end encryption of data streams from the application to the print device to make intercepted data useless to potential hackers. There are also pull printing solutions that prevent uncollected print jobs from accumulating at the device; documents do not start printing until the user is physically standing at the printer and authenticates his or her identity. LRS pull printing also maintains security in the event of printer jams. Documents can be retrieved at an alternate device, if the user authenticates using a PIN, access card, or similar method.
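The hold-until-authenticated behaviour described above, including re-release at another device after a jam, as an added illustration (constructed model code, not LRS's product; the PIN storage scheme, job states and method names are assumptions):

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
# Constructed model of a pull-printing hold queue (not LRS's product code): a job
# stays "held" until its owner authenticates with a PIN at a device, and a paper
# jam puts it back on hold so it can be released again at an alternate printer.
@dataclass
class Job:
    job_id: str
    owner: str
    document: str
    state: str = "held"   # held -> printing -> printed
    device: str = ""      # printer currently releasing the job, if any

class PullPrintQueue:
    def __init__(self):
        self._jobs = {}   # job_id -> Job
        self._pins = {}   # user -> (salt, PBKDF2 hash); the PIN itself is never stored

    def enroll_pin(self, user, pin):
        salt = secrets.token_bytes(16)
        self._pins[user] = (salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000))

    def submit(self, owner, document):
        job_id = secrets.token_hex(4)
        self._jobs[job_id] = Job(job_id, owner, document)
        return job_id   # nothing is sent to any printer yet

    def release(self, device, user, pin):
        """Release the authenticated user's held jobs to the device they stand at."""
        if user not in self._pins:   # unknown user: never release anything
            return []
        salt, expected = self._pins[user]
        got = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
        if not hmac.compare_digest(got, expected):
            return []
        released = [j for j in self._jobs.values() if j.owner == user and j.state == "held"]
        for j in released:
            j.state, j.device = "printing", device
        return [j.job_id for j in released]

    def finish(self, job_id):
        self._jobs[job_id].state = "printed"

    def jam(self, job_id):
        """Jam mid-job: return it to the hold queue for release at another device."""
        self._jobs[job_id].state, self._jobs[job_id].device = "held", ""

    def state(self, job_id):
        return self._jobs[job_id].state
```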
Even before the first byte of data is sent to the printer, you may want to think about encryption. How do you process your data today before it’s actually sent to the printer? Think, for example, about Windows Print Servers, which routinely process print data in preparation for printing. Is all of your valuable data encrypted during this entire process? LRS Output Management can receive data from any application, process it into the desired form, send it to any desired printer or electronic destination… all while protecting document contents through secure encryption.
Another topic is rights management and document-level authorization schemes that regulate access to documents: not only the ability to print them, but also to open and view them. This brings up the topic of document classification.
If the document ends up being printed, it is possible that the document contains confidential information. Wouldn’t it be good to indicate this on the document itself with a watermark, stamp, or some other mark? How can you automatically add such a mark to your sensitive documents?
And what about copies made of documents that are not supposed to be copied? Is it possible to prevent such unauthorized duplication? Yes, such technology exists in the form of pantographs that can be inserted into the original printed copy of a document. Although invisible in the original document, a pantograph appears as a black mark or a message (for example, “COPY” or “VOID” or “CONFIDENTIAL”) when photocopied.
Nevertheless, humans are the weakest link in the security chain. In any of these security scenarios, an employee may grab a document from the printer output tray, stop somewhere for a cup of coffee, and leave the sensitive document on the kitchen counter. Surely there’s nothing your organization can do about that!
However, the GDPR states that the producer of the data (in other words, your organization) is liable if this negligence results in an injury. That is, unless the liability can be shifted to someone else.
But what if you were able to not only track and account for all print and output events, but also insert, say, a barcode in the margin of the page? A barcode containing information about who printed that document, when, where, and from which application? Now, suddenly, the question of liability looks different.
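The margin-barcode record just described, as an added example (constructed code, not LRS's; the field layout, the HMAC protection and SERVER_KEY are assumptions): the payload carries who printed, when, where and from which application, and a scanned barcode is verified against a server-held key rather than simply trusted.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timezone

# Constructed example of the margin-barcode idea above: a compact provenance
# record (who, when, where, which application) protected by an HMAC so that a
# scanned barcode can be verified rather than trusted. SERVER_KEY stands in for
# a key that would be held by the output-management server, never by clients.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 16   # truncated SHA-256 tag keeps the barcode small

def make_provenance_payload(user, printer, application, job_id, when, key=SERVER_KEY):
    """Return a URL-safe base64 string that fits in a 2D barcode (QR, Data Matrix)."""
    record = {"u": user, "p": printer, "a": application, "j": job_id,
              "t": when.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")}
    body = json.dumps(record, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(body + tag).decode().rstrip("=")

def verify_provenance_payload(payload, key=SERVER_KEY):
    """Decode a scanned payload; return the record, or None if it is altered or forged."""
    try:
        raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
    except ValueError:
        return None
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return json.loads(body)
```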
Remember at the beginning of this blog post, when I mentioned that employees don’t just want to print from their laptops, but also from tablets, smartphones, and more? Are all of these devices integrated into your print security processes? What about your serverless printing?
3M draws attention to physical privacy issues as part of GDPR compliance
3M is highlighting the need for physical safeguards against data privacy threats, including making sure that screens and printed documents are not easily viewable or accessible by unauthorised people.
Says Peter Barker, EMEA Market Development Manager, Display Materials and Systems Division at 3M, “There are a variety of ways in which data could be stolen that people may not have considered, yet could still impact GDPR compliance. For instance, an employee reviewing sensitive data on a smartphone in a public place and not noticing that someone nearby is observing the screen, or even snapping an image. In the office, screens can also be vulnerable to unauthorised viewing. Also, make sure that paper-based sensitive data is not inadvertently exposed, plus thoroughly erase data from obsolete computing equipment.”
Continues Peter Barker, “A breach of data could result from something as simple and fast as someone seeing private information on a screen. With more people having more devices, along with more open-plan and mobile working, those risks could increase. Making sure that there are strict strategies around document access, such as routine shredding, locked briefcases and cabinets, plus using privacy filters to protect screens from prying eyes, will help ensure better physical privacy, both in and outside the workplace.”
Privacy filters fit quickly and easily on to a variety of screens, including desktop monitors, laptops, tablets and smartphones. They ensure that on-screen information is only visible straight-on and at close range: otherwise, prying eyes merely see a blank screen. Privacy filters can also help to protect screens from scratches and unwanted glare.
Building security and privacy protection into a BYOD environment
Over the last five years, companies have had to face increasing costs of cyberattacks and data breaches. In 2015, the cost of cyberattacks globally was $480 million (approx. £361 million). In 2016, this figure rose to $3.1 billion, and the dramatic trend is far from slowing – some forecasts even cite $2.1 trillion by 2019.
In response, companies are beginning to worry and governments are starting to focus on data protection and cybersecurity in new legislation.
Since 2015, there has been an exponential growth in cyberattacks. As seen with the phenomenon of ransomware, threats which were previously unheard of are now overwhelming enterprise organizations, as evidenced by the WannaCry attack this May which brought critical infrastructure around Europe to its knees.
“The most common pitfall in data protection is inherent to human nature – we do not think about a problem until it happens”
The major causes of this increased cyberattack activity can be attributed to the growing ease with which malicious actors can access information, hacking tools and methods. The attack surface is also continuously expanding as we adopt increasingly complex and heterogeneous systems and environments.
For most businesses, the most common pitfall in data protection is inherent to human nature – we do not think about a problem until it happens to us. This is frequently evident when looking at backups. Today almost everybody has a backup of their most important data, if not of the whole system. However, backup was not previously such a common practice, so many companies had to learn the hard way about its importance.
Another misconception is thinking that if antivirus is installed on every computer, the company is secure. However, this is not even remotely enough protection. Yes, malware, including viruses, spyware and ransomware, is one of the most common threats, but, depending on the value and sensitivity of the data and systems, there are so many more threats to prepare for.
Data protection in the age of BYOD
Just think about Bring Your Own Device (BYOD) or trends in remote working. These are understandably attractive to companies and users, but the advantages in mobility and cost-savings are counter-balanced by a significant fragmentation of systems, which become incredibly hard to control.
Companies today need to evolve their business models in order to remain competitive and ready to meet market demands. Employees are constantly demanding mobility and remote working, as well as high levels of security and privacy. Companies that are able to effectively and safely embrace these trends can reap huge benefits, both in terms of productivity and cost-savings.
“Enforcing security policies is a critical step in the prevention of data leaks”
These organizations must adopt innovative approaches and tools to ensure cybersecurity and privacy, manage threats and achieve competitive advantage.
Data encryption, in all its forms, including encryption of the hard drive, emails and communications is a starting point. So too is the ability to connect through a VPN to the corporate network, allowing users to browse the web anonymously.
Furthermore, the adoption of open source software gives businesses the opportunity to check every line of the source code for tampering by particular organizations or fraudulent developers.
Enforcing security policies is a critical step in the prevention of data leaks through unauthorized copies of sensitive information being released on external drives or personal devices. This type of incident happens all too frequently – take for example the memory stick containing sensitive Heathrow security data on the Queen’s itinerary which was found on the street in North London this October.
Separating environments is also an important practice for businesses looking to keep sensitive corporate data and applications completely isolated from the average user.
Finally, effective backup and recovery software should be in place to back up and encrypt the most sensitive and confidential information on a regular basis.
Unfortunately, the adoption of these techniques is slow and costly, but not impossible.
This article is sponsored by:
Show your customers that you care about their privacy! European Center for GDPR Certification is the “Consumer Trust Body” of the General Data Protection Regulation. Visit GDPRcertified.org to read about how to add “GDPR TRUST SEAL”™ to your website in order to gain more business and distance you from the not so serious businesses – It Pays Off!