By Dr. Guy Bunker (@guybunker).
There have been a couple of stories in the past week causing a bit of a stir in the tech community. The first was the discovery of the ET game for Atari in a landfill site in New Mexico. It had the dubious honour of being thought of as the worst video game of all time, but somehow history puts on rose-tinted glasses, so it has become a new sensation. The second story, along the same lines, was the discovery of lost artwork that Andy Warhol had made on an Amiga in 1985. So, really, what’s the story from a corporate IT perspective?
The reality is that in both these cases, the information was old, but still had a huge amount of value – to someone. Critical information for business is the same, and as with the stories in the press, even old data can still be relevant to today.
One of the big data loss stories from yesteryear was the HMRC breach back in 2007. Information on 25 million individuals was lost when unencrypted discs went missing. There was a big hoo-ha at the time and it was one of the events which has driven legislation on data loss notification. At the time I wrote about the potential long-term effects of the breach – and this is highlighted again this week with the new stories. What if, after all these years, those discs were to turn up and fall into the hands of cyber-criminals?
The information included names – well those don’t change very often. Addresses, they do change, but even after nearly seven years, a significant number of them will be the same. Bank account details – the chances are that most of these will still be the same. So, from a cyber-criminal perspective, there is still ‘gold’ in them there discs.
The moral of the story is that organizations need to have a process for data disposal that covers not just new information but old information as well. Old floppy discs found when looking through dusty old filing cabinets need to be properly destroyed – not just sent to landfill with the hope that they won’t be found again! Organizations, especially HR departments, are excellent at destroying old records – the shredders run hot on old paperwork. There is something to be learned from their due processes.
It is not just about floppy discs; there is a need to adequately destroy the information on CD-ROMs, DVDs, old USB sticks and USB drives, as well as on old laptops and desktops. As part of an Information Governance or Critical Information Protection program, there is a step identifying where information is held – and that is where a process for destroying it needs to be in place. BYOD (Bring-Your-Own-Device) adds complexities to data disposal, but these complexities are not insurmountable, especially if there is planning at the start of the information lifecycle, rather than at the end.
The stories in the press are quite fun, but they show the need for better information tracking and management. Without this, organizations could also end up in the news – years after the fact, and not in such a good way.