Paper vs digital documents: How to lessen the risk of a data breach
There was a 125% increase in cases of identity theft between 2007 and 2017, research shows, most of which occurred online.
Using the latest technology, cyber criminals have become more creative with how they commit fraud. In 2017, hackers infected more than 230,000 computers with a piece of ransomware known as WannaCry.
Exploiting a hacking tool leaked from the National Security Agency in the US, the programme spread itself across vulnerable Windows systems and encrypted important files, making them inaccessible.
Victims whose files were targeted were forced to pay the attackers $300 in bitcoin to get them back. After three days, the ransom doubled. After a week, the hackers deleted the files permanently. The cyber-attack also affected a number of high-profile organisations.
According to reports, the WannaCry incident cost the NHS a massive £92 million in lost output from disrupted services and direct IT costs.
Losing important documents also puts firms at risk of breaching GDPR—the recent data protection regulations. For these reasons, it’s vital that companies become aware of the risks and the ways in which they can protect their sensitive data.
In most cases the solution is for businesses to keep their paper records in a secure location such as a storage facility, or store their digital files online with the correct security systems in place to combat any cyber-attacks.
Bring in the experts
For a comprehensive idea of all the risks associated with storing paper documents or important digital files online, we sought advice from the professionals:
Duncan Sutcliffe—director of Sutcliffe & Co Insurance Brokers
Zain Ul-Haq—head of cyber security at Cyfor
Jonathan Richardson—managing director at secure archiving specialist Russell Richardson
Every time a company employee handles sensitive data, there’s a risk of them making a costly mistake or losing the data completely. One way to avoid this is to transfer all paper documents to a secure storage facility.
Jonathan Richardson: “Off-site archiving services monitor all records continuously by CCTV and restrict access to security-checked staff only. For a full audit trail, a scanning system logs any documents that staff move or retrieve.”
If a company chooses to store digital versions of files online, anyone with access to those documents must have the proper training in data security. Systems should be set up so users only have access to the relevant data they need to fulfil their specific duties.
Zain Ul-Haq: “Countermeasures don’t just stop at the technical. Companies can prevent or mitigate inappropriate behaviour by staff by carrying out a reasoned risk assessment.
“We are still seeing businesses lack proper systems for handling and destroying data, use untested and inappropriate backup processes, grant administrator rights to all users, share passwords, and allow employees to connect personal devices to company networks.
“Gone are the days when companies could pass the headaches of cyber security to the IT department. It’s absolutely a business risk which one department or person can’t handle alone—it’s a team sport.”
Another human risk is the use of smartphones for both work and home.
Duncan Sutcliffe: “We let our kids on them, download games, do our shopping, browse the internet and share our lives on social media. This behaviour is so risky and gives criminals access to so much.
“A basic technical level of cyber security will keep out most problems but then the weak point is the user. If they are careless enough (or untrained) they can easily click on a malicious attachment or link in an email or give important information away over the phone or in their social media posts.”
Are SMEs a target?
In this survey by professional indemnity insurance brokers PolicyBee, one-third of small businesses said they believe being hit by a cyber-attack is not a matter of ‘if’ but ‘when’. Yet despite this, 43% of SMEs admitted they didn’t have a plan in place for withstanding such an attack.
Among the numerous major cyber threats to which SMEs are susceptible is the ‘hack attack’, where a hacker gains access to a company’s data—credit card information, for example—through its network, typically by abusing an unpatched vulnerability within the software.
Falling victim to this kind of data theft can tarnish the reputation of many a small business and cause it to lose valuable clients. Without a budget set aside to deal with the aftermath of a cyber-attack, the company could struggle to pay the costs of repairing any damage it’s suffered.
Duncan Sutcliffe: “A single SME might not make a criminal rich but they are easier to attack because they spend less money on security and training. Criminals will prefer to target numerous easy SMEs rather than one difficult large organisation.”
Almost a quarter of SMEs still manage their finances entirely on paper, according to this survey by Simply Business.
Jonathan Richardson: “It’s essential that companies organise and keep wage and salary records in a secure location for the retention period of six years, before disposing of them thoroughly.”
Need for security
Businesses that store documents online in ‘the cloud’ could come under attack from cyber criminals if they don’t have the correct software and up-to-date technology to protect sensitive information.
Duncan Sutcliffe: “Not having up-to-date and patched software is a big problem. When your computer suggests you install an update it’s usually because the software company has found a problem which allows criminals to operate and the update will ‘patch’ this hole. Older systems like Windows XP are no longer supported so no longer get patches.”
Any business that stores data entirely on digital files must make sure their software is current and compatible with the formats their files use. By failing to do this, they risk losing access to the files in the future—as software dates and becomes incompatible—and having to pay for the files to be converted to a usable format.
Zain Ul-Haq: “Prevention is better than cure, so businesses operating with any digital presence need to fix their online security. There’s no second chance when dealing with data breaches—the stakes are too high and thus must be right first time.”
One way of keeping paper documents safe is to store them off-site with an archiving company. Businesses that prefer to store files in the office must install the correct security features to ensure only those workers with the proper authorisation can access them.
Duncan Sutcliffe: “Old-fashioned security like locked cabinets, locked doors, locked windows, intruder alarms and procedures for transporting documents safely are the best ways to ensure paper documents don’t get into the wrong hands.”
Sometimes, when funds are limited, choices have to be made.
Jonathan Richardson: “If businesses don’t have the budget or time to set up an online security system, to avoid the risks of online fraud they may need to consider keeping only paper versions of files in a safe space, until their situation changes.”
Keeping up with criminal techniques
Businesses need to be aware of the variety of methods online hackers use to steal data. One of these is known as ‘drive-by’ downloading, which is when someone is tricked into downloading a virus or malware (malicious software) onto a device.
Duncan Sutcliffe: “It’s impossible to be 100% safe but you can mitigate most common threats by taking some simple technical measures. Every small improvement you make reduces the risks to your business.”
According to the National Cyber Security Centre, the essential technical controls for cyber security include:
- installing a firewall to secure the internet connection
- choosing the most secure settings for devices and software
- controlling who has access to data and services
- using antivirus software to protect against viruses and other malware
- keeping devices and software up to date
However, data isn’t just stolen online. When a business throws out important paper documents without shredding them, it’s still possible for thieves to use the information they contain.
Duncan Sutcliffe: “There’s an expression called ‘dumpster diving’, which is where criminals go through bins to find valuable information. Traditionally, it’s also been a popular way for journalists to get information on celebrities and politicians.”
Although businesses might see going paperless as a way of freeing up space, going digital can expose them to online fraud if they don’t implement the necessary protection to thwart any malicious threats. Using an off-site archiving service enables the business to clear the space their physical files occupy, while keeping them in a secure environment.