Dubai: Thousands of companies in the UAE are at serious risk because they fail to destroy the data and confidential information contained in their waste and recycling processes. Recycling in the UAE is very common but awareness of the risks of data leaking is very low, and more companies need to audit what happens to confidential information on dumped papers and documents.
“The key question to ask is: when does the data or confidential information contained within the paperwork to be recycled cease to be readable and therefore not accessible to people outside of the organisation? ” said Neil Percy, VP for EMEA of Shred-it, a global leader in the information security business.
“Until the documents are destroyed and made unreadable, the confidential information on the paper is often accessible for people to use. This may include those with illicit intent and desire to act and use the confidential information for personal gain to the detriment of the company or individual who owns the data”.
Currently the UAE has only one recycling plant which focuses on the recycling and production of cardboard, so large volumes of paper going for recycling from UAE companies becomes an international commodity and is exported. Currently India and China are among the largest purchasers of used paper which means that tonnes of sensitive documents are lying around in open paper dumps with readable information on them until the waste paper enters and commences the recycling process.
“Organisations in the UAE have made significant steps to protect their electronic data but the same information is often printed and disposed of on a daily basis via recycling or waste, offering access to the same confidential information,” Percy told Gulf News.
Private sector
Shred-it is the largest global information security company in the world with more than 300,000 corporate customers world wide. It has 1,200 regular customers in the UAE for whom a total of 800 tonnes of paper containing confidential information is rendered unreadable by shredding and then recycled every year. The majority of these organisations are in the private sector, and many of them are local branches of global companies whose head offices dictate their policies while awareness in local organisations of the risk of data security breach is limited currently.
“Awareness in the UAE of the dangers of data loss and the risk exposure of confidential information, particularly when disposing of printed material, is low. And there is currently limited regulation in the UAE focusing on the areas of the DIFC or HealthCare City which have introduced regulations very much like those in the European Union,” said Neil Percy.
Around the world, the kind of corporate or government data which has been found in open sites includes photocopies of passports and other legal documents, bank statements, personal medical records, draft contracts, printouts of company budgets and important sales information.
“There are all sorts of sensitive documents, which may lie in a recycling bin for some days and often weeks [where it is possible to access them], before being taken to a paper recycling company and then often exported. During this time while in transit or in storage the fully readable papers will be exposed to threat of information security breaches, before going to a paper mill where they may also lie round before finally being processed” said Percy.
“At any stage the information on the discarded paper may be accessed either by chance or deliberately by criminals who know who to take advantage of where they may find and what they might find on the stored paper. Far too many companies are unaware of this risk, which they can stop straight away by effectively capturing, securely storing and ultimately shredding and recycling before it moves from their premises,” said Percy.
Inconsistencies in approach
This is a global issue, as many banks and companies use facilities handling high volumes of sensitive information such as call-centres in less secure parts of the globe. Inconsistencies in the approach towards security are presenting opportunities and targets for data thieves. “So it is important that their shredding policy is consistent globally and people are working to the same rules and standards,” he said.
Security concerns exist within organisations as senior management will have financials and reports, and HR has information, that would be a concern if this it became known to the employees. If such material is placed in open recycling boxes the information could be accessed by visitors other employees or even cleaners, “Insecure paper bins are good sources of information for potential data thieves,” warned Percy.
In addition to printed material Shred-it would advise other forms of confidential material should be securely handled and destroyed, including old hardware from electronic devices to their services. “Shred-it would urge organizations to review their disposal methods of hard disks, flash drives, memory sticks, and other devices which simple deleting of files may be insufficient to permanently prevent recovery of data” said Percy.
