Cyber criminals and those with more malicious intentions have long known that often the easiest way to penetrate a government or corporate network is to gain physical access to the network from the inside, exploiting access to a variety of nodes, poorly protected passwords, or devices to upload malicious software directly to a system. Insider threats within an organisation can come from compromised or disgruntled staff, maintenance personnel, security personnel and even cleaning staff. Then there is the threat of physical damage to servers and network infrastructure that can come from terrorist acts, natural disasters, fire or flooding. In all of these scenarios, off-line physical back-up is the very last line of defence, if all else fails.
An expert understanding of accredited, certified testing of data safes, data cabinets and data rooms, and of the relevance of that certification to risk and operation, is essential to avoid costly or even catastrophic mistakes. Considerations such as certification of fire resistance and burglary protection are just the starting point. Different types of data media have varying degradation levels under a range of stress factors. For example, humidity as well as temperature is a critical factor in preserving magnetic data in a fire, whereas paper documents tolerate far higher stress levels. Yet safes or cabinets that may be barely suitable for storing paper documents are often used in businesses and government departments to protect magnetic data and back-ups. In the current unregulated safe and vault market, the majority of safes and cabinets claimed to be suitable for protecting physical data back-ups from fire and unauthorised access have no proof of standard whatsoever, leaving businesses and government departments with an entirely false sense of security that can lead to disaster.
N.A.T.O. Europe, The U.S. Air Force (Europe), The National Treasury Management Agency (Ireland), The Department Of Communications (NCSC Cyber Security) (Ireland), The Revenue Commissioners, Electricity Supply Board (Cyber Security) (Ireland), The Danish Defence Forces (Afghanistan), PayPal (Worldwide), Grant Thornton, The Insurance Institute of Ireland, The Royal College Of Surgeons, BFC Bank, Interxion Data Centres and many others ....
Our seminars on safes, strongrooms and HNW secure storage have been part of Continuing Professional Development for underwriters and insurers having been awarded CPD points by the Insurance Institute of Ireland and the Chartered Insurance Institute (UK).
How A Lack Of Knowledge Can Easily Lead To Disaster
Photos below show a Phoenix “Fire Chief”, one of fourteen units purchased by a group of Credit Unions for the protection of client documents and back-up data that would fall under the GDPR. The choice of unit was apparently based on several factors, but the low price for a recognisable brand certainly came into it. However, when Certified Safes Ireland™ were asked to examine the units, it became clear that rather than purchasing fire and burglary resistant cabinets at a good price, the client had in fact purchased thousands of Euros worth of relatively expensive light steel storage cabinets with no accredited certified fire or burglary resistance whatsoever.
Our examination found the following:
- There was no indication anywhere on the cabinets of a claim the Phoenix “Fire Chief” was fire resistant.
- There were no fire protection strips or seals anywhere on the cabinets.
- Air gaps around door frames were so wide the locking bolts of the cabinet were clearly visible. These gaps would aid airflow for combustion rather than deny it as well as allowing the locking bolts to be cut in seconds with a battery powered angle grinder. (Photo below - left)
- The only mark found anywhere on the cabinets was an unaccredited sticker which claimed the units are S1 security cabinets, the lowest level of protection under European standards. (Photo below - right)
Obviously, a metal cabinet with no accredited certified fire or burglary resistance is not what the owners of the units thought they had purchased. The mistake meant that data and documents held by the organisation were not being stored in compliance with the group's GDPR risk assessment, opening up the possibility of sanctions, and even legal action if unlawful destruction was caused to third party data due to burglary or fire. The fact remains, however, that nowhere on the data sheet for the Phoenix “Fire Chief” did Phoenix make the claim that these units were certified for fire resistance. There is a reference to “Fire Resistance” which states “Recommended for 30 minutes fire protection for paper records”, but as no accredited certification of fire resistance was referred to by Phoenix, this recommendation is simply the opinion of Phoenix Safe Company Ltd. The name “Fire Chief” might give some people the impression that the unit is fire resistant, but the only certification mentioned on the Phoenix “Fire Chief” PDF is a claim that the cabinet is an S1 Security Cabinet certified by Trezor Test in the Czech Republic. S1 is the lowest level of burglary resistance for a cabinet test with hand tools. The test time for S1 is 1.5 minutes.
What Certified Physical Data Storage Certification Looks Like
EU Parliament regulation 765/2008 created the system that provides the legal basis of accreditation for the certification of a data safe or cabinet for burglary resistance, fire resistance and structural collapse. Certification for physical data storage will be indicated under standard EN1047-1 (Data). Accredited European certification that a safe or cabinet is suitable to protect paper or data will always be displayed on a stamped metal plate on the inside of the unit's door. This information will never appear on a sticker.
Data certification is completely separate to any burglary resistance certification plate that a safe may have. There is absolutely no connection between the grade of a safe and the unit's fire resistance. The same information will be available on accredited certification documents which are freely available and should always be asked for.
Below are the logos of two certification bodies with European accreditation to certify data cabinets, data safes and data rooms for fire, burglary resistance and structural collapse. The example certification plate below is from ECB-S.
EN1047-1 is the data standard for safes and cabinets. S60P and S120P are standards for the protection of paper documents, both having an internal temperature limit of 170°C during testing. Digital data units marked S60D and S120D have an internal temperature limit of 70°C and a humidity limit of 85% during testing. Units marked S60DIS and S120DIS have an internal temperature limit of 52°C and a humidity limit of 85% during testing. Certification plates for this standard will appear separately to any burglary resistance certification that may appear on the unit.
Common Non-European Fire Resistance Marks And What They Mean
Nordtest NT FIRE 017
The most common mark you will come across in the market is without doubt the NT FIRE 017 mark. NT FIRE 017 is a conformity assessment of Nordtest originally founded in 1973 under the Nordic Council of Ministers. This is NOT a European standard.
Important differences compared to US & EU testing:
NT017 may be applied to safes and cabinets of identical construction to a tested unit, provided that the external volume of each untested unit is not less than half of, and not more than twice, the volume of the tested unit. This means in a series of five sizes it is usually only necessary that one unit is tested, leaving the majority of cabinets and safes marked NT017 in such a series not tested. Additionally, internal heat during the NT017 test is measured by thermocouples (sensors used to measure temperature) placed at the centre of internal panels rather than at the corners, as is the case with European and US testing. This placement of thermocouples will of course produce a more favourable result, as panels will heat from the edges to the centre during a fire. Finally, NT017 does not include a drop test to simulate structural collapse of the kind that would likely happen in an intense fire.
Underwriters Laboratories (US)
Less common than the NT FIRE 017 mark, the American UL certification is almost identical to European fire testing. However, only units marked "impact tested" have been tested for structural collapse. As the mark is not accredited according to ISO/IEC-17065, it may not have the same legal standing as an accredited European standard for litigation purposes related to the GDPR.
GDPR Compliant Tracking Of Access To Data
We offer a range of inexpensive, state-of-the-art data safe locks that can be easily retro-fitted to many existing data safes, data cabinets and rooms. Not only do these locks record access automatically, but they also provide a data controller with an easy method to download secure bank level audit trails via a USB flash port and FREE bank standard audit software. 1000 events and users are identified by a two-digit number at the beginning of their access code. These audit trails can be downloaded and stored at regular intervals. These locks are the very definition of the “Privacy by Design” concept of the GDPR when it comes to tracking access to data storage. Originally developed for high-risk banking and cash-in-transit, the system is demonstrably secure, restrictive, hierarchical and entirely suitable for purpose, quickly and affordably building automatic privacy and security into physical data storage.
European Fire Standards For Physical Data & Paper Documents
Protection class quality characteristic for fireproof protection
European Standards EN1047-1, EN1047-2 and EN15659
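Protection classes of products for the protection of data and systems

| Product | Protection class | Standard |
|---|---|---|
| Light fireproof unit | LFS 30 P | EN 15659 |
| Light fireproof unit | LFS 60 P | EN 15659 |
| Data cabinet | S 60 P | EN 1047-1 |
| Data cabinet | S 120 P | EN 1047-1 |
| Data cabinet | S 60 D | EN 1047-1 |
| Data cabinet | S 120 D | EN 1047-1 |
| Data cabinet | S 60 DIS | EN 1047-1 |
| Data cabinet | S 120 DIS | EN 1047-1 |
| Diskette insert | DI 60 P/DIS | EN 1047-1 |
| Diskette insert | DI 120 P/DIS | EN 1047-1 |
| Data container | C 60 D | EN 1047-2 |
| Data room | R 60 D | |
| Data room | R 60 D | |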
The abbreviations in the table stand for:
The Problem Of Asbestos In Pre-2000 Fire Safes And Cabinets
Data safes, document and filing cabinets that contain asbestos continue to be sold on the second-hand market in Ireland by well-known safe suppliers. The ban on asbestos in Ireland in 2000, far from seeing a reduction in the number of safes and cabinets that contained asbestos, instead saw a surge, as thousands of contaminated safes became available on the second-hand market as they were removed from all over Europe and the UK. With a low level of awareness when it comes to the issue of asbestos in safes and cabinets, huge quantities of these contaminated products have been sold, sometimes being passed off as "almost new" having been re-sprayed and refitted. In Ireland’s case, importation of contaminated safes, fire cabinets and data safes has happened on an industrial scale and continued well after our national asbestos ban, thanks to the free movement of goods within Europe, right up until Brexit. Any safe manufactured before 2000 must be presumed to contain asbestos.
As things stand today in 2022, data safes and cabinets that contain asbestos continue to be sold on a daily basis, all over Ireland, by prominent safe suppliers and in private sales. Large numbers of these units are not only in circulation, but more are currently being removed from bank and post office closures where there is no accountability for their disposal, nor a requirement to verify that removal and disposal was done taking the likelihood of asbestos contamination into account. Most of these units make their way back on to the second-hand safe market and can be found for sale on classified ads websites or are sold as "refurbished" safes by well-known safe suppliers.
Chrysotile asbestos fibres, which in the case of safe and cabinet manufacturing are the main type of asbestos fibres we are concerned with, are highly carcinogenic if inhaled. Breathing in air containing even tiny amounts of asbestos fibres of the kind that may result from the opening and closing of a safe or filing cabinet door fitted with asbestos door seals, can lead to asbestos-related diseases such as asbestosis and cancers of the lungs and chest lining. Chrysotile asbestos was widely used in door seals on safes, fireproof safes, and fireproof filing cabinets as late as 1995. This invariably took the form of woven asbestos tape adhered around the door frame against which the door would close. It is this woven tape that causes many to be most concerned. Abrasion caused by the opening and shutting of the safe door or filing cabinet door in such close proximity to the user is a high-risk issue, particularly as someone could be opening and closing a unit for decades in a closed environment such as an office.
A study by the BZR Institute in Bonn, Germany, found that abrasion caused by opening and closing a light metal door on an asbestos fire seal released enough asbestos fibres to exceed the maximum European exposure limit after just three opening and closing cycles.
A data safe or cabinet that contains asbestos within its structure is also a danger to maintenance technicians, locksmiths and fire fighters who may be called to a fire where such a unit is located. Due to their age, most of these units are quite likely to have a mechanical key or combination lock and are therefore likely to have a lock-out event at some stage. On many occasions this requires the safe, cabinet body or door to be drilled open. Drilling a contaminated safe or cabinet will result in amounts of airborne dust containing asbestos in one of its most dangerous forms, due to its incorporation into the body of many safes and cabinets as an anti-combustion filling material or as a curing agent in cement. In a fire, asbestos from these units is likely to be released due to intense heat exposure and structural collapse.
Certified Safes Ireland™ director Alan Donohoe Redd is a member of the European CEN263 Working Group responsible for writing European Standards for safes, strongrooms (vaults), secure cabinets and physical data protection for the European Union. A registered NATO supplier and a longstanding member of the European Security Systems Association, Alan has a vast range of experience spanning almost 40 years and encompassing installation of safes, strongrooms, physical data protection, CCTV, alarms, access control, secure storage control systems and Sensitive Compartmented Information Facility (SCIF) specification, design, and installation.
Alan is an expert on standards and fraud issues related to secure storage in Europe and the UK, has had articles related to these subjects published by The Law Society Gazette and Irish Broker Magazine, has forced retractions of multiple false claims related to secure storage offerings to the public, including some published by the Irish Times, and has been pivotal in having misleading standards and practices recognised and withdrawn in Ireland, the UK and at a European level.
Due Diligence Notes
Contrary to what many people may believe, the profession of "Locksmith" has long been recognised as one almost completely separate from the supply and installation of safes and strongrooms in the E.U. With most insurers and An Garda Síochána (Irish Police) advising against the use of mechanical locks on safes due to the ease of opening via non-invasive manipulation, the last connection between these two professions is quickly disappearing. There are exceptions to every rule, and a locksmith may have the necessary knowledge to correctly specify, survey for, and anchor a certified safe. However, most locksmiths have very little knowledge in relation to European standards for safes, and The Private Security Authority (PSA) does not require any qualifications to issue a locksmith license.
Ireland and the UK are notorious black spots for fraud and misrepresentation in the safe supply sector. Well-known safe suppliers being penalised for tax evasion and having served time in jail are just some indications of a wide range of malpractice and illegal activity throughout the safe supply industry. We strongly encourage due diligence before engaging a safe supplier or having someone survey your home or business, irrespective of who recommends them.