Most companies have some method of data breach protection in place, but data breaches are not all alike so how do you know you’re fully protected? There are several ways a data breach can occur. The Identify Theft Resource Center currently tracks seven categories for data loss methods1. These categories include,
- Insider theft,
- Hacking/skimming/phishing,
- Data on the move,
- Subcontractor/third party/business associate,
- Employee error/negligence/improper disposal/lost,
- Accidental web/internet exposure, and
- Physical theft.
Three of the most common causes of data breaches involve the physical loss or theft of devices, risks when partnering with a subcontractor, and improper disposition. These ‘non-technical’ causes can tend to be overlooked as much focus is placed on the more challenging data threats such as hacking. Since hacking, skimming and phishing are threats that are continuously modified they understandably consume much of the focus when it comes to making efforts towards data breach prevention. Consequently, this leaves some of the alternative methods to receive much less attention allowing for security gaps.
Some of the devices that are most overlooked however are the ones no longer in use. Regardless if proper steps are taken there are loopholes that exist that, if not carefully managed, could expose data and pose just as big of a risk as other categories. Here are some ways retired IT assets can expose data.
[bctt tweet=”Some of the equipment that is most overlooked are the ones no longer in use. ” via=”no”]
1. Data wiping failures
For hard drives that undergo data wiping, various methods and options exist. There are programs you can purchase and there are companies who can do this for you. If done correctly, data wiping procedures are generally 99.999 percent effective, a percentage acceptable even for the United States Department of Defense. While performing this task internally can be a legitimate solution, this statistic holds true only “if done correctly”. Therefore, it’s recommended to ensure accountable data destruction by outsourcing this service, especially for companies in need of wiping a large amount of hard drives.
It is advised to work with a vendor who is capable of maintaining the system development to support ongoing updates as well as fail-safes for scenarios where the wipe is unsuccessful. This will help you feel more confident that your vendor is continuing to improve their systems so you know their solution today, will also be viable tomorrow.
2. Gaps in security when items are in transit
Electronics tend to be one of the more sought after products when referring to cargo theft. In 2012 Freight Watch International provided a global average value per theft incident of $382,732 for electronics2 and this doesn’t take into consideration the value of the data stored.
It is important to point out that when a vendor drives away with your retired IT equipment the risk isn’t removed as well. If a company’s laptop was stolen from a truck and data were exposed, the company would still be liable. Therefore it is always recommended to have a dedicated truck that only holds your material and to ensure there is a seal on the back of the truck that is recorded prior to departure and upon arrival at the processing facility.
3. Poor tracking of devices (Items going missing)
While it’s important to ensure secure transportation of IT assets, it doesn’t just end there. The next step is making sure all items will remain secure once they arrive. Security and tracking of IT assets while they are processed at the disposal facility is important for a few different reasons. The security features of the building (which should typically involve restricted access, 24/7 surveillance, on-site guards, metal detectors, and more) will protect any confidential or proprietary equipment that could potentially exist. Otherwise thorough tracking of assets through serial number capture, scanned barcodes and sophisticated internal reporting systems will provide you with the ability to understand where your assets are and report back on these items for internal records.
Security certifications and standards can help businesses identify and understand security measures in place. In understanding security measures more efficiently, IT executives can quickly and easily narrow down their vendor selection. While vendors without security certifications could very well offer a suitable high-security service, you just won’t know for sure until you do further due diligence.
These critical elements of data protection, while significant, are only a small portion of what should be considered when discarding old devices. For a more detailed overview of security considerations, download this white paper on how to avoid a data breach during IT asset disposition.
Sources: