Not a week goes by without news of another data breach somewhere. Cybercrime, from phishing attempts and acts of ransomware all the way to state-sponsored attacks, is becoming more difficult to stop at the organizational front door.
However, businesses needn’t despair. These may be shark-infested waters where even the most vigilant organizations fall foul of security lapses, but the riskiest of variables remains within your grasp: your people and the processes under which they operate.
Because when the people in your company understand the importance of IT process compliance and when security is no longer viewed as a series of dictates from an over-zealous IT department, everyone in your organization benefits, including your customers.
Let’s take a look at some key aspects of data security affecting companies large and small, together with examples of when it goes wrong:
I’m a small business so data security doesn’t really apply to me, right?
Wrong. When it comes to data security, it doesn’t matter whether you’re J.W. Marriott or the local gym: everyone needs to take the protection of business data seriously.
Cyberbandits are a cynical bunch and will strike wherever they sniff out opportunity. Take ransomware attackers, who are particularly fond of smaller businesses such as accountants or law firms where real-time access to local data is mission-critical.
Unfortunately, having your data held hostage by ransomware is no laughing matter. According to 2019 research from Coveware, the downtime costs of a ransomware attack may be as high as ten times the actual ransom amount.
What’s more, the way attackers are breaching security systems is often surprisingly straightforward: they prey on human weaknesses with increasingly deceptive attacks that allow them to gain entry into a company’s systems before spreading their tentacles across your network.
“We expect phishing-based attacks to increase in market share as social engineering techniques evolve and employee security awareness continues to be a hard problem to solve,” the Coveware report warns.
A strong culture around data security starts with IT hardware
Breaches in a company’s data security are often associated with software vulnerabilities and hackers gaining access to systems that they shouldn’t. IT managers understandably worry about user authentication and granting higher-level permissions only where strictly needed.
However, the greater risk of a systems breach is more fundamental than permissions management and software patching. At a core level, does your organization have a robust and sustainable approach to tracking and managing its IT assets, whether software or hardware?
Dr. Barbara Rembiesa, head of IAITAM, the association body for IT asset management (ITAM), says it’s essential to comprehensively track all IT assets. “A company can throw all the billions it wants at CIOs, cybersecurity divisions and the like, but if it does not have ITAM procedures in place, it is not secure,” she remarks.
This applies not only to managing your deployed hardware but IT equipment that is end-of-life or surplus to requirements. “Absent or incomplete ITAD (IT asset disposition) procedures are problems that grow each year as the business world’s reliance on technology grows,” Rembiesa says.
It must have fallen off the back of a truck
Oftentimes, bad actors don’t even need to hack into systems. They simply wait for increasingly mobile and distracted workers to leave devices containing company information unattended in public.
According to a Freedom of Information (FOI) request in the United Kingdom, more than 26,000 mobile devices and laptops were handed into lost property on the London public transportation system in the 12 months leading up to April 2018. One can only guess how many missing devices were never recovered.
If you thought the problem was confined to workers being careless with devices on their commutes home, consider the case of a leading Australian bank. Personal information belonging to 12 million of its customers went missing during a data center decommissioning, and the bank concluded that the magnetic tape drives holding it may have fallen off the back of the truck carrying them to a secure facility to be destroyed.
According to a 2018 report from BuzzFeed, Commonwealth Bank hired accounting firm KPMG to investigate the case of the missing tapes and determined that the drives were probably destroyed as planned. However, it remained unable to find any certificate of destruction to prove this. Meanwhile, KPMG sent a forensic team to retrace the journey of the truck that carried the storage media, but the team was unable to locate the missing hoard.
On the topic of data disappearing into thin air, the Cremation Society of Pennsylvania was forced to contact more than 24,000 of its members to disclose that a storage drive containing their personally identifiable information went missing in transit from Pennsylvania to corporate headquarters in Texas. According to a report from Pennlive, the package arrived but was missing the all-important storage drive. The society offered credit monitoring and identity protection services to affected individuals.
Or heed the report of the German laptop that turned up for sale on eBay containing military-grade secrets. Presumably the device skipped the line for data sanitization prior to disposal. Or consider the story of the two Dutch hard drives containing the details of millions of organ donors that went missing from government custody.
Sometimes it’s literally a case of daylight robbery. Take the November 2019 case of corporate hard disk drives left in a bag in a Facebook employee’s car. Stolen in what Facebook described as a “smash and grab,” the drives contained the confidential payroll information, including social security numbers, of approximately 29,000 Facebook current and former employees.
A bad workman blames his tools
Even where your storage drive is wiped and certificates of sanitization are presented, are you sure the data is truly gone? There’s a lot of talk from ITAD companies about the thoroughness of their data erasure processes, but you should leave nothing to chance.
Experts agree. The challenge of ensuring thoroughness of data sanitization is usually with process rather than policy, says Moor Insights & Strategy senior analyst Steve McDowell. “Most IT organizations do have policies around this, but proper scrubbing and recycling of hard drives and other devices is hit-or-miss, even when a policy is in place,” McDowell told Data Center Knowledge. “Most organizations are savvy enough to remove drives before scrapping computers, but the disposition of those drives is often little more than the electronic recycling equivalent of a landfill.”
Not that Do-It-Yourself wiping is a good idea either. Look for ITAD companies that offer industry-leading accreditations such as ADISA and that can explain knowledgeably exactly how the wiping process will work for your storage media.
Seriously we’re not like the other guys
Even where your ITAD vendor talks the talk and shows you all the right certificates, it’s still worth asking a few more questions.
Take the case of the leading Washington state company that assured its range of high-profile customers it was disposing of their used computer monitors within the United States, in full compliance with EPA requirements. Instead, it was secretly shipping the monitors to Hong Kong, where worker protections against the potentially dangerous mercury inside the monitors are significantly weaker and disposal is significantly cheaper as a result.
Just having a responsible recycling certificate is table stakes these days. While one bad apple shouldn’t spoil the bunch, it is a cautionary reminder to thoroughly check out your vendor’s credentials.
Why process really is the answer
According to Accenture’s 2019 Cost of Cybercrime study of more than 2,600 senior IT leaders, humans do remain the weakest link when it comes to data security. Whether it is bad actors or distracted workers, there is a threat around every corner. A culture of constant vigilance driven by strong company policy around data security is the best approach to minimizing your exposure to breaches.
This policy should extend to your contractors as well as your vendors, and anyone else who may have access to your company information and that of your customers. Robust workflows that are meticulously monitored and explicitly documented are the best possible response to a world of increasingly porous data.
And as companies continue to invest in IT hardware, take no chances in ensuring that the data on used and retiring devices is kept as secure as humanly possible through a rigorous ITAD program overseen by your company’s senior leadership.
As industry group IAITAM puts it, a company without a rigorous ITAD program “runs the risk of a breach from a much simpler problem: a piece of hardware that was either not properly tracked to begin with or stops being tracked before its final disposition is confirmed.”
Of course, it is impossible to entirely eliminate the risk of a data breach. However, proceeding on the basis that absolute security means taking no chances and that policy enforcement is at the heart of a strong company culture will stand you and your business in good stead.
Read more about operational advances in protecting information security in the data center or get in touch with Horizon for expert guidance on secure IT asset disposition.