Bruce Andrew, EVP Marketing & Customer Experience, Shred-it
As organizations implement new computer hardware, they are faced with the issue of what to do with their older IT assets. Proper disposal and destruction of electronic data storage devices is important not only to keep confidential information safe, but also to keep organizations compliant with laws and legislation around storing and disposing of Personal Health Information and Personal Identifying Information. A data breach has many consequences – financial loss, reputational damage and also legal repercussions.
Online Predators and Digital Security
Breaches at prominent victims like Home Depot and Staples were just two of the hundreds of major breaches occurring over the past year, making 2014 the ‘year of mega breach’, according to the Ponemon Institute. In a report on the Cost of Cyber Crime, the Ponemon Institute also says that as more sensitive and confidential information and transactions move onto the cloud, the number of online attacks continues to increase. The same report shows that there is currently an average of 138 successful cyber-attacks per week in the US, a number that has risen significantly over the past five years. That large companies with massive IT security infrastructures are becoming victims highlights the sophistication of the attacks as well as the dangers for businesses of all types.
Rising concern over online security breaches has created a positive shift in behaviour among senior management in larger organizations. According to the 2015 Shred-it Security Tracker, a survey conducted by Ipsos Reid, 85 percent of c-suite executives surveyed reported having a cyber-policy in place and 33 percent recognize online threats as the biggest information security risk to their organization. While c-suite executives are placing a greater priority on information security practices, small business owners are falling significantly behind in their commitment to digital information security and need to examine their policies and procedures to ensure they don’t fall behind in protecting their livelihood from online threats.
Despite almost half of all small business owners surveyed stating they believe online threats pose the biggest information security risk to their organization, only 37 percent have a cyber-security policy in place.
When you consider that the average cost of cyber-crime incurred in 2014 was $12.7 million (according to the Ponemon Institute), if small businesses continue to lag behind their larger counterparts, they’ll increasingly expose themselves to not only theft and fraud, but severe financial repercussions that could result in bankruptcy.
There are, however, some steps that small businesses can take that won’t require a huge capital investment.
• Encrypt employee smart phones so that data is secure if phones are lost or stolen.
• Regularly update software to ensure security holes are patched.
• Limit access to network folders with sensitive information.
• Install anti-malware software on all computers and block access to risky sites.
Cyber-security policies protect both digital and paper documents
Paper remains a core component of office life, and as such, there are still plenty of printers, photocopiers, servers, external hard drives and similar devices in every office. What people often fail to realize is that the devices they use to copy, scan and store documents contain hard drives that store the confidential information passing through. Nearly every digital copier built since 2002 contains a hard drive – just like the one on your personal computer – that stores an image of every document. Additionally, according to IT consultant George Hillston, 80 percent of corporate laptops and desktops contain sensitive information on their hard drives. Despite this, little attention is paid to what happens to these devices when they are no longer needed. Hillston also says that proper precautions for disposing of the devices, and in turn the confidential information stored on them, are rarely taken and devices are often stockpiled instead of being destroyed.
According to the 2015 Shred-it Security Tracker, 37% of US businesses surveyed have never disposed of hard drives, USBs or other hardware that contains confidential information. That translates into a lot of potentially confidential data that could fall into the wrong hands. Recently, Simson L. Garfinkel, postdoctoral fellow at the Center for Research on Computation and Society at Harvard University, examined 1,000 used hard drives purchased on sites like eBay, each of which had been considered ‘wiped clean’, and found highly sensitive data including credit card information, Social Security numbers, tax records, addresses and other pieces of personal information on each.
Unfortunately, IT departments don’t always have the resources necessary or a protocol in place to effectively destroy hard drives and rely on wiping data from their electronic devices. However, the only way to verify that the data on them is completely gone is to securely destroy the hard drive before throwing it away, recycling or selling the device.
There are three simple workplace guidelines, designed to safeguard hard drives, that businesses need to remember:
1. Perform a regular cleaning of storage facilities and avoid stockpiling unused hard drives.
2. Destroy all unused hard drives using a third-party provider who has a secure chain of custody and confirms destruction, to help give you peace of mind and ensure your data is being kept out of the hands of fraudsters.
3. Regularly review your organization’s information security policy to incorporate new and emerging forms of electronic media.
More than ever, businesses need to consider their data security as a whole and have a plan in place that will ensure their and their clients’ data is safe. Neglecting to take the proper precautions today sets up businesses to be tomorrow’s victims.