TECHNOLOGY
Data Destruction: Final Barrier to Protect Your Trade Secrets
For many businesses and IT staff, data security and privacy protection (and budgets) are focused primarily on cybersecurity. For good reason; a digital fence is essential for keeping nefarious actors out of your network. Less glamorous and often forgotten or mishandled is end-of-life (EOL) data security. Often called the undertakers of the IT world, data destruction providers are the final barrier to protecting trade secrets and confidentiality. Why is data destruction important for aging, unused, broken or unneeded computers and IT equipment?
Even when the computer reaches the end of its useful life, vital information on hard drives tucked inside servers, company laptops, tablets, POS devices, scanners, external hard drives, kiosks, and even copiers, is waiting if someone is looking.
Copiers? Reported in 2010 by a CBS investigative team, 6000 returned copiers in New Jersey were tested for document storage. Downloads of their hard drives revealed confidential police reports, medical records, pay stubs and more. Thirteen years after that news report aired, copiers are still turned in with hard drives full of personally identifiable information (PII) and confidential company data.
Work-from-home employees present an even greater risk. “There was a strong correlation between remote working and cost of a data breach, where more employees working remotely was associated with higher data breach costs.” (Source: IBM Security, Cost of a Data Breach Report 2022.)
Data storage on retired data center equipment is another prime opportunity for a data breach. NVMe drives can look like a matchbook or a stick of gum and blend right in with raw computer guts. “Two different sources at a Fortune 100 insurance company confirmed that all hard drives had been removed from all the servers they were getting rid of,” related Andrew Hurteau, Project Manager. “Within hours, we found over 18 Terabytes of completely untracked added storage in firewalls and servers that had been completely missed.” In data liability terms, 18TB is equivalent to three hundred and eleven BILLION combinations of usernames and passwords. Or, 1.24 TRILLION credit card numbers. Or social security numbers.
It’s not just untracked data holding components, it’s untracked assets. If you don’t know what you have and where it is, it’s an opportunity for data theft. From the Harvard Business Review, “Four out of five corporate IT asset disposal projects had at least one missing asset. More disturbing is the fact that 15% of these “untracked” assets are devices potentially bearing data such as laptops, computers, and servers.”

The risk and penalties of data security negligence
Proper data disposition isn’t nice to have, it’s a must-have. With the average cost of a data breach falling between $3-4.8M per the “IBM Cost of a Data Breach Full Report 2022”, the losses can add up quickly:
◾ Financial costs include fines, lawsuits and professional fees.
◾ Reputational damage to business and retail customers.
◾ Market share damage.
◾ Revenue loss due to customer flight.
◾ Cost increases are passed along to customers.
◾ High regulatory scrutiny.
◾ Loss of stockholder support.

Know the law for your business
While there is no single, universal data and protection law in the United States, there are multiple regulations (and some with real teeth) focused on consumer protection, commerce and specific industries. Healthcare and pharmaceutical, banking and financial, public and private educational institutions, manufacturing, credit cards, government agencies and more are governed by overlaps in the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH), Fair and Accurate Credit Transactions Act (FACTA), Identity Theft and Assumption Deterrence Act, Sarbanes-Oxley Act of 2002 (SOX), Gramm-Leach-Bliley Act (GLBA), Bank Secrecy Act, Patriot Act of 2002, US Safe Harbor Provisions, FDA Security Regulations (21 C.F.R. part 11), PCI Data Security Standard, National, State and Local regulations and, for anyone with a website, the European Union’s General Data Protection Regulation (GDPR).

11 steps you can take to protect your data
1. Adopt industry and trade organization best practices.
2. Assume that customer data, proprietary company information and industry secrets are more important than the IT asset itself.
3. Work with your internal stakeholders like IT Asset Managers, CTOs and HR to determine data risk by department, job title, location and work assignment.
4. Understand the legal requirements and data destruction requirements for your industry (erasure, degauss, shredding).
5. Work with a knowledgeable ITAD (IT Asset Disposition company) to create a program that meets your stakeholder requests, legal requirements and provides complete serial number tracking (“chain of custody”) for every IT asset you retire or release. Guardian recommends talking to these CIANJ members: AnythingIT, Baroan Technologies, Safari Solutions and XSolutions to find a good fit.
6. Always use a NAID AAA Certified data destruction provider for auditing, verification, data destruction, reporting and certification of all data-bearing equipment.
7. Properly budget for data destruction as a line item and designate a department responsible for execution, reporting and recordkeeping.
8. Insist on onsite data destruction to ensure that live data is not lost or stolen in transit.
9. Create an evolving education plan that trains your IT techs and IT Asset Managers about hard drive form factors and how servers, firewalls, Apple products and other office equipment use data storage.
10. Work with your purchasing and IT departments to record all data-holding devices and add-ons including SD cards, PCIe, M.2, SATA and NVMe. The more you have on your verification list, the fewer surprises you’ll have.
11. Open up every device – front, back and below – at disposition to check for and remove embedded hard drives or expanded memory.
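Steps 5, 10 and 11 come down to reconciling three lists by serial number: what purchasing and IT recorded, what technicians actually find when a device is opened, and what the destruction certificate covers. The sketch below is an added example, not part of the original article or any provider's tooling; the asset tags, serial numbers, capacities and field layout are constructed for illustration.

```python
# Constructed sample data (hypothetical tags and serials, not from the article).
REGISTER = [  # (asset_tag, drive_serial) as recorded by purchasing/IT
    ("SRV-001", "WD-A1001"), ("SRV-001", "WD-A1002"),
    ("FW-007", "SG-F7001"), ("LT-310", "NV-L3101"),
]
FOUND = [  # (asset_tag, drive_serial, form_factor, capacity_gb) seen at teardown
    ("SRV-001", "wd-a1001 ", "SATA", 4000),     # same drive, sloppy data entry
    ("SRV-001", "WD-A1002", "SATA", 4000),
    ("SRV-001", "NV-X9001", "M.2 NVMe", 2000),  # add-on that was never recorded
    ("FW-007", "SG-F7001", "SATA", 500),
    ("FW-007", "SD-X9002", "SD card", 128),     # embedded storage, never recorded
]
CERTIFIED = ["WD-A1001", "WD-A1002", "SG-F7001"]  # serials on the certificate


def norm(serial):
    """Serials are typed or scanned by different people; compare canonically."""
    return "".join(serial.split()).upper()


def reconcile(register, found, certified):
    """Compare the register, teardown findings and destruction certificate."""
    expected = {norm(s): tag for tag, s in register}
    seen = {norm(s): (tag, form, gb) for tag, s, form, gb in found}
    destroyed = {norm(s) for s in certified}
    untracked = [(tag, s, form, gb) for s, (tag, form, gb) in seen.items()
                 if s not in expected]
    return {
        # Storage found in a device that nobody had on the verification list.
        "untracked": untracked,
        "untracked_gb": sum(gb for *_, gb in untracked),
        # Recorded drives that never showed up at disposition.
        "missing": [(tag, s) for s, tag in expected.items() if s not in seen],
        # Drives physically found but absent from the certificate.
        "not_destroyed": [(tag, s) for s, (tag, _, _) in seen.items()
                          if s not in destroyed],
        # Certificate lines that match nothing found on site.
        "certified_unseen": sorted(destroyed - set(seen)),
    }


if __name__ == "__main__":
    for key, value in reconcile(REGISTER, FOUND, CERTIFIED).items():
        print(f"{key}: {value}")
```

Any non-empty `untracked`, `missing` or `not_destroyed` list is a chain-of-custody gap to close before the asset leaves the building.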
CIANJ Member Glenn Laga, Guardian Data Destruction’s President and Founder notes, “Our onsite data destruction services include hard drive and SSD erasure and shredding to ensure that data on any device is completely destroyed. For remote workers, there’s a cloud-based erasure system with full documentation that wipes drives before shipping. Our services, provided exclusively through ITADs, VARs, resellers and MSPs – never direct, are often the final data protection for a company and its customers. The only way to prevent a data breach or legal action is to destroy the data before IT assets are returned, shipped, warehoused, sold, donated or recycled.”
COMMERCE www.commercemagnj.com