Last Updated: 26th October, 2019
Data Security: A single lot with 20 servers and more than 500 drives showed up on Craigslist last year for sale. The problem – they held 13 TB of data, including one database of 3.8 million customer records and another with 258,000 entries listing full credit card payment details, all unencrypted. The equipment, some of it sent in by customers for repair, had been abandoned by a bankrupt electronics retailer.
This case was ultimately reported after a good tech Samaritan got curious. Most of these breaches, however, never result in a notification email to individuals whose information may have been compromised. In fact, sourcing valuable data from the e-waste stream may be the perfect crime, both profitable and largely undetectable.
The current push toward a digital transformation can only exacerbate the problem. Enterprises are rapidly migrating to the cloud. As IaaS and SaaS replace legacy infrastructure and the applications running in the data security center, companies are getting rid of on-premises and co-located hardware and, in many cases, closing entire facilities.
Even organizations determined to retain ownership of core business systems are investing in advanced technologies capable of delivering on the promise of the software defined data security center and keeping up with the computing demands of Artificial Intelligence.
IT organizations are in a transitional phase, and this is leading to an aggressive cycling of older equipment, which must be decommissioned and processed. Enterprises are courting risk by mishandling the data contained on IT assets sent to the resale market and those tagged for recycling.
Data Security: The Industry Remains Underprepared
The bane for data security professionals is the frequency with which basic measures could have safeguarded confidential information, whether it’s applying a patch to fix a known, or instituting secure asset decommissioning procedures.
Perhaps most disturbing, despite over a decade of reports about the vulnerability of physical assets – remember the Veterans Administration breach? Many data security center professionals remain blasé about the threat posed by their used equipment.
More than half of organizations‘ content themselves with using free online tools to manually erase data, eventually. Even then, drives may be removed and stored on site for weeks, months or years before such minimal effort is made to eradicate private information.
The implementation of the GDPR and next year’s rollout of California’s digital privacy law are increasing the regulatory risk associated with any compromise of sensitive data securely. The highest cost is often lost reputation, as customers lose trust in the organization’s ability to protect their personal and financial information from bad actors.
Asset And Data Security Measures
Enterprises are right to look to their used IT assets as a potential revenue source. For example, by tapping the resale market, my company generated $42 million for customers after just 12 months. Companies can leverage outsourcing providers to offload such hardware or handle the decommissioning and resale processes internally.
Either way, it’s essential that appropriate procedures be followed to properly decommission equipment – test, wipe, reformat, and when necessary, destroy drives to ensure the highest level of data security and keep customer data safe.
Enterprises interested in upgrading their decommissioning data security and environmental measures should look at the following resources:
- U.S. Environmental Protection Agencies Waste Wise Program
- Electronic Equipment (WEEE) Directive and European Union’s Waste Electrical
- Standards and guidelines issued by the National Association of Information Destruction, Base Action Network e-Stewards Program
Bypassing an in-depth study of current best practices, a short checklist for responsible decommissioning should include:
- Tracking of all decommissioned hardware at every stage
- Quarantined storage with limited, monitored access
- Department of Defense processes for data wiping
- Separate drive reviews by multiple certified technicians to ensure full data destruction
- Shredding of any non-functional disks by a certified provider
- Secure transport of remnants for recycling into raw materials or renewable energy, per government standards
- Documentation of all data destruction and Responsible Recycle certifications
- Third-party auditing to ensure all critical processes are followed
Even as the data security industry helps enterprises prepare for increasingly sophisticated cyber-attacks, we must continue to underscore the importance of physical asset security.
Companies cannot afford to allow high-profile, technically impressive data security breaches covered in the news to distract them from deploying routine safeguards while sensitive information walks out the back door.