Do you know where your hard drives go at night?
By Sean Gouhin
With contribution from Charles Robbins
Columbus Business First
“A remarkable number of data breaches are the result of reckless or intentional mishandling of loose media, and many of those breaches are caused by third-party vendors handling the data-bearing devices.”View the Article
An organization’s information is the lifeblood of its business and must be protected at all costs. Rarely does a day go by without a major data breach hitting the headlines – Target, JP Morgan Chase, Equifax, Facebook – the list grows daily. The ramifications of a data breach are devastating, and many times will put a company out of business altogether.
No organization is immune and it is no longer a question of “if” you will be breached, but “when.” Further, the costs to address such breaches are skyrocketing, regulatory fines and penalties are severe, and brand compromise is real. As such, an organization’s data, and as importantly the data-bearing devices that house that data, must be continually tracked, contained and ultimately destroyed when no longer utilized, all of which must be diligently verified.
Cyber security protocols are ineffective and non-compliant when data-bearing devices are permitted to leave the four walls of a facility for any reason or allow such devices to be handled outside of SOC or ISO certified procedures. Such protocols can make an organization that much more susceptible to data breach. Business leaders may believe that their online data security processes are sufficient, but what happens when their data-bearing devices fail or are decommissioned such that they are disconnected and become so-called “loose media?” The data still remains and is accessible, but the online protections are gone. Data at rest becomes data at risk.
A remarkable number of data breaches are the result of reckless or intentional mishandling of loose media, and many of those breaches are caused by third-party vendors handling the data-bearing devices. Sepp Rajaie, CEO and founder of TechR2, LLC, cautions business executives that the threat of third-party breaches cannot be ignored. “Business data is under ferocious attack by the dark side.
If cybercriminals cannot get to a company’s data directly, they will look to penetrate through third-party sources and what better way to do so than through discarded data devices. The blind trust that organizations put in third-party associates to protect their loose media is alarming and, frankly, irresponsible,” said Rajaie.
What can a company do to protect against a data breach when it comes to its loose media? We suggest adhering to the following internal policies.
- Implement a robust cybersecurity framework and subject it to independent risk analysis at least annually. The risk assessment should comply with high-level risk management standards. Know the applicable regulations – compliance is critical.
- Never lose control of your data-bearing devices. The days of sending these devices offsite to third-party shredding facilities are over. The risk is just too great and a transfer of “chain of custody” will not protect you. All media sanitization must be done on site, within the four walls of your organization. Once the data is eradicated, then, and only then, can the hardware leave your control for disposal.
- Maintain digital, perpetual inventory and tracking of all loose media and the destruction of its data. Reconciliation and auditing are imperative.
- Manage your third-party relationships. Know who you are dealing with and ensure that third-party vendors are appropriately vetted. An organization that has access to your company data must be independently certified for information security, and its representatives must be properly and continually trained.
- Budget and deploy adequate resources. Media sanitization must be adequately funded and cannot be an afterthought. Simple common sense dictates that a complete A to Z data protection solution is necessary.
- Communicate with the brass. Make sure that C-suite level executives and board members are involved and educated on the process and everchanging regulations. After all, they are personally on the line.
The best practice media sanitization solutions ensure that data-bearing devices never leave an organization’s data center until the data is tracked, contained, destroyed and verified. Following this protocol will keep your organization compliant and help to ensure that you never lose sight of where your hard drives go at night.
For more information on secure media retention processes and best practices, please visit www.techr2.com or www.ibm.com.
TechR2® is the industry leader in data eradication solutions with sound experience and best practices. TechR2® is the owner of the patented Tear-A-Byte® solution which presents a Track-Contain-Destroy-Verify method unmatched. TechR2® maintains ISO 27001, 14001, 9001, OHSAS 18001 certifications and its risk assessment provisions are ISO 31000 compliant.