What are the consequences of not having an onsite data destruction plan?
Wouldn’t it be nice if data at rest did not have to be a concern on a failed hard drive, or on old assets being removed from your network? It would, right? Unfortunately that type of future will not be ours anytime soon. What are the REAL consequences of not having an onsite data destruction plan?
It doesn’t take a catastrophic event to cause a data breach. A breach can simply be started with a misplaced hard drive, a stolen flash drive, or an employee or vendor who has not been properly taught how to protect the data they interact with.
Scenario 1: Imagine one of your employees needs to leave work early for some reason or another, pretty standard. They decide before they go they need to take some work home with them. They pop in their flash drive, transfer a few files and are out the door. While at their appointment their car is broken into, and among the items taken is the flash drive. What you didn’t know was within that data was some of your customer’s personally identifiable information (PII), and now it’s no longer in your possession. This has happens more often than you would think, and in this particular instance it led to the exposure of almost 10,000 records.
Scenario 2: Your organization is having routine maintenance performed within the data center. During this time you are expected to replace any failed drives within the environment. You find and replace three failed drives and place them on a table off to the side. You complete your task and are interrupted by a colleague asking for your help with something else. When you come back to your work you notice the three drives you replaced have gone missing. What you don’t know is that while you were away a third party vendor was also performing routine maintenance and mistakenly took the drives from off the table. It will only take one of those drives to be misplaced while in his/her possession to create a very large problem for your organization.
Scenario 3: Short staffed you are trying to update your tape catalog. You have an intern moving the old equipment from its original location down to a storage area. After everything is moved he/she notices a box of data tapes on a shelf. Recognizing that those don’t belong there, he/she moves them into a closet in the IT room. Now those tapes can be accessed by anyone who can gain access into that closet.
We have heard of, and seen, situations very similar to this. Data at rest has to be taken more seriously across the board. Most parties in an organization always see it as another person’s or department’s problem, it’s everyone’s. It is the duty for all IT members from the C-level down to put into place a failsafe data containment and destruction plan.