It’s common knowledge that most data breaches are caused by user error. For example, lax security measures and bad daily habits create the perfect opportunity for hackers to swoop in and steal or encrypt data in a ransomware attack. Although poor security is the leading cause of data breaches, there’s another threat that can render even the best security worthless: hardware end-of-life.
To encourage businesses to improve overall protection when it comes to the data destruction process through IT Asset Disposition (ITAD), our team developed a list of 10 ways you can help your organization prevent a data breach. This list is based on various situations we’ve encountered during Apto’s 20 years of providing ITAD services.
Hardware End-of-life data breaches are a major problem
Most businesses sell, donate, or give away old computers without erasing the hard drive. But even deleting files isn’t enough because deleted files can be easily recovered. Even reformatting a hard drive can leave old data behind – a concept we explain in greater detail in an earlier blog: When does deleting a file not delete it?
According to Infosecurity Magazine, criminals salvage old hard drives from landfills and recover private data to use for identity theft. And it’s not just a few people here and there who scavenge sensitive data from old hard drives. Entire criminal organizations exist for this sole purpose, and they get their hands on sensitive data through legal means like eBay and Amazon.
The Real Cost of a Data Breach in 2021 - Time and Money!
According to the latest data breach report by IBM and the Ponemon Institute, the cost of a data breach in 2021 was $4.24 million USD, a 10% rise from the average cost from 2019 which was $3.86 million.
The time elapsed between the first detection of a breach and its containment is referred to as the data breach lifecycle. In 2021 it took an average of 212 days to identify a breach and an average of 75 days to contain a breach, for a total lifecycle of 287 days! If a breach occurred on January 1st and it took 287 days to identify and contain, the breach would not be contained until October 14th. That is a long time for a business to be upended by something you can prevent!
Here are 10 Ways You Can Prevent a Data Breach
1. Design the Process for Failure
For instance, safe cars are designed with intentional crumple zones. If someone wants to break in badly enough, it eventually will happen. Make sure that when they do, you can minimize the damage.
- Encrypt your data (in motion and at rest)
- Disable (temporarily) the offending accounts
- Revalidate (more securely) any logins that seem suspicious
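The last two items in that list are containment decisions that can be made automatically from the authentication log. The following is an added example (not Apto's code) of that triage: a burst of failed logins temporarily disables the account, and a successful login from a country never seen for that user forces a step-up revalidation. The log line format, the field names, the thresholds and the per-user baseline of known countries are all constructed for the example; a real deployment would take them from the identity provider.

```python
"""Containment logic for the 'design for failure' list above.

Added example, not Apto's code. The log format, thresholds and the baseline
of known countries are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# constructed log line shape: timestamp, user, source IP, geo country, outcome
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"geo=(?P<geo>\S+) result=(?P<result>success|fail)$"
)
FAIL_THRESHOLD = 5                  # failures inside the window that trigger a lock
FAIL_WINDOW = timedelta(minutes=10)

# constructed sample log: carol is normal, alice logs in from a country never
# seen for her, bob's password is being guessed and then a guess succeeds
SAMPLE_LOG = """\
2021-03-04T09:00:01Z user=carol ip=198.51.100.7 geo=US result=success
2021-03-04T09:01:10Z user=alice ip=203.0.113.10 geo=BR result=success
2021-03-04T09:02:00Z user=bob ip=192.0.2.55 geo=US result=fail
2021-03-04T09:02:05Z user=bob ip=192.0.2.55 geo=US result=fail
2021-03-04T09:02:09Z user=bob ip=192.0.2.55 geo=US result=fail
2021-03-04T09:02:14Z user=bob ip=192.0.2.55 geo=US result=fail
2021-03-04T09:02:20Z user=bob ip=192.0.2.55 geo=US result=fail
2021-03-04T09:02:31Z user=bob ip=192.0.2.55 geo=US result=success
this line is not in the expected format and is skipped
""".splitlines()

# constructed baseline: countries each user has successfully logged in from before
KNOWN_GEO = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def parse(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def triage(lines, known_geo):
    """Map each user to the containment action the list above calls for:
    'disable_temporarily' after a burst of failures, 'revalidate_step_up'
    for a successful login from an unfamiliar country, nothing otherwise."""
    actions = {}
    recent_fail = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "fail":
            # keep only failures inside the sliding window, then add this one
            recent_fail[user] = [t for t in recent_fail[user] if ts - t <= FAIL_WINDOW] + [ts]
            if len(recent_fail[user]) >= FAIL_THRESHOLD:
                actions[user] = "disable_temporarily"
            continue
        if actions.get(user) == "disable_temporarily":
            continue  # a success after the burst does not lift the lock; a person reviews it
        if ev["geo"] not in known_geo.get(user, set()):
            actions[user] = "revalidate_step_up"
    return actions


if __name__ == "__main__":
    for user, action in sorted(triage(SAMPLE_LOG, KNOWN_GEO).items()):
        print(f"{user}: {action}")
```

Run on the constructed log, `triage` locks bob, sends alice through step-up authentication and leaves carol alone. The lock is deliberately not lifted by the later successful login: the point of designing for failure is that the account the attacker just got into is the one that stops working until someone looks.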
Many tech departments make the mistake of locking down IT sectors and call it a day. To ensure security, you’ll need to look beyond the tech department and into:
- HR – on and off-boarding employees
- Remote workers – protecting remote data
- Physical security – defending against physical access to sensitive areas
3. Plug Common Holes
OWASP, for example, provides a Top 10 list of the most common vulnerabilities. Do you have a mitigation plan in place for all of them?
4. Don’t Collect What You Don’t Need
This seems obvious, but in today’s Big Data world where data mining is the norm, it’s easy to overstep in the name of analytics. Do a thorough analysis of the effectiveness of the data that you collect and weigh the potential benefits against the responsibility of protecting that data.
5. Minimize the Number of Storage Locations
A smart backup strategy requires that you have at least 3 copies (2 redundant onsite, and 1 offsite) of your data, but think carefully before expanding beyond this. Without a careful strategy in place, it’s easy to lose track of all of the storage locations. If you can't remember where your data is, you can't protect it!
6. Purge Old Data Responsibly
When data ages out and you no longer need it, are you purging it from your systems? Set appropriate expiration times. Then make sure that you use responsible data destruction methods, or partner with someone who does.
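The earlier point that deleting or reformatting leaves data behind, the "encrypt at rest" item under point 1, and the responsible destruction this point asks for are three views of the same mechanism. The following added example (not Apto's code) models a drive as a flat array of blocks and shows why: an OS delete only forgets the directory entry, so the record can still be carved from the raw blocks; overwriting the blocks before freeing them removes it; and a drive that was encrypted at rest from day one holds only ciphertext, so destroying the key is the erasure. The block size, the sample record and the HMAC-based stream cipher are all constructed for the example (the cipher is a standard-library stand-in for the AES full-disk encryption a real OS or self-encrypting drive provides).

```python
"""Toy block device: why 'delete' is not 'destroy' at hardware end-of-life.

Added example, not Apto's code. The disk layout, the sample record and the
stand-in cipher are constructed for illustration only.
"""
import hashlib
import hmac
import os

BLOCK = 16  # constructed: tiny block size so the whole device fits in memory
SECRET = b"customer SSN 123-45-6789"  # constructed sample record, not real data


class ToyDisk:
    """A flat array of fixed-size blocks plus a directory mapping names to blocks."""

    def __init__(self, n_blocks: int):
        self.blocks = bytearray(n_blocks * BLOCK)
        self.free = list(range(n_blocks))
        self.directory: dict[str, list[int]] = {}

    def write(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        used = [self.free.pop(0) for _ in chunks]
        for idx, chunk in zip(used, chunks):
            self.blocks[idx * BLOCK:idx * BLOCK + len(chunk)] = chunk
        self.directory[name] = used

    def delete(self, name: str) -> None:
        """What an OS delete does: forget the name, mark the blocks reusable,
        and leave every byte of content exactly where it was."""
        self.free.extend(self.directory.pop(name))

    def wipe(self, name: str, passes: int = 1) -> None:
        """Responsible destruction on magnetic media: overwrite, then delete."""
        for idx in self.directory[name]:
            for _ in range(passes):
                self.blocks[idx * BLOCK:(idx + 1) * BLOCK] = os.urandom(BLOCK)
        self.delete(name)

    def carve(self, needle: bytes) -> bool:
        """What whoever ends up with the drive can do: scan the raw blocks
        and ignore the directory entirely."""
        return needle in bytes(self.blocks)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256, XORed over the data.
    A stdlib stand-in for the AES-based encryption a real drive or OS
    provides; it is not authenticated and is here only so the example runs
    offline."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], pad))
    return bytes(out)


def delete_only() -> bool:
    """Plain delete: the record is still carvable from the raw blocks."""
    d = ToyDisk(8)
    d.write("customers.csv", SECRET)
    d.delete("customers.csv")
    return d.carve(b"123-45-6789")  # True


def overwrite_wipe() -> bool:
    """Overwrite before freeing: nothing left to carve."""
    d = ToyDisk(8)
    d.write("customers.csv", SECRET)
    d.wipe("customers.csv")
    return d.carve(b"123-45-6789")  # False


def crypto_erase() -> tuple[bool, bool]:
    """Encrypt at rest from day one; at end of life, destroying the key is the
    erasure. Returns (carvable_at_rest, readable_with_key)."""
    key = os.urandom(32)
    d = ToyDisk(8)
    d.write("customers.csv", keystream_xor(key, SECRET))
    carvable = d.carve(b"123-45-6789")                                      # False
    readable = keystream_xor(key, bytes(d.blocks[:len(SECRET)])) == SECRET  # True
    del key  # key destroyed: the blocks are now noise, overwritten or not
    return carvable, readable
```

The overwrite path is the one caveat worth keeping in mind when reading the toy model: it only works where the storage writes where it is told to. An SSD's wear levelling and remapped sectors mean the controller may keep the old copy out of reach of an in-place overwrite, which is why the key-destruction path, the drive's own secure-erase command, or physical destruction is what a certified disposition process relies on for end-of-life media.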
7. Train, Train Some More, and Train Again!
Just because you have a “policy” in place doesn’t mean that your people actually follow it. Educate employees on the importance of security to the organization and give them a high-level view of the risk and the goals you are striving for. If your employees know why they’re doing something, they are much more likely to follow the plan.
8. Grant Access Only on an As-needed Basis
What access do your employees have? Do they need that access to do their job? Give them just enough room to get the job done. Extra access means extra liability. If by chance an employee’s account is compromised it shouldn’t grant the hacker an all-access pass to your business.
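The questions in this point ("What access do they have? Do they need it?") are an access review, and the review is worth scripting so it runs every quarter rather than once. The following is an added example (not Apto's code) of one: it compares what each account holds against what its role needs, flags accounts with no role on file (typically a leftover from off-boarding), and flags held permissions that have not been exercised in 90 days, which is the practical signal that the access was not needed for the job. The roles, accounts, permission names, usage dates and the 90-day threshold are all constructed for the example.

```python
"""Least-privilege access review.

Added example, not Apto's code. Roles, accounts, permission names and
last-used dates are constructed for illustration.
"""
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)   # constructed threshold for "not used for the job"
TODAY = date(2021, 6, 4)           # fixed so the example is reproducible

ROLE_NEEDS = {  # constructed: what each job actually requires
    "support": {"crm:read", "tickets:write"},
    "finance": {"ledger:read", "ledger:write", "crm:read"},
    "itad-ops": {"asset-db:read", "asset-db:write", "wipe-certs:write"},
}

GRANTS = {  # constructed: (role on file, permissions the account currently holds)
    "alice": ("support", {"crm:read", "tickets:write", "ledger:write"}),
    "bob": ("finance", {"ledger:read", "ledger:write", "crm:read"}),
    "carol": ("itad-ops", {"asset-db:read", "asset-db:write", "wipe-certs:write", "crm:admin"}),
    "svc-old-backup": (None, {"ledger:read"}),  # no owner or role recorded
}

# constructed: last time each (account, permission) pair was actually exercised
LAST_USED = {
    ("alice", "crm:read"): date(2021, 6, 1),
    ("alice", "tickets:write"): date(2021, 6, 2),
    ("bob", "ledger:read"): date(2021, 6, 1),
    ("bob", "ledger:write"): date(2021, 1, 15),
    ("bob", "crm:read"): date(2021, 5, 30),
    ("carol", "asset-db:read"): date(2021, 6, 3),
    ("carol", "asset-db:write"): date(2021, 6, 3),
    ("carol", "wipe-certs:write"): date(2021, 6, 3),
}


def audit(role_needs, grants, last_used, today):
    """Return {account: findings}; accounts with nothing to report are omitted.

    Findings are 'orphaned' (no role on file), 'beyond_role' (held but not
    needed by the role) and 'unused_90d' (held but not exercised recently).
    """
    findings = {}
    for account, (role, held) in grants.items():
        report = {}
        needed = role_needs.get(role)
        if needed is None:
            report["orphaned"] = sorted(held)
        else:
            beyond = sorted(held - needed)
            if beyond:
                report["beyond_role"] = beyond
        # a permission never seen in the usage data counts as never used
        stale = sorted(p for p in held
                       if today - last_used.get((account, p), date.min) > STALE_AFTER)
        if stale:
            report["unused_90d"] = stale
        if report:
            findings[account] = report
    return findings


def blast_radius(grants, account):
    """Distinct permissions exposed if this one account is compromised."""
    return len(grants[account][1])


if __name__ == "__main__":
    for account, report in audit(ROLE_NEEDS, GRANTS, LAST_USED, TODAY).items():
        print(account, report, "blast radius:", blast_radius(GRANTS, account))
```

On the constructed data, alice and carol each hold one permission their role does not need and have never used it, bob's `ledger:write` has sat idle since January, and the orphaned service account still reads the ledger with nobody responsible for it. Each finding maps to a concrete revocation rather than a policy reminder, and `blast_radius` is the number this point is really about: what the attacker gets if that one account is the one that is compromised.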
9. Make a Plan and Drill It
“Plans are useless, but planning is indispensable.” —General Dwight D. Eisenhower
Would you make an emergency evacuation plan and never test it? What if after a fire broke out, you discovered that your escape route was blocked by the floor reconfiguration that you did 2 years ago? That’s a BAD time to find out.
Planning for a data breach is no different. By making the plan you force yourself to walk through the possible scenarios that could come up. Then put that plan into action by drilling your team with it. Trust me, the difference between theory and practice here will shock you.
10. Hold Your Vendors and Partners to the Same Standards
Last but not least, once your house is in order, make sure that your vendors and partners are on the same page when it comes to data security. Share your security best practices with them and don’t be afraid to call them to a higher standard. After all, their failure falls back on you.
Still not certain what steps to take to protect your organization's valuable information in the disposition process? Feel free to reach out. Our team of ITAD specialists can help design a program to specifically meet your project needs.