Cyber Security News

How Dumpsters Cause Data Breaches

 

After a laptop breaks, where does it go? Your old work laptop, perhaps too slow to keep up with the growing pace of the Internet, is retired to the IT department, which issues you a nice, shiny new one. But what about all of your old files? Your data? Your client information? It might have been transferred onto your new machine, but are you certain that it’s not still lurking on your old one?

The problem lies in the mindset, according to Kyle Marks, CEO of Retire-IT, an IT asset disposal company.

“There’s no fox watching the henhouse,” he says. “In the industry, we say that ‘Laptops have legs.’ Any asset with reuse or resale value is at risk. This is a people issue, not a technology issue.”

And while many security professionals are not yet directly involved with IT, (according to the 2012 Security 500 report, only 21 percent of CSOs report being responsible for cyber or IT security) they are involved in asset management and theft prevention.

Employee theft tops the list of risks associated with IT asset disposal, and the problem is – many employees think of it as a victimless crime.

“You’re going to throw the machine away,” Marks says. “So IT employees sometimes help themselves to the equipment. But they take it while data is still on the machine, and they can cover their tracks because they know how that organization’s disposal program works.

“You might spend millions protecting data from hackers, but one old computer carries billions of dollars in liability risk,” Marks adds.

While employees might not be necessarily targeting the data itself, stealing the hardware is still a data breach, with the potential to raise costs dramatically. HIPAA violations, for example, could cost millions of dollars per hard-drive that goes missing.

And that doesn’t just apply to laptops, says Karrie Gibson, CEO of Vintage Tech Recyclers. Data loss can occur from CDs, DVDs, flash drives and even printer/copiers, which have hard-drives that can hold data of every printed document.

“The Average Joe only needs three things to gather information off of old devices,” Gibson says. “Want and need, software, and a little expertise.

“You have to check with your IT department and your recycler about the depth of data destruction they use. Ask what software they’re using, how many times they cache data, and their data security procedures. How will they handle your equipment once it’s there? How would you bring it to the facility?” Each step is an opportunity for a breach, she says, so knowing where the weak spots are for each third party association helps security professionals conduct a more thorough risk assessment.

Marks recommends putting strong policies in place, and making sure to enforce them (“An unenforced policy is not a policy,” he says). But first, a shift in mindset is required.

“HIPAA and HITECH are extended to associates and downstream vendors,” Marks says. “There are tiers of security breaches, but the most costly is willful neglect. You’ll get increased penalties, and plaintiff attorneys just get more fuel.” So even after paying for remediation and sanctions, organizations face a whole other wave of litigations from plaintiffs at an average of, Marks says, $1,000 per record.

“At this point, it’s not just an IT problem – it’s an issue of governance, risk and compliance,” he says. Sometimes, you have to take the “IT” out of “IT disposal,” and mitigate the security risks directly as a loss management problem.

Creating a reverse procurement process is the most surefire way to keep tabs on old equipment and avoid litigation, according to Marks.

Legally, organizations should have adequate controls to avoid equipment and data loss. Barcodes or “disposal tags,” Marks says, help to create an unimpeachable chain of custody and the ability to quickly reconcile inventory. For example, if an IT manager scans 14 laptops to be moved to a recycling facility, but the delivery person only scans 13 when they are loaded onto the truck, it’s clear that a breach occurred and within a very short period, cutting down on the timeframe that security professionals would need to investigate.

Also, Marks says, every IT department should have a policy to destroy data before assets are moved or disposed of. The vendor used to dispose of the equipment itself should be regarded as a secondary safeguard.

“There are 3,000 electronic recycling vendors,” says Gibson, “but only 300 are voluntarily certified.” That certification means having an open-door, open-information policy, and Gibson also subjects her company to a third-party audit every month, which tests individual hard-drives to recover any possible data.

Gibson also says that, following the NIST-800-88 data security standard, hard-drives are written over no fewer than seven times, and the devices are dismantled – removing any potentially toxic components – then shredded and crushed into mill-ready product.

“Whole units should always be tracked,” Gibson says. “Your third-party vendor should always be able to produce a product flow chart of where a device is at any given time.”

This goes back to asking every potential third-party vendor those difficult questions about how they treat assets that organizations send to be destroyed. A commonly used program – “Darik’s Boot and Nuke,” says Gibson – is free erasure software from the Internet that does not guarantee the full deletion of hard-drive files. While certified services might cost more (ranging up to $250 per hard-drive), they offer more services, transparency and accountability, she adds.

Even if a laptop is entirely broken, the hard-drive could still have enough data to cause serious compliance complications. By wiping and writing over the hard-drive before destroying it, that data moves further and further out of danger.

“An ounce of prevention here is worth billions,” Marks says. 

 

 

Why Recycle?

Proper disposal or recycling of IT isn’t just a good environmental decision (although that plays a major part), it’s a law.

The average American owns approximately 24 electronic devices, according to the Consumer Electronics Association, and in 2007, 2.25 million tons of televisions, cell phones and computer products were disposed of. Eighty percent of those ended up in landfills.

Now, in 2012, throwing these electronic “scraps” into landfills does not just result in bans, but fines as well, Gibson says. Precious metals and toxic substances such as mercury, lead and chromium are often found within electronics, which can cause serious harm to the environment, she adds. Some recycling companies save money by sending their scrap to foreign landfills instead of recycling it domestically (for more information, Gibson recommends the 60 Minutes special “The Electronic Wasteland” VIDEO).

Some states are working to ease the pain of IT recycling – New York covers 17 devices, offering vouchers or credits to recycle free. Others, such as Illinois, only cover residential recycling.

However, the Environmental Protection Agency (EPA) is working with several companies (including Gibson’s) to promote IT recycling through its Sustainable Materials Management (SMM) Electronics Challenge. Companies pledging to this cause – including Panasonic, Sony Electronics and Dell – send 100 percent of their used electronics to a recognized third-party, certified recycler by the third year of their participation, helping to increase the number of devices collected.

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Claire Meyer

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

September 2014

2014 September

In the September issue of Security Magazine, find out who this year's most influential people are in the security industry are. Also, take a peek at the technology products that ASIS 2014 will be showcasing at the upcoming event. Read about the lessons learned from security at the World Cup, find out why tactical medical training is a must for your enterprise and how Atlanta increased security by sharing surveillance.
Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+