We've all read about Target's security breach. It was the work of some incredibly sophisticated criminals who hacked into Target's own network.
While the theft of 40 million credit cards makes for sensational news, it's a drop in the bucket considering the millions and millions of PCs and servers and smart phones and tablets that are outside a company's network firewall. It's the 800-pound gorilla no one's talking about. The data is sitting there. No hacking necessary. Inside men need not apply.
Stealing personal data, as well as company and client secrets, is far more prevalent (and a whole lot easier) than you'd imagine. Here's why:
Beware the Recycled PC.
Have you been employed anytime in the past ten years? You completed an I-9 Form with your social security number, address, signature, date of birth and maiden name. Your data was scanned and/or input into a personnel system.
Your personal information is probably stored on a company PC, or in the cloud on a shared hard drive. Even if you've left that company, I'll wager your record still exists. Somewhere.
As an employee, the PC you use may have email addresses, sensitive data, company intellectual property and logins to clients' accounts. That's pretty normal these days for tens of millions of business computers.
When you upgraded to a new PC, tablet or smart phone, what happened to your old equipment? Was it donated to a charity? Maybe you got to take it home for your kids to use (not sure if your clients would want to know that). Or, perhaps, your company sold it on eBay.
Where's that data now? Was it properly destroyed? Just deleting the files won't wipe the drive clean.
According to cyber security expert Rocco D'Amico, president of Brass Valley in Milford, Massachusetts, there are a few important things employees and employers need to do.
"First off, as an employee, you have a right to know. You just need to ask your employer what their policy is. If the company doesn't have a policy, there's no better time than the present to put one in place," according to D'Amico.
We've been in the business for eleven years and work with large companies all across America that need to protect their data, and themselves. Many executives are surprised to learn that they could be ultimately liable for protecting that information.
When computer equipment is taken out of service it should be cleansed or destroyed. Companies like Brass Valley do this for companies or help them build systems within their facilities so they can do it themselves.
Most security breaches come from "off-network" equipment.
The Target incident is the tip of the iceberg because, depending on what studies you read, you'll find that most security breaches come from equipment that is not connected to the network.
One of the issues we find is that many companies look at decommissioning their IT assets as a revenue-producing function first and a data security function second. A lot of times the equipment still has value so they'll try selling it on eBay, they donate it to a charity or give it to an employee, which is all great. But they don't necessarily understand how to properly erase or destroy data.
Tossing it in a dumpster isn't a good idea, either. I can tell you for a fact that when people see electronic equipment in a dumpster, like a computer or a phone, there's a tendency to grab it. It just attracts people. Bad people. Plus, for larger companies, there are environmental laws preventing this.
Just because the data is in the cloud, doesn't mean it's safer. The "cloud" just means a computer that's shared over the internet. There are still hard drives with data.
As D'Amico puts it:
Surprisingly, there's a general misunderstanding of best practices for the decommissioning of company data center assets. I don't think data center, cloud-type providers are being asked questions beyond the superficial.
Recently we were looking at using an online bill paying application. I started asking questions from this cloud-based provider about how they protected the data. It was apparent that no one had ever asked them these kinds of questions. And because of that, I think they got a little bit of an education.
Business Owner Decommissioning Checklist.
- As a business owner, understand your liability isn't necessarily severed once equipment leaves your building. You retain liability for protecting people's sensitive information. This falls under various regulations such as HIPAA or Sarbanes-Oxley. If the business takes credit cards, PCI regulations come into play.
- Vet your recycler or whoever you sell assets to. They must be able to prove (with electronic or video records) what they did to dispose of or recycle your equipment, as opposed to just saying it. The golden question to ask is: What's going to happen when something goes wrong? It's usually the question that separates the men from the boys.
- One of the best things any business can do from a protection standpoint is to understand what they have, in terms of equipment, and in terms of sensitive information and where it's kept.
- Get educated. Brass Valley has white papers on the subject, as does The International Association of Information Technology Asset Managers (IAITAM), an industry trade association.
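The article makes two points that can be checked in practice: deleting files does not wipe a drive, and whoever decommissions equipment should be able to prove what they did with an electronic record. The script below is an added example, not code from the article or from Brass Valley. It reads a drive image to the end, reports whether any non-zero byte survived the wipe (a wipe that stopped one sector short is a common failure mode), and emits a JSON evidence record with the SHA-256 of what was read. The two sample images are constructed in memory; on real media you would pass the opened block device instead, and the asset tags are placeholders.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

def scan_image(stream, chunk_size=4096):
    """Read a device or image to the end. Return its size, the number of
    non-zero bytes, the offset of the first non-zero byte (None if clean)
    and the SHA-256 of everything read, so the record is tied to the media."""
    digest = hashlib.sha256()
    size = nonzero = 0
    first = None
    while True:
        buf = stream.read(chunk_size)
        if not buf:
            break
        digest.update(buf)
        zeros = buf.count(0)
        if zeros != len(buf):
            nonzero += len(buf) - zeros
            if first is None:
                first = size + next(i for i, b in enumerate(buf) if b)
        size += len(buf)
    return {"size": size, "nonzero_bytes": nonzero,
            "first_nonzero_offset": first, "sha256": digest.hexdigest()}

def attest_wipe(source, asset_tag, chunk_size=4096):
    """Produce an evidence record for the decommissioning file.
    `source` is a readable binary stream or, for convenience, raw bytes."""
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    record = scan_image(stream, chunk_size)
    record["asset_tag"] = asset_tag
    record["verified_at"] = datetime.now(timezone.utc).isoformat()
    record["verdict"] = "CLEAN" if record["nonzero_bytes"] == 0 else "RESIDUAL_DATA"
    return record

# Constructed sample images, not real drives: a 1 MiB image that was fully
# zeroed, and one where the wipe stopped a sector short and left a fragment
# of an I-9-style record in the last 512 bytes.
CLEAN_IMAGE = bytes(1024 * 1024)
PARTIAL_IMAGE = bytes(1024 * 1024 - 512) + b"SSN 000-00-0000 ".ljust(512, b"\0")

if __name__ == "__main__":
    for tag, img in (("ASSET-0001", CLEAN_IMAGE), ("ASSET-0002", PARTIAL_IMAGE)):
        print(json.dumps(attest_wipe(img, tag), indent=2))  # placeholder asset tags
```

The second image is reported as RESIDUAL_DATA with the offset of the surviving bytes, which is exactly the kind of record a recycler should be able to hand back rather than a verbal assurance.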
John Fox is the Founder and President of Venture Marketing. He writes about issues especially important to small business leaders.