BreachExchange mailing list archives

Inadequate electronic disposal protocols can lead to security leaks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Dec 2013 00:23:35 -0700

http://www.net-security.org/secworld.php?id=16079

American IT departments' decisions could inadvertently put organizations at
risk of an information security breach if they don't have sufficient
protocols for the disposal of old electronic devices.

Even those with established processes could unwittingly initiate a security
leak if they rely on wiping or degaussing hard drives, or handing over
their e-waste to an outsourced recycler. Worse yet, some organizations
might be stockpiling old technology with no plan at all.

Despite the many public wake-up calls, most American organizations continue
to be complacent about securing their electronic media and hard drives.
Processes and protocols surrounding the destruction of electronic devices
have been slow to adapt to a new reality: that businesses large and small
are increasingly dependent on digital information.

Congress is hoping to hold businesses accountable for the protection of
confidential information with the introduction of the Data Security and
Breach Notification Act of 2013, which will require organizations that
acquire, maintain, store or utilize personal information to protect and
secure this data. However, legislation only goes so far and American
organizations of all sizes must be more vigilant to protect themselves from
a data breach that could damage their bottom line, with the prospect of
losing revenue, reputation or clients.

To mitigate the risk of fraud, businesses should consider the following
tips:

Think prevention, not reaction. There is no one-size-fits-all data
protection strategy. Develop preventative approaches that are strategic,
integrated and long-term, such as eliminating security risks at the source
and permanently securing the entire document lifecycle in every part of
your organization;

Be security savvy. Put portable policies in place for employees with a
laptop, tablet or smartphone to minimize the risk of a security compromise
while travelling;

Protect electronic data. Ensure that obsolete electronic records are
protected as well. Simply erasing or degaussing a hard drive or photocopier
memory does not remove information completely—physically crushing the
device is the only way to ensure that data cannot be retrieved;

Create a culture of security. Train all employees on information security
best practices to reduce human error. Explain why it's important, and
conduct regular security audits of your office to assess security
performance.

"For every desktop computer, printer or mobile device purchased, there
should be a secure disposal plan for outgoing technology," said Michael
Collins, Shred-it Regional Vice President. "More often than not, those
devices are loaded with sensitive company or customer information that is
recoverable if the hard drives aren't physically destroyed."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
