“Don’t panic, it’s only a data breach.” Are those words that you would ever hear? Certainly not, because when there is a data breach while panic may not be the optimal reaction it more often than not is the reaction.
A data breach can cause shock waves through a company and even a community. Just look to the example of Santa Clara Valley Medical Center who had to notify 571 patients that their information, including birthday, age, sex, and even specific medical results, was compromised after a laptop had been stolen from their location in San Jose, California. 571 individuals concerned about identity theft and their information in the hands of criminals all because one laptop was stolen.
According to information obtained by Symantec, theft or loss was the top cause for data breaches second to criminal hacking. The study, done in 2011, revealed the combined statistics from theft and hacking resulted in over 200 million compromised identities.
So if theft is number one and hacking is number two, it is safe to say that companies must defend themselves sufficiently against both aspects. HR and the department heads of IT must consistently be planning and implementing procedures to mitigate risk from both loss and criminal activity. From demanding that simple procedures be followed such as shutting down computers so passwords are required on start up, locking down offices after work hours, to training on the importance of keeping mobile assets secure everywhere they go, companies must arm themselves with every means possible to take care of data that is stored on-site at the firm.
As an IT Asset Disposal vendor operating since 1999 we have found that assets at time of disposal are at an increased risk to theft. When assets are retired and not properly secured, stored, and accounted for negligence can lead to a low tech data breach in the form of missing, lost, and stolen media.
The first step to ensuring loss and theft does not affect your data security is to take accurate inventory of retired assets. Once this is complete assets should be kept in a locked room or cage until sanitized or serviced by an approved disposal vendor. For highly confidential media santization or destruction should take place prior to disposal of equipment. Receiving logs and inventory audit reports from disposal vendors should then be used to cross reference serial numbers to your firm’s asset management records. Many companies may have excellent data sanitization processes but neglect the serious threat of theft prior to the completion of data destruction due to real estate, space, and other logistics obstacles.
In the Ponemon Institute’s and Symantec’s Report “2013 Cost of Data Breach Study,” the numbers regarding the costs associated with a data breach are frightening:
US Cost per Record: $188
Average Records per US Breach: 23,647
Average US Data Breach Total Cost: $4,445,636
Average Cost Due to Lost Business: $3,030,814
In response to these alarming figures companies can also mitigate risk by implementing a policy regarding data destruction using a firm that will monitor, guard, and provide proof of destruction through Department of Defense compliant data eradication methods.
The U.S. Department of Defense (DOD) has established a National Industrial Security Program Operating Manual that various Federal Government Departments must use including the Department of Defense, Department of Energy, and CIA. The program describes the methods and systems by which classified information must be secured. Through this data destruction protocol, information is kept secure from acquisition through destruction.
Disastrous results can be avoided through strict adherence to safety and security policies both on-site and after the sale of IT equipment. Informing customers and employees of a data breach is the last thing any company wants to have to do. Customers will be lost and employees’ trust will be diminished. To avoid these issues company heads must plan accordingly, take action, and choose wisely when selecting vendors to help with security needs.