Data Destruction Alone Won’t Cut It: Why Pre-Disposal Data Protection Falls Short
Organizations are increasingly adopting pre-disposal data destruction policies. This is a necessary step, but it is not sufficient to ensure data security. It is wise to encrypt or destroy data prior to disposal, as this will help to protect it from unauthorized access if it is lost or stolen in transit. However, even if data is encrypted or destroyed, a data breach can still occur if other safeguards are not in place.
For example, an organization may have a policy of encrypting laptops and other mobile assets. However, if the employees responsible for disposing of these assets do not follow the proper procedures, the data on the devices could still be accessed by unauthorized individuals.
Coca-Cola revealed that 55 laptops had been stolen over a six-year period by an employee responsible for disposing of the equipment. Coke had a policy of encrypting its laptops, but the employee was able to steal 55 laptops without encryption.
This incident highlights the importance of having a comprehensive ITAD (IT asset disposition) program in place. A good ITAD program will include policies and procedures for encrypting or destroying data, as well as for managing the physical security of IT assets. It is also important to train employees on the importance of following these procedures.
The most important thing to remember is that data breaches are caused by assets that slip through the cracks. By taking steps to protect all IT assets, organizations can help to prevent data breaches and protect their sensitive data.
Here are some additional tips for improving data security during IT asset disposition:
- Maintain Separation of Duties: Don’t allow the fox to guard the henhouse.
- Track IT Assets from the Moment They’re Acquired: Tracking IT assets from acquisition to disposition is crucial in ITAM.
- Treat Inventory Discrepancies with Due Regard: Procedures must be in place before assets go missing.
- Recognize That Encryption is Not a Silver Bullet: While encryption can prevent an incident from becoming a breach, it cannot prevent an incident from occurring and does not eliminate the requirement to detect and investigate incidents. Coke had a policy of encryption.
- Destroy Data Before Devices are Moved: 99% of problems happen before an ITAD vendor touches the equipment. No vendor can protect an asset it doesn’t receive.
- Use Disposal Tags: Tracking by serial number is not perfect. Disposal tags deter theft and prove chain of custody.
- Have Equipment Held: Never allow an ITAD vendor to resell or destroy equipment without first establishing the chain of custody.
- Not Sharing Inventory Reports with Vendors: ITAD vendors should not reconcile inventory since they have a conflict of interest. They should instead report what they get, and the data controller should reconcile.
- Automate and Outsource Inventory Reconciliation: Reconciling spreadsheets takes a lot of time and effort. Additionally, the outcomes of a manual reconciliation may be arbitrary and difficult for another party to confirm without starting over.
- Test Security Controls: An organization must implement and test safeguards in order to comply. Strong reconciliation procedures are needed to find lost assets. The inclusion of a fictional asset in each disposal inventory serves as a useful test of this control. It is necessary to mark this hypothetical asset as absent. There is a problem if the ITAD vendor reports receiving the fake asset.
By following these tips, organizations can help to protect their sensitive data and prevent data breaches.