Data Security and Third-Party IT Asset Disposition – a Paradox
Exponential risk is associated with trusting an outside company to handle sensitive information.
Data security is a hot topic these days, and for good reason. Data breaches affect the privacy and security of individuals, businesses, and governments while costing the breached organization extensively. Costs include everything from covering credit monitoring for affected individuals to settling lawsuits to lost business and reputation. And let’s not forget damage to the US Federal Government in the event of exposed sensitive information, the cost of which is incalculable.
According to Soha Systems' Survey on Third Party Risk Management, 63 percent of all data breaches are linked to third parties such as vendors, contractors, or suppliers, while only two percent of IT professionals consider third-party security a top concern. Clearly, the criticality of data security throughout its lifecycle, including end-of-life, which is typically either controlled by a third-party IT asset disposition company or ignored altogether, cannot be overstated.
It is easy to illustrate the severity of data insecurity resulting from third parties. Ghana, well known to be one of the top sources of cybercrime globally, is home to Agbogbloshie, a digital graveyard on the bank of the exceedingly polluted Korle Lagoon. This area, known as Sodom and Gomorrah by outsiders, is one of many computer and electronics landfills around the globe. The discarded equipment found in Agbogbloshie comes from developed nations around the globe including the United States. The residents have learned to salvage the devices or their parts to turn a small profit, but the real threat comes from the organized crime in the area that scours the drives for personal or sensitive information to use in scams or blackmail.
As part of an investigation into this digital dumping ground, journalism students from the University of Vancouver, British Columbia purchased seven hard drives at a cost of $35 from an Agbogbloshie e-waste dealer. What they found was shocking: credit card numbers, social security numbers, bank statements, as well as personal information and photos. They also retrieved a sensitive $22 million U.S. defense contract from U.S. military contractor Northrop Grumman's hard drive, which also contained sensitive contracts with NASA, the Transportation Security Administration (TSA), and Homeland Security. And all of this came from just seven hard drives.
When disposing of end-of-life data, many companies turn to data disposal or recycling vendors and assume that their drives — and the data they contain — are being handled responsibly and safely. The reality is far different. While there are certainly many reputable data sanitization companies, it is just too risky to entrust sensitive information to any third party, simply because of the unknown. In addition to sloppy or greedy third-party IT asset disposition companies, there is a growing number of sham recyclers in operation – companies that offer to pick up and recycle PCs for free, then actually sell them to cyber criminals specifically so they can mine the data they contain for illicit activity.
The only truly secure method of IT asset disposition is in-house drive destruction. The National Security Agency has long known this truth and requires rotational platter-based hard drives to be both degaussed and physically destroyed prior to disposal. Not only does drive destruction through crushing, shredding, or disintegration ensure data privacy and security, it is also environmentally responsible. Shredded hard drive scraps are more easily sorted for metals recycling, leaving a smaller quantity of true waste that is less likely to end up in Agbogbloshie.