With close to 100% of data breach prevention efforts directed at the front end of a network, little effort goes into securing data on an end-of-life IT asset when it is removed from service. Focus is primarily on firewalls, anti-virus, anti-phishing, spam, spyware, infiltration and exfiltration monitoring and many other safeguards.
In 2017, government agencies and companies of all sizes used a Maryland Cyber Security firm to destroy over 250,000 computer hard drives which contained several million records. These data-containing drives had been on IT assets taken out of service, and the secure data destruction of these records prevented costly data breaches.
Data centers, server rooms, and even desktops are protected with locked doors, password protection and secure areas. That’s not enough protection. When these highly protected IT assets are removed from service, many end up in unsecured closets, storage rooms or loading dock areas, creating the potential for loss of the equipment, along with the confidential data, resulting in preventable data breaches.
According to the latest Ponemon (1) study on data breaches, breaches are becoming very costly, and the average cost in the US for a data breach was $225.00 per record.
The study also showed that “… more organizations worldwide lost customers as a result of their data breaches.” A loss of 10,000 records could cost a company more than $2,000,000 PLUS loss of clients, company goodwill and client confidence.
Government agencies and NGOs must stay in compliance with the many regulations requiring the safeguarding of Personally Identifiable Information (PII) and other classified data. To make this happen, Frederick Maryland’s e-End specializes in keeping these entities in compliance with the numerous federal regulations related to safeguarding data and preventing data breaches. Regulations such as GLB, FACTA, HIPAA, SOX, FERPA, FISMA, COPPA and others affect all organizations. e-End follows NSA protocols for data destruction and they are one of only three companies worldwide with a AAA certification for a combination of specialized data sanitization and degaussing services.
The proper destruction of electronic data isn’t always as easy as it may seem. For the sanitization and destruction of magnetic and optical media, specialized equipment must be listed on NSA’s Evaluated Product List (EPL). Using non-listed equipment can place data at risk of not being 100% destroyed. NSA guidance related to Solid State Devices (SSDs), which include items such as cell phones, tablets and various other IT equipment, indicates the data cannot be 100% sanitized. A factory reset on devices is no guarantee all data is destroyed. Because of remnant data remaining on SSDs, e-End shreds all cell phones and other SSD memory followed by incineration. “When we sanitize and destroy data on all non-paper media, we can certify the data cannot be recovered by any means,” e-End President Steve Chafitz stated.
In 2017, e-End destroyed data on over 250,000 hard drives. Working with government agencies, enterprise clients and various other companies of all sizes, e-End processed and provided certified recycling for two million pounds of unused IT assets.
“Even though we destroyed large amounts of data containing media and processed tons of unused IT assets, many companies are still not focusing on establishing proper policies and procedures to handle end of life IT assets and the data residing on them. Protecting data on old equipment can prevent a data breach,” Chafitz added.
Guidance from cybersecurity experts emphasizes the need for policies and procedures for an entire organization to abide by when it comes to protecting data and preventing data breaches. A single misstep in the protection of data can cause a catastrophic and non-recoverable event for a company.
1 Ponemon Institute© Research Report
e-End is a Certified Woman Owned Small Business that operates a secure facility in Frederick, MD. They specialize in destroying a wide variety of classified data and various controlled devices. This includes destruction of data containing media, destruction of ITAR controlled devices, IT equipment, and tactical military devices. e-End processes and recycles all end of life IT assets, medical and test equipment. They routinely destroy tactical weapons and body armor that has reached the end of its certified period of use. Steve Chafitz is a subject matter expert on the proper safeguarding and destruction of electronic media and the proper disposition of end-of-life IT assets.