Why Obsolete Technology Has Become a Huge Security Risk
Managing obsolete and legacy electronic hardware has become a critical aspect of information security for all organizations.
A data breach incident at NHS Surrey Hospital in the U.K. is a good example of why it’s so important to properly dispose of hard drives.
A few years ago, the hospital shipped a number of computers to a company that had offered to destroy the hard drives in exchange for keeping salvageable materials. But almost a dozen of those hard drives ended up for sale on eBay. The data breach was discovered when someone purchased a second-hand computer (not knowing it was one of NHS Surrey’s) and was able to recover the health records of 3,000 of the hospital’s patients from the hard drive.
Here’s why properly destroying a hard drive is an information security best practice:
- Protecting confidential information is the law. Every sector today has privacy laws that govern the secure destruction of information when it is no longer needed. The document management process should track what personal information is collected, how it is used, where it is stored, and how long it must be retained.
- There are fines for non-compliance. NHS Surrey was fined £200,000 ($300,000 US) by data regulators after the data breach. Fines vary depending on the industry sector. Financial reporting companies that do not comply with the Sarbanes-Oxley Act, for example, risk multi-million dollar fines.
- ‘Free’ disposal is not a good deal. According to reports, NHS Surrey made a deal with a company that offered free disposal of computers in exchange for all the salvageable materials. But hard drive destruction has to be a secure and contracted process. Partner with a reliable company that has a good reputation and a secure chain of custody.
- Stockpiling hard drives increases the risk of a data breach. The Shred-it State of the Industry Report 2016 showed that 60% of small business owners (SBOs) dispose of hard drives, USBs and other electronic devices containing confidential information less than once a year or never; 76% of C-suite executives indicate they destroy hardware every two to three months.
- ‘Recovery’ software is widely available. According to a 2016 Ponemon report, improved hacking tools have made information theft easier, faster, and less expensive for hackers. In the past two years, 64% of respondents said the tools are highly effective. Other research has shown that data is recoverable from hard drives that have been wiped and degaussed.
- Some companies are not committed to information security. In the 2016 Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data by Ponemon, 41% of healthcare organizations said third parties cause breaches, while 52% of business associates blamed third parties. Third parties must be vetted for their information security best practices.
- Destruction method is critical. The document destruction company should utilize industrial grade destruction equipment. Physical destruction of hard drives ensures information is unrecoverable.
- There should be a record of information destruction. Along with secure chain-of-custody processes, a certificate of media destruction should be issued after every shred.
Protect all aspects of the workplace by implementing data security best practices across the board.