Obsolete Technology has Become a Security Risk
Managing obsolete technology and out-of-date electronic hardware has become a critical aspect of information security for all organisations.
A notable data breach incident at an NHS hospital is a good example of why it’s so important to properly dispose of hard drives.
A few years ago, the hospital shipped a number of computers to a company that had offered to take care of the hard drive destruction in exchange for keeping salvageable materials. But almost a dozen of those hard drives ended up for sale on an internet auction site. The data breach was discovered when someone purchased a second-hand computer (not knowing it was one of hospital's) and was able to recover the health records of 3,000 of the hospital’s patients from the hard drive.
Here’s why hard drive destruction and care for obsolete technology is an information security best practice.
- Protecting confidential information is the law. Every sector today has data protection laws that govern the secure destruction of information when it is no longer needed. The document management process should track what personal information is collected, how it is used, where it is stored, and how long it must be retained.
- There are fines for non-compliance. The hospital was fined £200,000 by the Information Commissioner's Office after the data breach. Fines vary depending on the severity of the breach but can be up to £500,000. The overall average cost of a data breach in the UK is £2.53 million, once costs such as lost business and damage to reputation are taken into account.
- ‘Free’ disposal is not a good deal. According to reports, the NHS hospital made a deal with a company that offered free disposal of computers in exchange for all the salvageable materials. But hard drive destruction has to be a secure and contracted process. Partner with a reliable company that has a good reputation, and a secure chain of custody.
- Stockpiling hard drives increases the risk of a data breach. The Shred-it State of the Industry Report 2016 showed that 73% of small and medium business owners (SMEs) only dispose of hard drives, USBs and other electronic devices containing confidential information less than once a year or never.
- ‘Recovery’ software is widely available. According to a 2016 Ponemon report, improved hacking tools have made information theft easier, faster, and less expensive for hackers. In the past two years, 64% said the tools are highly effective. Other research has shown that data is recoverable from hard drives that have been wiped or degaussed.
- Some companies are not committed to information security. In the 2016 Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data by Ponemon, 41% of healthcare organisations said third parties cause breaches while 52% of business associates blamed third-parties. Third parties must be vetted for their information security best practices.
- Destruction method is critical. The document destruction company should utilise industrial grade destruction equipment. Physical destruction of hard drives ensures information is unrecoverable.
- There should be a record of information destruction. Along with a secure chain of custody processes, a certificate of media destruction should be issued after every destruction service.
Protect all aspects of the workplace by implementing data security best practices across the board, including making sure information from obsolete technology doesn't get into the wrong hands by introducing secure hard drive destruction.