ADDRESSING DATA DESTRUCTION’S GREATEST WEAKNESS

Employees are the heart of an organization–they’re the people that see to the day-to-day operations and interact with customers to ensure the success of the organization. As much as your employees are vital to your business, however, they can also (intentionally or unintentionally) pose significant security threats to your organization.

According to a cybersecurity study conducted by the Association of Corporate Counsel (ACC), employees are responsible for the vast majority of data security breaches. For all their guile, hackers can seldom infiltrate a security system that’s securely managed through a rigorous protocol, but that simply isn’t the reality of how employees operate. Employees have other duties to perform, they have personal stressors, they can grow bored with a task and grow careless–the list is endless, but the message is clear. Without substantial changes made to their working conditions, employees cannot be trusted to protect sensitive data.

The ACC’s study was conducted on the data security industry as a whole, but its findings are particularly pertinent in the world of data removal. Data destruction, as it stands today, relies on employees to not only destroy private information but to determine which files should be retained or erased. This judgement call can easily result in residual data slipping through the cracks and ending up in the hands of cybercriminals. If data erasure is to ever become secure, then even the most well-trained employees will need clear and express instructions on how to perform their duties.

Before we examine how to rectify this rampant data security weakness, it’s best to look at how employees improperly dispose of data and the effect this has on their employers.

Top Employee Errors with Data Destruction

The ACC’s report was clear that employees are responsible for data security breaches, but Verizon’s data breach investigation examined what employee errors were leading to these data breaches. Let’s take a look at some of the most common data destruction mistakes employees make to get an idea of where the solutions may lie.

1. Losing Hardware. Laptops containing private employer information are some of the most commonly lost and stolen items that employees own. 39% were stolen from the work area, presumably by other employees, while 34% were stolen from unlocked vehicles. Regardless of the reason, this carelessness has caused countless data security breaches.
2. Improper Data Disposal. Verizon found consistent usage of faulty data destruction methods when employees were instructed to destroy confidential information. These included things like non-user-friendly wipes and solutions that left residual data on the hardware.
3. Unclear Instructions. When investigating large-scale security breaches, Verizon found that most employees cited their reasons for not following security protocol as “lack of understanding” and “unclear directions.” Because of the poorly-articulated data security policies, these employees found themselves unable to protect vital company information.

Now that we have an understanding of how these data breaches come about, we can properly address how organizations can go about securing their data destruction policies.

Protecting Hardware

While an employee’s hardware may not rank the highest on a list of security concerns, the information stored on that hardware undoubtedly does. The current norm of the workplace is BYOD, so insisting that employees leave their devices at home isn’t a realistic solution. Thankfully, there are other changes in policy that can have a real impact on the security of employee hardware and, by extension, your private data.

One of the most common ways that professionals are complying with industry regulatory standards is by instituting a clean desk policy. This new take at protecting your organization’s sensitive files includes requiring employees to clear off their desks before leaving and provides clear instructions on how to protect hardware containing company information (not leaving it in plain sight, creating complex passwords, etc.).

These practices are vital to data security in general, but are especially relevant given the recent increase in insider data thefts. The SANS Institute provides a detailed description of how to institute a clean desk policy, but the takeaway is this–the protocol must be clear, actionable and enforceable. When these three criteria are met, a clean desk policy can substantially reduce your risk of losing private information due to simple loss of an employee’s personal device.
This policy will protect your organization from insider theft and carelessly misplaced hardware, but these practices will only ensure that the data is secure long enough to be erased. Once you reach the data destruction phase, however, you’ll need to ensure that that you’re not leaving residual data on decommissioned hardware.

Removing Private Data

At its core, data destruction is the simple erasure of private information. While this is a simple enough explanation, its simplicity is precisely why it’s so routinely targeted by cybercriminals–one mistake can crumble the entire system. If a single file is left after a PC has been decommissioned, it becomes unbearably easy for a criminal to recover that information and use it to ruin the organization. For this reason, it’s imperative that your data destruction practices be so tight that they’re beyond the ravages of human error.

One of the most common failings of data security is the reliance on sub-par data destruction tools such as faulty wipes. While there’s no shortage of unreliable data wipes out there, there are easily identifiable criteria of a good data wipe that you should look out for.

The biggest cue that you’ve found a good data wipe is that it meets your industry’s regulatory standards, e.g. HIPAA for healthcare organizations or the NIST’s regulations for financial institutions. Additionally, since human error is the most common cause of data breaches, a wipe that automates its processes is ideal. Only when your data wipe both meets your regulatory standards and cannot be subjected to human errors can you truly have a secure method of data destruction.

While it may seem difficult to find a wipe with these select credentials, Clarabyte is proud to offer a wipe that does all of this and more. Clarabyte’s data destruction tool, ClaraWipe, exceeds more than a dozen national and international regulatory standards and features a completely automated destruction process. Because of its ease of use and its tendency to surpass industry standards, ClaraWipe can be relied upon to remove private information from a PC before it’s ever unplugged. Of course, you should never rely upon any data destruction solution without properly testing it, which is why Clarabyte proudly offers live demonstrations to showcase how easy removing sensitive data can be.

Regardless of what data wipe you select, you’ll need to ensure that it’s up to your industry’s regulatory standards and can operate without relying on employee oversight. While these benchmarks will guarantee that your data is securely removed, that’s only half the battle of data destruction. The latter, and arguably more difficult, half rests in articulating to employees what information must stay and go.

Creating Clear Destruction Policies

While training employees to be competent in their roles is an admirable goal, it doesn’t solve their propensity for human error. Even the most well-trained employee can make an error in judgement, then suddenly you have information that wasn’t properly destroyed and is now a security liability. If education isn’t the key, then the solution must reside in drafting clear data destruction protocols.

When an organization creates a clear policy regarding how and when to dispose of data, it removes the most dangerous aspect of data destruction: judgement calls. Suddenly employees no longer have to worry about whether or not those files should be erased or retained–it’s all spelled out for them. This means that they can focus more on other duties without worrying about making the wrong decision and jeopardizing the organization’s data security.

While drafting a clear data destruction policy is essential to optimized data disposal, there are certain steps that must be followed when this policy is created. It must be, above all else, explicit in its instructions; for example, after reading the policy, your employees shouldn’t have to wonder about whether they should erase a certain file, since that information should be crystal clear. Moreover, the policy should, in the interest of adhering to regulatory standards, be written in the simplest language and thoroughly explained. While routine education is nice, it won’t be nearly as effective as thoroughly explaining the data destruction protocol.

Once these criteria are met, you will find yourself with a data destruction policy that is above human error. Your employees will not only be more effective in securing your data, but they’ll appreciate not having to agonize over whether their decisions will mean the end for their employer.

Bringing the Pieces Together

None of these defenses will be sufficient on their own, but when combined, they will substantially reduce the danger that human error can present to your organization. Through implementing clear policies to protect hardware, creating easy-to-understand data destruction plans and employing the services of reputable data wipes, you will suddenly find yourself able to go about your day without worrying about whether an employee will inadvertently ruin your organization. Your employees are there to ensure the success of your business, not to inadvertently shove it into harm’s way. Update your data destruction protocols to the industry standards, and you’ll guarantee that your employees are working with you rather than against you.

References

“Clean Desk Policy.” Sans Institute, June 2014. Web.

Kalman, Matthew. “Two-Thirds of Companies See Insider Data Theft, Accenture Says.”  Bloomberg, 26 June 2016. Web. 03 Feb. 2017.

“Legal Resources.” ACC Foundation: the State of Cybersecurity Report – Association of Corporate Counsel (ACC). 09 Dec. 2015. Web. 03 Feb. 2017.

“2016 Data Breach Investigations Report.” Verizon, 2016. Web.