In a world of cloud storage and big data, we are all constantly reminded of information being collected all around us. Nearly every company, large or small, develops a policy or method for paper shredding. Sensitive documents like personnel records, financial statements, contracts, and leases need to be destroyed. While this information is in use, it needs to be protected in company systems by anti-virus software and security firewalls. Both physical and digital security are considerations covered under a data security plan. Whether it’s regulatory requirements or legal concerns, all companies should have a data management policy in place.
Paper shredding certainly isn’t new technology. Solutions are widely and readily available in all industries at the click of a button. Most offices use their own commercial paper shredding equipment, because the value of secure data management is evident when the data is a tangible, physical item piling up in cabinets and records rooms.
In a digital world, however, our most precious data is no longer on paper. It’s on our computers, mobile devices, and external drives. During a device’s lifetime, the information is protected through password credentials, firewalls, and similar security measures. When these computers or tablets need to be retired, however, special care needs to be taken with the information and drives stored on them.
Third-party agencies can easily be found, eager for the opportunity to remove your end-of-life electronics. In most instances, when asked what their current in-house process for secure data management is, the answer is either “We have a guy,” or blank expressions that slowly transition into thousand-yard stares. This, of course, is a problem, and it becomes even more unacceptable considering that legal liability for data breaches lies with the data controller and cannot be passed to third-party affiliates.
The confidential information of your clients is too important to be trusted with such responses. In order to truly safeguard their data, and to avoid a costly (in terms of finances and litigation as well as consumer confidence and public image) data breach, you must assume responsibility for this information even when the chain of custody is passed to downstream vendors.
As Technology Advances, So Should Your Processes
Taking control over your data starts with educating team members, decision-makers, and stakeholders on how to look for weaknesses and turn them into strengths. However, the rapid progression of technology means that the data solutions you relied upon last year are outdated and a liability today. Data destruction methods that were industry standards may no longer be sufficient for new media like solid-state drives. Improperly disposed-of devices and drives are a cyber criminal’s dream, and this means that the sanitization techniques you or your vendors use must be fully up to date.
If you or your vendors are still relying solely on degaussing or similar methods to provide full-scale destruction, your information is at risk. Physical destruction and other methods should be considered to provide the highest degree of security.
Most Data Breaches are Caused by External Sources
If a third party is sharing or managing your confidential data, make sure you have done your due diligence. These downstream affiliates should be assessed on their cost-effectiveness, adherence to schedules, and reliability. Evaluate their security policies, secure access protocols, and how they test and validate which users have access to equipment with this sensitive data. If they are also responsible for destroying retired drives and devices, then their procedures and techniques should also be appraised.
Quality assurance measures such as system audits are standard practice. Requesting an on-site inspection is the best way to substantiate whether your vendors are operating to the required standards. This approach enables you to confirm their methods by investigating their data destruction protocols in action.
As your company adapts to the quickly changing landscape of new technology and takes advantage of what these tools provide, establishing better processes makes sense. If you’re evaluating the chain of custody and access to devices and data as the number one liability, the best first step is to have the data removed before a device is unplugged.
However, this will mean that your company will have to choose or develop in-house systems for sanitizing drives and destroying confidential information. This can be an intimidating project to take on, as complying with industry regulations and legislation, and integrating new technology or systems into existing company infrastructure, are complicated and highly technical tasks. However, if you are seeking to fully protect your company’s and clients’ information, then it is a step you will have to take. Fortunately, Clarabyte’s suite of software solutions makes taking on these new functions easy. Our systems are designed to smoothly interface with your current computer architecture, reducing disruptions. Also, our staff is fully versed in all the laws and guidelines relevant to data management in your industry.
Remove the data, remove the risk
Requiring a commercial tool that exceeds current international standards, includes a detailed, automated, auditable report, and provides verification, so that it offers the best defense against a data breach, narrows the field to only a few. (Even the Department of Defense adopted the NIST standard in 2014, replacing the longstanding DoD standard all CIOs know and love.) Distilling it even further, Clarabyte’s tools are faster and easier to implement than the competition’s, and include mobile tooling compatibility, which mitigates any network infrastructure configuration that can, and inevitably will, interrupt your day-to-day operations and priorities.
In today’s criminal climate, data security needs to be a priority, not an afterthought. If your company has not recently examined its security plan, or, worse yet, if it does not have one, then it is gambling with the data it handles, with its credibility, and maybe even the ability to stay in business. Full protection means that your company must have the most up-to-date and appropriate data management and destruction solutions.