Friday, May 8, 2009

State Secrets for Sale?

Just in case you might think that data theft is something that happens to a few hapless individuals who are lax with their Social Security number read this.

The latest results in a five-years-running study might prompt some to review data destruction policies. University researchers in the U.K., Australia, and the U.S. purchased 300 drives from eBay and other retailers, finding that 34 percent of disk drives still contained confidential data. Banking details, blueprints, patient records, employee data, embassy logs and details on a ground-to-air missile defense system were among the data left behind. Study leads at the University of Glamorgan in Wales say that over the past five years the volume of drives containing sensitive data has fallen, but the volume of data exposed has increased.
Full Story

In my efforts to assist businesses with their identity theft prevention programs one of the areas that we try to cover is the disposal of hard drives. This article illustrates how important this is. Whenever replacing drives or exchanging computers make certain that drives are disabled. The sure fire way to do that is to break the disk or drive a nail through it. Under certain circumstances the data on a wiped disk drive can be recovered. Flash (solid state) drives should be physically destroyed when they are taken from service.
Another issue in the workplace is photocopiers. A copy machine can store thousands of documents in its memory. Since most businesses lease commercial copiers it is essential that the machines' drives be wiped clean before returning it to the supplier. The service technician for the leasing company knows how to format the copier drives, and should do that prior to removing the machine from the clients' office.

1 comment:

Anonymous said...

Most companies enjoy “security” insofar as they haven’t been targeted, or had an employee make a human error with catastrophic exposure. Price Waterhouse Cooper and Carnegie-Mellon’s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture – absent new eCulture, breaches will, and continue to, increase. As CIO, I’m constantly seeking things that work, in hopes that good ideas make their way back to me - check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: -
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome – or propagate one.