Security gaps you may be overlooking
While IT asset management can seem relatively straightforward, there are many areas in which a system can break down, potentially exposing your company to a data breach and significant liability. To avoid overlooking preventable security threats, keep the following considerations in mind.
IT INVENTORY CONTROL
For full control of your IT equipment, it’s critical to know where each device is located and who it’s assigned to. While this seems simple enough, maintaining full inventory control requires constant vigilance. You can start by creating a log of equipment by type, manufacturer, model and serial number. Include all devices that contain data such as desktops, laptops, printers, flash drives, mobile devices and more. This inventory list should be updated each time a new asset is introduced, moved or disposed of, with regular audits to verify device location and identify anything that has become obsolete or is ready for replacement. This practice will not only keep you in control of your assets, but also prevent data exposure from the prolonged use of outdated hardware or software.
ON-SITE DEVICE STORAGE
To minimize risk of theft and loss, you should arrange for secure, monitored, on-site storage when devices are temporarily out of commission (awaiting reassignment or repair) or slated for disposal. Limit access to only necessary personnel and implement a schedule to ensure devices do not sit for too long, which will prevent them from “walking away.” Locked security carts can also be used to collect smaller devices and hard drives in monitored areas around the facility prior to destruction.
With more employees working remotely than ever before, it’s important to account for the laptops, tablets, cell phones, and other devices being used outside of your office or facility. Along with having adequate endpoint security for anything that accesses your system, you should also enforce strict equipment disposal policies to prevent employees from trying to sell or recycle devices on their own. Without proper data destruction, private information could easily fall into the wrong hands. Box-programs that allow remote employees to mail in their devices to approved service providers are a good option to ensure secure destruction and maintain chain of custody tracking.
As devices become more and more intelligent, they collect increasingly vast stores of data, much of which remains hidden from the user. This data often presents a tempting target for hackers, especially when it is available from decommissioned devices. Finding hidden data isn’t easy. The data may be stored somewhere other than the hard drive. In some cases, the hard drive itself can be difficult to find. Depending on the type of system, it may even have multiple hard drives or onboard storage built into the motherboard. If you’re handling the destruction of confidential data in-house, be sure you have the tools and knowledge to find all data at rest. Often, it’s best to leave this task to professionals who are trained in performing these kinds of services.
The disposal phase is typically one of the most overlooked areas when it comes to data security. However, data breaches can occur long after a device has outlived its usefulness. Even if your employees erase data from their devices before discarding them, it’s highly likely it can be recovered. Whether you decommission IT assets yourself or through a third party, the information stored on those devices remains your responsibility. To establish a full chain of custody, your inventory counts will come in handy to reconcile items during the disposal phase and ensure everything is accounted for. This helps you maintain compliance with privacy laws and legislative requirements. If using a third party to resell or recycle your equipment, be sure to ask the right questions. Verify they are properly certified and that they have the capability and experience to find, wipe, and/or shred hard drives and other media that may contain data. They should also be able to provide you with a verifiable Certificate of Destruction and Recycling for your records, backed by industry certifications such as R2 and/or e-Stewards.
Security is an ongoing process that requires a commitment from every employee. The right attitude toward security practices and controls can make a huge difference in your vulnerability to breaches. To help uncover security gaps in your asset management program, you can take a free assessment quiz at www.seamservices.com/findthegap.
As Director of Business Development at SEAM (Secure Enterprise Asset Management, Inc.), Levi Hentges helps clients build and manage their IT Asset Disposition programs to comply with legal, corporate and environmental requirements surrounding their technology devices; including asset recovery and resale, data destruction and secure electronics recycling.