Data Hiding in Disposed Assets – Four Places to Look
This article has been contributed by Jim Kegley of U.S. Micro Corporation.
Destroying data before it leaves a customer’s location is the only way to guard against the inherent risk of shipping data-bearing IT assets. Equipment can be lost or stolen in transit, with potentially devastating consequences.
However, even onsite data destruction isn’t fool proof – it’s only effective if the professionals who perform the initial pick up are properly trained.
In an industry where even a single thumb drive could represent thousands of customer records, organizations must be sure that nothing slips through the cracks. That’s not as easy as it may sound since nearly every device in today’s IT environment can hide data.
One of the most important tasks of an IT asset disposition (ITAD) professional is to recognize assets and places that hide data. Below are four of those common hiding places:
1. Copiers and fax machines
Many copiers and fax machines have hard drives comparable to a desktop computer – and potentially hold just as much sensitive information. Consider how many important documents are photocopied every day in a typical office, as well as the type of information: tax documents, personnel records, financial records and more. Each record is potentially stored on the copier’s hard drive. Even some models from the 1990’s have hard drives. Fax machines also represent a threat, whether it’s a new model with a 40GB hard drive or an older machine with carbon copy technology that stores images of documents on thermal ribbons.
2. Monitors and keyboards
Newer monitors and keyboards have access points for thumb drives and SD cards so users don’t have to reach down to their desktop tower underneath their desk. It may be convenient for the user, but’s a liability for an organization if their ITAD vendor isn’t checking this equipment. Even a mouse is a potential SD card port.
3. Your closet
Too often organizations store equipment for extended periods of time before disposing of it. This increases the risk that assets will be lost, stolen or simply forgotten. Health insurance company Blue Cross Blue Shield of Tennessee learned this lesson the hard way when 57 loose hard drives containing sensitive customer information were stolen from a closet while awaiting destruction. They spent $7 million investigating the theft. The case underscores how much easier it is to lose track of individual hard drives, as well as the importance of vendors recovering assets intended for disposition in a timely manner.
4. Laptop bags
Old laptop bags are a common place to find thumb drives or SD cards misplaced or forgotten by a previous user. SD cards are especially dangerous and easy to overlook since they can be smaller than a fingernail while still holding massive amounts of information. Additionally, customer pickup sites often include boxes of old keyboards, cords, mice, laptop bags and more. All of this equipment should be thoroughly searched for storage devices.
ITAD professionals are almost guaranteed to miss data-bearing devices if they aren’t equipped to recognize which devices have hard drives or storage devices and which do not. Organizations should ask their vendor how they train employees and the process for keeping them updated on the latest technology trends.
Along with a rigorous, ongoing training program, U.S. Micro keeps its technicians current by maintaining a profile on all IT equipment that stores data, from 1990’s era fax machines to the latest SD docking mouse. This encyclopedia serves as a reference to help technicians recognize IT assets they might otherwise overlook.
We have a saying at U.S. Micro: if you don’t know what you’re looking for, you’ll never find it. Make sure your ITAD vendor knows what to look for and constantly educates its technicians on the latest security threats.
*
This article has been contributed by Jim Kegley of U.S. Micro Corporation. U.S. Micro disposes of more than one million IT assets annually, including serving Fortune 500 companies that demand the highest levels of data security and environmental stewardship.
About Martin Thompson
Martin is also the founder of ITAM Forum, a not-for-profit trade body for the ITAM industry created to raise the profile of the profession and bring an organisational certification to market. On a voluntary basis Martin is a contributor to ISO WG21 which develops the ITAM International Standard ISO/IEC 19770.
He is also the author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management. In addition, Martin developed the PITAM training course and certification.
Prior to founding the ITAM Review in 2008 Martin worked for Centennial Software (Ivanti), Silicon Graphics, CA Technologies and Computer 2000 (Tech Data).
When not working, Martin likes to Ski, Hike, Motorbike and spend time with his young family.
Connect with Martin on LinkedIn.