Who Should and Who Must care about STAD
The vast majority of current messaging around cyber is in the context of the world’s internet connected digital landscape. We don’t often hear about an equally important, and perhaps more vulnerable, front of the cyber war: unsecured IT asset disposition.
At the end of 2017, MCPc announced its plans to construct a Secure Technology Asset Disposition Center (STAD) in Cleveland. MCPc’s STAD is purpose-built to mitigate risk during the last phase of the IT lifecycle—effectively addressing the forgotten front.
Why SHOULD you care about STAD?:
If your industry is in the should category, the following are questions we recommend you ask of your business.
- Do you categorize the sensitivity of your end user data by the type of role the user has? Which employees access sensitive data on their device during everyday use?
- Does your e-waste strategy use different destruction treatments for hardware vs its onboard data?
- Do you have a formal agreement with your current e-waste vendor that stipulates how your data is being destroyed? Does it have escalating destruction assurance levels based on your data’s sensitivity?
When we ask our customers these questions we often expose gaps in their security posture. Security must be considered when managing e-waste. Poor e-waste security hygiene opens doors for risk. All industries manage sensitive data:
- Technology used in schools contains confidential information related to minors as well as personally identifiable information, like social security numbers, related to their parents and teachers.
- Information about recipients of chartable services, benefactors, gift amounts, and etcetera are digitally recorded. No member of those groups wants their information shared or compromised.
- IoT devices used to monitor parts health and maintenance schedules must be destroyed with extreme prejudice for security. Relaxed security enables theft. If a device is stolen its internal security protocols can be reverse engineered and hacked. That hack can be deployed to other like IoT computers making them susceptible to manipulation and corruption compromising passenger safety.
- Media and Broadcasting:
- Data stored on media equipment is inclusive of intellectual property, copyrighted materials, and various credentials used to access communication systems. Stolen credentials can be used to hijack a network for unauthorized broadcasts. Even worse, if access to an emergency broadcast system is compromised, there can be a false alarm similar to what happened in Hawaii recently. Creating mass panic is not something that is taken lightly.
Even though your company may not have to comply with industry specific data regulations sensitive data still resides on your devices. Not having mature data and asset destruction practices makes your sensitive data vulnerable.
Why MUST you care about STAD?:
If your industry falls in the MUST
category it’s likely you are already sensitive to its specific data security regulations. Even so, the asset disposition process is often an area of oversight when creating a compliant security posture. Don’t agree?
Our question to you is:
“Can you prove your current e-waste processes provide a high level of assurance your industry’s, your company’s, or your customer’s data security requirements are met?”
A data breach in regulated industries means fines.
In June 2016 Morgan Stanley Smith Barney LLC paid $1 million in penalties
for failing to protect customer information. The company was cited for having policies and procedures “not reasonable” to protect its database of confidential customer information.
Companies in the financial industry are required by federal securities laws to adopt written policies and procedures reasonably
designed to protect customer records and information. Computers, servers, and devices used by financial institutions eventually become e-waste. If a formal policy to protect the integrity of customer records and information contained on that e-waste does not exist, the institution can be seen as non-compliant and subject to penalties.
In March of 2012 Blue Cross Blue Shield of Tennessee agreed to pay $1.5 million
to settle HIPAA violations after 57 unencrypted hard drives containing protected health information (PHI) were stolen. E-waste can contain PHI. Controls need to be in place to manage access and provide high assurance PHI data is securely destroyed when heath care industry technology is retired.
Starting in May all industries MUST care:
Regardless of your industry’s categorization, companies in every industry must care about the emerging regulatory compliance paradigm shift away from industry regulation and towards data regulation.
This shift comes in the form of the General Data Protection Regulation (GDPR
). GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union. GDPR compliance will be enforced starting May 2018.
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.
The data protected under GDPR is remarkably unspecific. Companies that do not interact with GDPR data will be in the extreme minority.
Furthermore, the penalties for GDPR non-compliance are designed to hit hard. Simply paying the fines to skirt around compliance is not an option when penalties can be up to 20 million Euros or 4% of “global annual turnover” (whichever is greater).
Come May 2018, regulated data will reside on the overwhelming majority of corporate devices. Maintaining high assurance of data security on all corporate devices—at every stage of the IT lifecycle-- is imperative.
Recently, Bob Eckman,
MCPc Chief Information Security Officer, spoke in depth about GDPR, what it means for US businesses, the significance of the fines, and the ways companies need to get organized now to be compliant with the regulations in May. A recording of the conversation will be published on MCPc.com later this month.