As the CEO responsible for the day-to-day operation of your organization, what happens to your retired hard drives, the ones that contain data about your customers, your employees and your company's own confidential business?
Why is the disposal of your retired (old) hard drives put at the bottom of the list when it comes to data security? In most cases your old hard drives sit in storage until someone discovers them or needs the shelf space and thinks, "gee, maybe it's time to get rid of them." The chore is then delegated to a junior person in the IT department, who thinks he is saving the company money by handing the drives to the third party with the lowest bid, a vendor who in some cases only got into the hard drive destruction business because they were already shredding paper documents.
Your old hard drives are the most overlooked and most under-protected assets in your organization when it comes to protecting the data of your customers, your employees and your company's trade secrets. What happens if there is a data breach and it is discovered that it came from one of your old hard drives?
Your board of directors will not be happy. You could fire your CIO and put all the blame on him (which has happened). Customer relations will suffer, sales will drop sharply, and large lawsuits are possible.
Your CIO has to work within the budget he was given, so disposing of those old hard drives is not a priority. Why? Because, like in most businesses today, your CIO is too busy keeping up with the latest malware, ransomware and whatever else is trying to break into your systems, while also upgrading an obsolete OS and applications and replacing servers before the next budget.
You have heard the stories and seen the statistics time and time again about the cost of a data breach, and of course the old saying: it can't happen to me.
…. the average per capita cost of a data breach in Canada is $250 and the average total organizational cost is $5.32-million.
There have been companies that kept their old hard drives in storage for over eight years with no record of those drives whatsoever.
Here are a few suggestions about keeping those old hard drives safe while stored on site.
1. As soon as a drive is removed from service, record its make, model, capacity and serial number, along with the date and time it was removed, the reason for removal, and the name of the person(s) who removed it.
2. Always know the exact number of hard drives you have in storage and whether each one is kept on-site or at an off-site location.
3. Depending on the size of your organization, limit access to the retired hard drives to the CIO and two or three employees, and only with the CIO's permission (depending on the sensitivity of the data).
4. Keep those drives in a locked room set aside specifically for securing retired hard drives and other storage devices, covered by a surveillance video camera.
5. Do not keep hard drives in storage longer than six months to a year at most. In fact, the data should be erased or the drives destroyed as soon as they are removed from service.
6. Do not turn your old hard drives over to a third party for disposal until they have been wiped or destroyed on-site, with an employee who can verify that each drive was wiped using Secure Erase or a full overwrite before handover.
7. Before an employee leaves your company, make it mandatory that the hard drive from their company laptop, and any other company-supplied device such as a cell phone, is turned in for data removal or destruction.
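Item 6 asks an employee to verify that a drive was actually wiped before it leaves the building, and item 1 asks for a record of every retired drive. The script below is an added example, not code from the original post. It assumes the drive was erased to all-zero (what a zero-fill overwrite or an ATA Secure Erase normally leaves), samples block-aligned reads across the whole device (reading every block when the device is small enough), and writes a JSON record that ties the check to the drive's make, model, capacity, serial number, the person who ran it and the reason for removal. The serial number, model and employee name in the demo are hypothetical, and the demo images are constructed in a temporary directory so the script runs offline; on a real drive you would point it at the block device (for example /dev/sdb) after the erase.

```python
"""Read-back check that a retired drive was wiped, plus the retirement record.

Added example (not from the original post). Assumes the drive was erased to
all-zero. Pass a block device path such as /dev/sdb as `path`; a plain file
behaves the same way and is what the demo below constructs.
"""
import json
import os
import random
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # read size; 4 KiB is the native sector size of most modern drives


def sample_offsets(size, samples, block=BLOCK, seed=None):
    """Block-aligned offsets to read: all blocks if the device is small,
    otherwise the first block, the last block and random ones in between."""
    nblocks = (size + block - 1) // block
    if nblocks <= samples:
        return [i * block for i in range(nblocks)]
    rng = random.Random(seed)
    picks = {0, nblocks - 1}
    while len(picks) < samples:
        picks.add(rng.randrange(nblocks))
    return sorted(i * block for i in picks)


def check_wiped(path, samples=64, block=BLOCK, seed=None):
    """Return (clean, first_nonzero_offset). clean is True only if every
    sampled block read back as zeros; a single surviving byte fails the check."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)  # on Linux this also works on a block device
        size = fh.tell()
        if size == 0:
            raise ValueError("empty device or file: nothing to verify")
        for off in sample_offsets(size, samples, block, seed):
            fh.seek(off)
            chunk = fh.read(block)
            if chunk != bytes(len(chunk)):
                return False, off
    return True, None


def retirement_record(path, drive, checked_by, reason, samples=64, seed=None):
    """Inventory entry for item 1 combined with the verification from item 6."""
    clean, bad = check_wiped(path, samples=samples, seed=seed)
    return {
        "make": drive["make"],
        "model": drive["model"],
        "capacity_bytes": drive["capacity_bytes"],
        "serial": drive["serial"],
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "checked_by": checked_by,
        "reason": reason,
        "sampled_blocks": samples,
        "verified_wiped": clean,
        "first_nonzero_offset": bad,
    }


if __name__ == "__main__":
    # Constructed demo images: one fully zeroed, one with leftover bytes.
    tmp = tempfile.mkdtemp()
    zero_img = os.path.join(tmp, "wiped.img")
    dirty_img = os.path.join(tmp, "leftover.img")
    with open(zero_img, "wb") as f:
        f.write(bytes(1_000_000))
    with open(dirty_img, "wb") as f:
        f.write(bytes(500_000) + b"customer record" + bytes(500_000))
    drive = {"make": "ExampleCorp", "model": "HD-1000", "capacity_bytes": 1_000_000,
             "serial": "SN-HYPOTHETICAL-0001"}  # hypothetical identifiers
    for img in (zero_img, dirty_img):
        rec = retirement_record(img, drive, checked_by="j.doe", reason="decommissioned",
                                samples=300, seed=1)
        print(json.dumps(rec, indent=2))
```

Run it as root against the device after the erase (for example `python3 verify_wipe.py` with `path` set to /dev/sdb) and file the JSON with the drive's inventory entry. Two caveats a practitioner will want: a read-back only proves what the host can still address, so sectors the drive has remapped are not covered, which is why ATA Secure Erase (run inside the drive's firmware) is preferred over a host overwrite where the drive supports it, and why SSDs in particular should not be trusted to an overwrite alone; and for the most sensitive data the page's other option, physical destruction, remains the safer choice.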