Why the most advanced cybersecurity system isn't enough
By Greg Lever, Senior Vice President & General Manager, Asia Pacific, Iron Mountain
Tuesday, 06 December, 2022
A series of high-profile cyber attacks in recent months have shone a spotlight on the importance of data security for organisations.
The consequences of a cyber attack or breach can be far-reaching and potentially devastating, ranging from financial penalties and compensation to damaged reputations and broken customer trust. Such attacks should be taken as a stark reminder to C-suite leaders of how vulnerable their businesses are — even those with undoubtedly robust security defences can be breached.
Information security has never been more important. With a growing onus on business owners to protect their data and increasing data privacy legislation around the world, there is no room for complacency. But while cybersecurity is now firmly top of mind for the C-suite, many organisations still have a big gap in their security posture — how they manage their physical IT assets throughout every stage of their life cycle. Good asset life cycle management is foundational to effective data security because even the best cybersecurity system can be futile if you do not integrate, maintain and, most importantly, decommission or dispose of your hardware and devices securely.
Best practice for keeping an eye on your assets
Minimising organisational exposure to risks and liabilities requires visibility and control over all of a business’s assets, both virtual and physical. With the boom in remote working adding to the challenge of keeping track of the devices going in and out, it is more critical than ever to follow IT asset management best practices.
Ongoing surveillance, maintenance and risk mitigation of all assets is essential. The first step is to develop a robust asset register that documents every piece of hardware introduced into a business, its purpose and who is responsible for it. The register should also monitor the equipment’s performance, health and protection, making sure that security applications are working and up to date.
Every device should require authentication to unlock, preferably with a forced password change policy in place, and when a device's operating system or firmware is no longer supported by the manufacturer it should be upgraded or replaced, because it will no longer receive security patches. A patch management program that regularly scans all assets for missing security updates, and for any updates required to maintain regulatory compliance, is key.
Perhaps the most crucial part is the end-of-life stage. End-of-life IT assets, known as e-waste, are the fastest growing waste stream in Australia, and there are criminals who salvage old hard drives from landfills or purchase recycled IT equipment with the intention of recovering data from them for illicit gain. For this reason, it is vital to implement an asset disposition process that tracks the chain of custody and ensures that data is verifiably wiped from disused assets. Wiping should be the very first step in the retirement of any asset, yet it is not as straightforward as many people think.
What secure ITAD looks like
IT asset disposition (ITAD) should follow a well-defined protocol: a trusted chain of custody, comprehensive data erasure, and then dismantling into components for repurposing or recycling, or otherwise complete physical destruction. It is a common misconception that erasing data is as simple as deleting files or reformatting a drive. In truth, deleting a file or quick-formatting a drive removes only the filesystem's references to the data; the underlying blocks stay on the medium until something overwrites them, and recovery tools that scan the raw device can carve them out. Specialised data erasure software that overwrites every addressable sector and verifies the result must be used (for flash-based and self-encrypting drives, whose controllers remap storage behind the logical address space, this means the drive's own sanitise or cryptographic-erase command rather than a plain overwrite), and, when destruction is required, the asset must be physically destroyed to the point that it is impossible to recover any data from it.
Working with a third-party contractor to complete the disposal process can help ensure that data is correctly and thoroughly wiped. However, it is important to check that any supplier is certified against a recognised data sanitisation standard (NIST SP 800-88 is a widely used one), can verify complete data erasure, and provides proof of adequate physical destruction or dismantling of the asset. Non-compliant erasure methods leave data recoverable with readily available forensic software.
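The point that deletion and quick-formatting leave data in place, and that only an overwrite verified by reading back counts as erasure, is easiest to see on a model disk. The following is an added example, not code from the article or from any ITAD vendor: it builds a deliberately minimal block device with a separate directory table (a stand-in for a real filesystem, which differs in detail but behaves the same way here), "deletes" and "quick-formats" a file, shows that a raw scan still finds the content, then overwrites every block and verifies the result. The `ToyDisk` class, block size and sample record are all constructed for the example.

```python
"""Why deleting or quick-formatting is not erasure, on a toy block device.

Added example (not from the article). The 'filesystem' is a directory table
held apart from the data blocks, which is the property that matters: deletion
and quick format discard references to data, not the data itself. The model is
a magnetic/logical-address disk; flash controllers remap blocks behind the
logical address space, so a logical overwrite like sanitize() below is not a
sufficient erasure for SSDs (use the drive's sanitise/crypto-erase command).
"""
import secrets

BLOCK_SIZE = 512  # constructed for the example


class ToyDisk:
    """A flat image of fixed-size blocks plus a directory table kept separately."""

    def __init__(self, blocks: int) -> None:
        self.image = bytearray(blocks * BLOCK_SIZE)
        self.directory: dict[str, list[int]] = {}   # filename -> block numbers
        self.free = list(range(blocks))

    def write_file(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)         # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.image[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.directory[name] = blocks

    def delete_file(self, name: str) -> None:
        """Delete the way most filesystems do: drop the entry, free the blocks,
        leave every byte of content in place."""
        self.free.extend(self.directory.pop(name))

    def quick_format(self) -> None:
        """Quick format: throw away the whole directory table; image untouched."""
        self.directory.clear()
        self.free = list(range(len(self.image) // BLOCK_SIZE))

    def carve(self, pattern: bytes) -> list[int]:
        """What a recovery tool does: ignore the directory, scan the raw image.
        Returns the byte offsets at which the pattern is still present."""
        hits, pos = [], self.image.find(pattern)
        while pos != -1:
            hits.append(pos)
            pos = self.image.find(pattern, pos + 1)
        return hits

    def sanitize(self, passes: int = 1) -> bool:
        """Overwrite every addressable block, then read back and verify.
        Earlier passes write random data; the final pass writes zeros so that
        verification is a simple all-zero read-back of the whole image."""
        total = len(self.image)
        for p in range(passes):
            fill = bytes(total) if p == passes - 1 else secrets.token_bytes(total)
            self.image[:] = fill
        self.directory.clear()
        self.free = list(range(total // BLOCK_SIZE))
        return self.verify_zeroed()

    def verify_zeroed(self) -> bool:
        """Read-back check: erasure is only complete if nothing non-zero remains."""
        return not any(self.image)


def demo() -> dict:
    """Walk one record through delete, quick format and verified overwrite."""
    secret = b"ACCOUNT 1234-5678 BALANCE 9,999.00"   # constructed sample data
    disk = ToyDisk(blocks=64)
    disk.write_file("ledger.txt", secret)
    disk.delete_file("ledger.txt")
    after_delete = len(disk.carve(secret))          # directory says gone, data isn't
    disk.quick_format()
    after_format = len(disk.carve(secret))          # still recoverable
    wiped = disk.sanitize(passes=2)                 # overwrite + read-back verify
    after_wipe = len(disk.carve(secret))
    return {"listed": "ledger.txt" in disk.directory,
            "after_delete": after_delete, "after_format": after_format,
            "wiped": wiped, "after_wipe": after_wipe}


if __name__ == "__main__":
    print(demo())
```

`demo()` reports one carved copy of the record after deletion and again after a quick format, and zero copies only after `sanitize()` has overwritten the image and the read-back check has passed; that read-back step is the verification a certificate of erasure should be backed by.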
Certified third-party suppliers should offer a secure and fully visible chain of custody, from the moment they take possession of the asset through to when the destruction of the item is complete. Ideally, this will involve real-time asset tracking in which the asset is scanned and logged onto a system at every stage of its journey until disposal is recorded.
For each asset, you should expect to receive a certificate of erasure once the data has been wiped and a certificate of destruction once the hardware has been destroyed, each identifying the asset (typically by serial number) so that it can be reconciled against your asset register. Following this process reduces the risk of equipment going missing and provides assurance that the asset has been disposed of properly.
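The scan-and-log chain of custody and the per-asset certificates described above are only useful if the record cannot be quietly altered and if someone checks that every retired asset actually reached the end of the trail. The following is an added example, not code from the article or from Iron Mountain, of a tamper-evident custody ledger: each event is hash-chained to the previous one, and an audit per serial number checks that the required events occurred in order, that the erasure and destruction events carry certificate references, and that timestamps do not run backwards. The event vocabulary (`collected`, `received`, `erased`, `destroyed`), the certificate identifiers and the sample trail are all constructed for the example and are not a published standard.

```python
"""Tamper-evident chain-of-custody ledger for retired IT assets.

Added example (not the article's or any vendor's code). Assumes a hypothetical
event vocabulary and that assets are identified by serial number; the required
sequence and certificate rules are illustrative choices.
"""
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass, field

REQUIRED_SEQUENCE = ["collected", "received", "erased", "destroyed"]
CERTIFIED_EVENTS = {"erased", "destroyed"}   # must carry a certificate reference
GENESIS = "0" * 64


@dataclass
class Event:
    serial: str
    event: str
    actor: str
    timestamp: str                  # ISO-8601 UTC; constructed for the example
    certificate: str | None = None  # e.g. certificate of erasure/destruction id
    prev_hash: str = ""
    hash: str = field(default="", init=False)

    def compute_hash(self) -> str:
        """SHA-256 over every field except the hash itself, in a canonical form."""
        body = {k: v for k, v in self.__dict__.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLedger:
    def __init__(self) -> None:
        self.events: list[Event] = []

    def append(self, serial: str, event: str, actor: str, timestamp: str,
               certificate: str | None = None) -> Event:
        """Record a scan at one stage of the journey, chained to the prior record."""
        prev = self.events[-1].hash if self.events else GENESIS
        e = Event(serial, event, actor, timestamp, certificate, prev_hash=prev)
        e.hash = e.compute_hash()
        self.events.append(e)
        return e

    def verify_chain(self) -> bool:
        """True only if no record has been altered, inserted or removed."""
        prev = GENESIS
        for e in self.events:
            if e.prev_hash != prev or e.compute_hash() != e.hash:
                return False
            prev = e.hash
        return True

    def audit_asset(self, serial: str) -> list[str]:
        """Findings for one asset; an empty list means its trail is complete."""
        trail = [e for e in self.events if e.serial == serial]
        findings: list[str] = []
        seen = [e.event for e in trail if e.event in REQUIRED_SEQUENCE]
        if seen != REQUIRED_SEQUENCE:
            findings.append(f"{serial}: expected {REQUIRED_SEQUENCE}, got {seen}")
        for e in trail:
            if e.event in CERTIFIED_EVENTS and not e.certificate:
                findings.append(f"{serial}: '{e.event}' recorded without certificate")
        for a, b in zip(trail, trail[1:]):
            if b.timestamp < a.timestamp:
                findings.append(f"{serial}: '{b.event}' timestamped before '{a.event}'")
        return findings


def demo() -> dict:
    """Constructed sample: one complete trail, one that stops short and lacks a
    certificate, then a tampered record that the chain check catches."""
    ledger = CustodyLedger()
    ledger.append("SN-0001", "collected", "courier", "2022-11-01T09:00:00Z")
    ledger.append("SN-0002", "collected", "courier", "2022-11-01T09:05:00Z")
    ledger.append("SN-0001", "received", "itad-intake", "2022-11-01T14:00:00Z")
    ledger.append("SN-0002", "received", "itad-intake", "2022-11-01T14:01:00Z")
    ledger.append("SN-0001", "erased", "wipe-station-3", "2022-11-02T10:00:00Z",
                  certificate="COE-1001")
    ledger.append("SN-0002", "erased", "wipe-station-3", "2022-11-02T10:30:00Z")
    ledger.append("SN-0001", "destroyed", "shredder-a", "2022-11-03T08:00:00Z",
                  certificate="COD-2001")
    intact = ledger.verify_chain()
    findings = {s: ledger.audit_asset(s) for s in ("SN-0001", "SN-0002")}
    ledger.events[4].certificate = "COE-9999"     # after-the-fact edit of a record
    return {"intact": intact, "findings": findings,
            "tampered_detected": not ledger.verify_chain()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the sample, SN-0001 audits clean, SN-0002 is flagged twice (never destroyed, and erased with no certificate on file), and editing an old certificate reference breaks the hash chain so the ledger no longer verifies. A real deployment would also have the ITAD supplier sign each record, but the completeness audit is what turns a pile of certificates into evidence that nothing went missing.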
Cybersecurity is the chief concern in many boardrooms today, but vigilant management of physical assets must never be overlooked. The most advanced cybersecurity system in the world will not be enough to protect your data if a piece of hardware containing sensitive information finds its way into the wrong hands. Asset life cycle management (ALM) is core to any data security framework in the digital age and is an element that no business can afford to be careless with.