UK firms must learn to destroy confidential data when IT equipment reaches the end of its working life
Too many UK firms fail to destroy confidential data before decommissioning old IT equipment, placing staff, customers and partners at risk of fraud or further serious security breaches.
This problem, say organisers of the Infosecurity Europe show, can only be solved through better education on security policies.
Out of sight, out of mind
Research released on Monday by Osirium, a privileged user and infrastructure management company, shows that at least 40 percent of organisations are not confident that all their data is deleted before their computers are disposed of, and that seven percent of companies in the finance and retail sectors did not delete data at all.
This, according to Claire Sellick, Infosecurity Europe‘s event director, makes it clear that something needs to be done.
“It speaks volumes that 7 percent of businesses in the finance and retail sectors do not delete their data at all prior to disposal of their machines. As well as being unwise, the businesses are almost certainly in breach of the Data Protection Act – which mandates that companies look after customer and similar personal data,” she said.
In a statement, Osirium said that corporate devices have varied levels of confidential data and company-specific settings stored on them, as well as access credentials, all of which are recoverable. “In the wrong hands it could be possible to not only gain access to the networks through recovered group admin credentials but also to compromise data which could constitute a serious data privacy breach,” said the company.
“Ensuring data deletion processes are followed to the letter is critical, because if identified administration passwords turn out to be group administration credentials then it allows hackers to access other, similar, devices – and if these credentials are also used across multiple vendor devices then the risk is further extended,” added Osirium.
“Even if organisations use IT asset disposal companies their data might not be deleted,” said David Guyatt, CEO at Osirium, “The companies offering these services are of course strong on disk wiping & disposal processes but do they have deeper knowledge of all the differing infrastructure devices, so they don’t overlook, or not even be aware of, something that needs to be wiped? I doubt it.”
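The two Osirium points above (that deletion must be verified rather than assumed, and that a disk-wiping vendor may miss data the customer never told it about) come down in practice to one check: before a drive leaves the building, read it back and confirm nothing recoverable remains. The following is an added example, not code from Osirium, Infosecurity Europe or Computer Aid, of such a verification scan. It assumes a raw disk image or block device readable as a file, treats a block as wiped only if every byte is 0x00 (or every byte is 0xFF, which some erase routines leave behind), and reports any other block together with printable strings found in it. The function names, the block size and the leftover device-config fragment used as sample data are all constructed for the example.

```python
"""Verify that a disk image has actually been wiped before the drive is disposed of.

Added example (not from the article or the companies it quotes). Assumes a raw
image or block device readable as a file. A block counts as wiped only if it is
all 0x00 or all 0xFF; anything else is reported, with any printable strings it
contains, so a forgotten config file or credential shows up in the output.
"""
import os
import re
import tempfile

BLOCK_SIZE = 4096                               # illustrative; match the device's sector/page size
PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")     # runs of 8+ printable ASCII bytes


def block_is_wiped(block: bytes) -> bool:
    """True if the block is uniformly 0x00 or uniformly 0xFF."""
    return block == b"\x00" * len(block) or block == b"\xff" * len(block)


def scan_image(path, block_size=BLOCK_SIZE, max_findings=20):
    """Read the whole image block by block and summarise residual data.

    Returns a dict with the block count, the number of non-wiped blocks, a
    boolean 'wiped' verdict, and up to max_findings entries giving the byte
    offset of a dirty block and the first printable strings found in it.
    """
    findings = []
    total = dirty = 0
    offset = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(block_size)
            if not block:
                break
            total += 1
            if not block_is_wiped(block):
                dirty += 1
                if len(findings) < max_findings:
                    strings = [m.group().decode("ascii")
                               for m in PRINTABLE.finditer(block)][:3]
                    findings.append({"offset": offset, "strings": strings})
            offset += len(block)
    return {"blocks": total, "dirty_blocks": dirty,
            "wiped": dirty == 0, "findings": findings}


def make_constructed_image(path, wiped: bool) -> None:
    """Write a small constructed test image: 4 zero blocks, 1 middle block,
    3 0xFF blocks. For the 'dirty' case the middle block holds a made-up
    fragment of a network device config (not a real credential)."""
    with open(path, "wb") as fh:
        fh.write(b"\x00" * BLOCK_SIZE * 4)
        if wiped:
            fh.write(b"\x00" * BLOCK_SIZE)
        else:
            leftover = (b"enable secret 5 $1$example$hashgoeshere\n"
                        b"hostname core-sw-01\n")
            fh.write(leftover.ljust(BLOCK_SIZE, b"\x00"))
        fh.write(b"\xff" * BLOCK_SIZE * 3)


def demo():
    """Scan one properly wiped and one partially wiped constructed image."""
    with tempfile.TemporaryDirectory() as d:
        wiped_path = os.path.join(d, "wiped.img")
        dirty_path = os.path.join(d, "dirty.img")
        make_constructed_image(wiped_path, wiped=True)
        make_constructed_image(dirty_path, wiped=False)
        return scan_image(wiped_path), scan_image(dirty_path)


if __name__ == "__main__":
    good, bad = demo()
    print("wiped image passes:", good["wiped"])
    print("dirty image passes:", bad["wiped"], "findings:", bad["findings"])
```

On a real decommissioning this is run against the device itself (for example `/dev/sdX`) after the wipe, and a non-empty findings list is a reason to stop the disposal. Its limit is exactly the one Guyatt raises: it only proves that the storage the host can read is blank. Remapped or over-provisioned flash blocks, and the configuration store of a switch, firewall or other infrastructure device, are not on that path and need their own vendor-specific erase and check.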
“This Osirium research data confirms a study reported by Computer Aid International earlier in the month, which found that a third of major businesses have decommissioned computers containing data that are completely unaccounted for,” added Sellick.
Security a primary concern
The charity’s research, the Infosecurity Europe event director explained, found that 39 percent of the UK’s largest companies do not wipe the data from all their unwanted PCs, and 57 percent could not account for all their redundant PCs.
And, although 68 percent of respondents said that data security was their primary concern when decommissioning computers, only 61 percent actually wiped all the data from their redundant kit.
“Both sets of research point to the fact that a sizeable minority of managers are unaware of the reasons why they need to delete data from end-of-life computers, which suggests a blissful ignorance of the Data Protection Act. Our own observations at Infosecurity Europe, however, are that once IT professionals are trained to understand why they need to protect their data, they will take the necessary action to defend their digital data assets,” said Sellick.