The Risks of Not Having a Business Data Destruction Policy

Date September 22, 2021

Highlights from the September 23, 2021 webinar in the HBK Risk Advisory series, “Assessing Cybersecurity Risks,” hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Manager, HBK Risk Advisory Services, and featuring Jennifer Lamar, CEO, and Kevin Lamar, VP of Business Development, Northern Shore Services.

Businesses need to develop and maintain a policy for disposing of and destroying obsolete data, and often, the devices used to create and store that data. The webinar focused on data disposal and destruction techniques.

• Northern Shores Services provides third-party data disposal and destruction services, including policies and procedures for identifying and destroying obsolete data and, where necessary, data devices. Services are provided on-site or off-site and include auditable reporting, compliance, and secure data destruction.

• Data destruction/media sanitization defined: the process of eradicating data found on storage media, either by destroying the media itself or by rendering the data inaccessible.

• Case study: Morgan Stanley’s $60 million Office of the Comptroller of the Currency (OCC) civil penalty for failure to exercise proper oversight of the 2016 decommissioning of two wealth management data centers:

– The bank failed to effectively evaluate or address the risks associated with its hardware.

– It neglected to adequately assess the risk of subcontracting the decommissioning work.

– It lacked adequate due diligence in selecting a vendor and monitoring its performance.

– There were deficiencies in maintaining appropriate inventory of customer data stored on the decommissioned hardware.

– The OCC found the deficiencies constituted unsafe or unsound practices and resulted in noncompliance with “Interagency Guidelines Establishing Information Security Standards.”

– Downstream vendors included three players, one of which provided a certificate of indemnification falsely described as a certificate of destruction. The data mismanagement came to light when a buyer of the old devices found Morgan Stanley data on the storage devices he had purchased. Businesses must be sure their providers are doing what they say they are doing.

• Exposure to data issues is often related to:

– The introduction of new technology

– Required upgrades to existing equipment

– Changes in staffing levels and office locations

– Compliance with corporate IT policy revisions

– Revisions to business models based on industry regulations

• Benefits of data destruction and asset recycling:

– Freeing up digital space

– Removing outdated IT assets

– Eliminating environmental and safety concerns associated with storage of old IT assets

– Security: prevent a potential data breach by destroying old information

– Reducing the time spent securing old data and maintaining obsolete inventory

– Convenience: can choose destruction onsite or offsite at vendor’s location

• According to the National Institute of Standards and Technology’s “Guidelines for Media Sanitization” in publication 800-88 revision 1, it’s the responsibility of the information owners to identify data categories and confidentiality levels, and determine the level of media sanitization required for their organization.

• To determine the appropriate method for sanitization, the organization should:

– Categorize the security level of the information

– Assess the media on which it’s stored

– Evaluate the risk to confidentiality

– Determine the future of the media

• Do a cost-benefit analysis before determining your method of sanitization

• Assume that if you don’t know what type of data you have or where it’s stored, you’re exposed.

• Optical discs (CDs), magnetic hard drives, and flash-memory SSDs require different methods of physical destruction. A drive holding more information takes longer to erase or overwrite. You must have access to the equipment and software needed to erase or destroy the media.

• An important factor in an organization’s sanitization decision is its responsibility for control over and access to its media.

• One organization can have several different data protection policies.

• Managers involved in developing a policy to accomplish information security include the CIO, the information system owner, an information steward, and a senior agency information security officer.

– A computer/information system security manager performs daily security implementation and administrative duties and coordinates security efforts.

– A property management officer ensures accountability for sanitizing media and devices to be redistributed internally, donated, or destroyed.

– A records management officer advises data owners of retention requirements.

– A privacy office provides guidance regarding privacy issues associated with the disposition of sensitive information.

– Users must know and understand the confidentiality of the information associated with their assignments.

• Actions taken to sanitize media include clear, purge, and destroy.

– Clear: applies logical techniques to sanitize data in all user-addressable storage locations, protecting against non-invasive data recovery.

– Purge: applies physical or logical techniques that render targeted data recovery infeasible using state-of-the-art techniques.

– Destroy: renders targeted data recovery infeasible using state-of-the-art lab techniques and leaves the media unusable for data storage.

– Choose the action based on what ultimately preserves the confidentiality of the data.

• Documentation: Once sanitization is completed, a certificate of media disposition should be created—a hard copy or an electronic record. It should include:

– Media information: manufacturer, model, type, serial numbers etc.

– System information, such as property tag or ID numbers

– Sanitization description (clear, purge, or destroy)

– Sanitization method (degauss, erasure, crushing, etc.)

– Verification method (full, spot check, etc.); if you use an erasure method, it must be verified in some way

– Date, time, and location

– Name, title, and signature of person performing the sanitization

• The format of the documentation is not as important as the content.

• Disposal/destruction techniques:

– Data wiping or overwriting: replacing stored data by writing meaningless data across the storage area

– Physical destruction: degaussing subjects the media to an intense magnetic field with the intent of eradicating the data

– Shredding: using a strip-cut or cross-cut shredder to reduce the media to a specified particle size

– IT asset recycling: domestic recycling includes sorting, dismantling, mechanical separation, and recovery of valuable materials

• Consumer data-bearing devices: if you dispose of, say, a smart TV, make sure your data is no longer stored on it.

• A major hurdle to getting started on the project is identifying the information on the drive. As a first step, look at the age of the information and determine the type of information stored.
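The following is an added example, not material from the webinar or from NIST SP 800-88: it models the "clear" action on a constructed in-memory media image, performs the full or spot-check verification the certificate must record, assembles the certificate of media disposition from the fields listed above, and checks the certificate for completeness, including the rule that an erasure method must be accompanied by a verification method. The `MediaImage` class, the field names, and the sample vendor and tag values are this example's own assumptions.

```python
"""Added example: toy media 'clear', verification, and certificate of media disposition.
Not code from HBK, Northern Shores Services, or NIST; names and sample values are constructed."""
from datetime import datetime, timezone
from typing import Optional, Tuple
import secrets

# Certificate fields taken from the documentation list above (field names are this example's choice).
REQUIRED_FIELDS = ("manufacturer", "model", "media_type", "serial_number", "property_tag",
                   "action", "method", "verification", "timestamp", "location",
                   "performed_by", "title")
ACTIONS = {"clear", "purge", "destroy"}
# Methods that erase rather than physically destroy, and therefore must be verified.
ERASURE_METHODS = {"overwrite", "block erase", "crypto erase"}


class MediaImage:
    """Constructed stand-in for a storage device: a byte array divided into fixed-size sectors."""

    def __init__(self, sectors: int, sector_size: int = 512):
        self.sector_size = sector_size
        # Random fill so stale data is distinguishable from the overwrite pattern.
        self.data = bytearray(secrets.token_bytes(sectors * sector_size))

    @property
    def sectors(self) -> int:
        return len(self.data) // self.sector_size

    def sector(self, i: int) -> bytes:
        return bytes(self.data[i * self.sector_size:(i + 1) * self.sector_size])


def clear_overwrite(media: MediaImage, pattern: bytes = b"\x00") -> str:
    """'Clear': write a fixed pattern over every user-addressable sector. Returns the method name."""
    block = pattern * media.sector_size
    for i in range(media.sectors):
        media.data[i * media.sector_size:(i + 1) * media.sector_size] = block
    return "overwrite"


def verify_overwrite(media: MediaImage, pattern: bytes = b"\x00",
                     sample: Optional[int] = None) -> Tuple[bool, str]:
    """Verify the overwrite: sample=None reads every sector ('full'), otherwise a random spot check."""
    n = media.sectors
    if sample is None:
        indexes = range(n)
    else:
        indexes = sorted(secrets.SystemRandom().sample(range(n), min(sample, n)))
    expected = pattern * media.sector_size
    ok = all(media.sector(i) == expected for i in indexes)
    how = "full" if sample is None else f"spot check ({len(indexes)} of {n} sectors)"
    return ok, how


def build_certificate(media_info: dict, property_tag: str, action: str, method: str,
                      verification: str, performed_by: str, title: str, location: str) -> dict:
    """Assemble the certificate of media disposition as a plain record (printable or electronic)."""
    cert = dict(media_info)
    cert.update(property_tag=property_tag, action=action, method=method, verification=verification,
                timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
                location=location, performed_by=performed_by, title=title)
    return cert


def certificate_problems(cert: dict) -> list:
    """Reasons a certificate is unacceptable; an empty list means every required element is present."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not cert.get(f)]
    if cert.get("action") and cert["action"] not in ACTIONS:
        problems.append(f"unknown action: {cert['action']}")
    # The page's rule: an erasure method must be verified in some way.
    if cert.get("method") in ERASURE_METHODS and cert.get("verification") in (None, "", "none"):
        problems.append("erasure method recorded without a verification method")
    return problems


if __name__ == "__main__":
    disk = MediaImage(sectors=64)
    method = clear_overwrite(disk)
    ok, how = verify_overwrite(disk, sample=8)
    cert = build_certificate({"manufacturer": "ExampleCo", "model": "X1", "media_type": "HDD",
                              "serial_number": "SN-CONSTRUCTED-0001"},
                             "TAG-42", "clear", method, how if ok else "none",
                             "J. Doe", "Systems Administrator", "Lab 3")
    print(cert, certificate_problems(cert))
```

Because the verification result feeds the certificate, a failed or skipped verification leaves the record incomplete and `certificate_problems` reports it, which is the check a reviewer of a vendor's paperwork would want automated.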

Speak to one of our professionals about your organizational needs


GRC: Just Another Acronym?

Date October 8, 2019

Governance, Risk Management and Compliance (GRC) is a methodology that gives organizations an integrated approach to maintaining cyber security. Although the three components are often considered separately, GRC is most effective when executed in its entirety as a single, three-pronged initiative.

  • Governance is the process ensuring effective and efficient use of Information Technology (IT) to enable an organization to achieve its fundamental goals.
  • Risk Management is the process of identifying, assessing and managing risk as a way to help achieve an organization’s objectives and based on its tolerance for threats — in short, clearly establishing the company’s risk acceptance or risk avoidance.
  • Compliance involves adhering to accepted practices, rules and regulations within a business at an industry or governmental level, or both.

GRC should be approached holistically, as should any control or protocol an organization establishes to mitigate a risk. That is, the cost to implement the control should be less than the cost of actual exposure to the risk being mitigated. GRC expands this calculation by also counting the costs of non-compliance, namely fines and penalties.

The culmination of Governance, Risk Management and Compliance occurs when IT policies help convert the desired behaviors of team members into a formal, successful cyber security plan.

HBK Risk Advisory Services can help you design and develop your own GRC program to protect your business. Contact Bill Heaven at 330-758-8613; or via email at wheaven@hbkcpa.com. As always, HBK is here to answer your questions and discuss your concerns.


New Bluetooth Vulnerability: Hackers Could Spy on You

Date August 27, 2019

Millions of us use Bluetooth wireless communications every day—to make phone calls when driving, with our fitness trackers, streaming at work or play. Innocent enough, seemingly. But no technology comes without a warning: a recently discovered Bluetooth vulnerability allows hackers to spy on your conversations or take control of your smart phone. The vulnerability deals with the encryption between two devices. It even has a name—a KNOB hack (Key Negotiation Of Bluetooth).

This is not the first time Bluetooth has been hacked, and it likely won’t be the last. This one has its limitations: to take advantage of the KNOB vulnerability, the attacker has to be in close proximity to your phone. There is also currently no evidence that this vulnerability has been exploited maliciously.

Still, for the sake of cyber hygiene, take the following steps to protect yourself from a KNOB hack:
• Install updates for your smart phone as they become available.
• Remove devices paired with your phone that you no longer need or recognize.
• Turn off Bluetooth when you are not using it.

iPhone users can manage Bluetooth from the Control Center or within Settings, including removing paired devices via the information icon under the “My Devices” section of the Bluetooth settings. Android smart phones have similar capabilities.

For more suggestions for strengthening your IT security posture, see our article “Cyber Hygiene: It’s a Real Thing”.

HBK Risk Advisory Services can help you with your cyber hygiene. Call us at 330-758-8613 or email me at WHeaven@hbkcpa.com. As always, we’re happy to answer your questions and discuss your concerns.


Is Your Anti-Virus Software Functioning as Intended?

Date June 4, 2019

Most people know basic information about anti-virus software and that it is crucial for cybersecurity. However, it’s often mistakenly believed that anti-virus software is the only cybersecurity defense component required to protect your computer system.

Anti-virus does play a very important role within a multi-layered cybersecurity strategy. However, we are providing this overview to underscore and verify that this component is merely one part of protecting your computer environment.

From a 50,000-foot view, anti-virus software operates in the following manner: it checks a table of known virus definitions against all the files stored on a computer system in order to flag a potential virus. Flagging is achieved either through signature-based or heuristic-based analysis.

A file signature is a unique identifying number located in the file’s header that identifies the type of file and data contained within that file. Heuristics refers to an algorithm that is used to find previously unknown viruses (i.e. those not yet listed on the virus definition table).

There are two main anti-virus operational modes currently in use to check files on a computer system:

  1. Full System Scan. Runs on an automatic schedule or is started manually. This mode also includes a “quick scan,” which checks only the files whose signature has changed since the previous Full System Scan.
  2. Background Processing. As its name indicates, this process runs in the background on your computer, checking every file as it is opened. It is often referred to as “Real-Time Protection”.
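The following is an added example, not code from the article or from any anti-virus product: a toy scanner over constructed in-memory "files" that shows the two modes named above. A full scan hashes every file against a definitions table (falling back to a simple heuristic for unknown content), a quick scan rechecks only files whose content hash differs from the baseline recorded at the last full scan, and an on-open check stands in for real-time protection. The definitions table, the marker the heuristic looks for, and all file names and contents are constructed here.

```python
"""Added example: toy signature- and heuristic-based scanner with full, quick and on-open modes.
Not code from HBK or any anti-virus vendor; definitions, marker and files are constructed."""
import hashlib
from typing import Dict, List, Optional, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed definitions table: hash of known-bad content -> detection name.
# Real products use far richer signatures; these are hashes of the sample byte strings below.
DEFINITIONS = {
    sha256(b"CONSTRUCTED-BAD-SAMPLE-1"): "Test.Sample.A",
    sha256(b"CONSTRUCTED-BAD-SAMPLE-2"): "Test.Sample.B",
}


def heuristic(data: bytes) -> Optional[str]:
    """Toy heuristic: flag content carrying a marker the definitions table does not list yet."""
    return "Heur.Marker" if b"CONSTRUCTED-BAD-" in data else None


class Scanner:
    def __init__(self, definitions: Dict[str, str]):
        self.definitions = definitions
        self.baseline: Dict[str, str] = {}  # path -> content hash at the last full scan

    def check(self, data: bytes) -> Optional[str]:
        """Signature match first, then heuristic; None means clean."""
        return self.definitions.get(sha256(data)) or heuristic(data)

    def full_scan(self, files: Dict[str, bytes]) -> Dict[str, str]:
        """Check every file and record the baseline the next quick scan compares against."""
        self.baseline = {path: sha256(data) for path, data in files.items()}
        return {path: det for path, data in files.items() if (det := self.check(data))}

    def quick_scan(self, files: Dict[str, bytes]) -> Tuple[Dict[str, str], List[str]]:
        """Recheck only files new or changed since the last full scan; also report what was rechecked."""
        changed = {path: data for path, data in files.items()
                   if self.baseline.get(path) != sha256(data)}
        flagged = {path: det for path, data in changed.items() if (det := self.check(data))}
        return flagged, sorted(changed)

    def on_open(self, data: bytes) -> Optional[str]:
        """'Real-time protection': check a single file as it is opened."""
        return self.check(data)


if __name__ == "__main__":
    s = Scanner(DEFINITIONS)
    disk = {"a.txt": b"hello", "b.bin": b"CONSTRUCTED-BAD-SAMPLE-1", "c.bin": b"CONSTRUCTED-BAD-NEW-VARIANT"}
    print("full:", s.full_scan(disk))
    disk["a.txt"] = b"hello world"
    print("quick:", s.quick_scan(disk))
```

The quick scan is only as good as its baseline: if definitions are updated after the last full scan, an unchanged file that now matches a new signature is not rechecked until the next full scan, which is one reason the article insists on keeping definitions current and scans running.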

There are many anti-virus options available to consumers, including both free and paid products. Virus detection rates vary among these choices and can fluctuate over time. Therefore, do not expect there to be only one solution that is consistently proven as the ultimate anti-virus product available. A consistent “Number One” has not yet materialized.

There are numerous anti-virus comparison sites searchable on the web. Also, it’s important to remember that if your anti-virus definition files are not updated regularly, or if the anti-virus function is disabled by users of your computer system, you may not be receiving the protection you assume.

Action Items:

  1. If you do not already use anti-virus software, research options within your price range and choose a solution that fits your needs.
  2. Implement the anti-virus software system on your network.
  3. Periodically ensure that your anti-virus software is running as intended. This means the virus definition table will be updated frequently and that it will be consistently used on all computers within your network.
  4. HBK Risk Advisory Services can assist you with your data backup or Cybersecurity questions and needs. Please contact Bill Heaven at WHeaven@hbkcpa.com


Data Backup: Do You Have a Reliable Process in Place?

Date April 26, 2019

Most people know they should regularly back up their data. However, they often ignore this advice entirely, or sometimes establish a data backup process without first verifying that the process works.

As our reliance on computers (and data) continues to increase, events such as an equipment failure, malware, a virus, ransomware, a user error or a disaster can result in significant data loss. The impact of such a data loss could be devastating.

How long could your business remain profitable after a permanent loss of data?

According to a recent BBB survey of small businesses, only 35% of companies could remain profitable for more than three months following a data loss, and more than half would be unprofitable in less than a month.

There are two main backup categories: Onsite and Remote. Each contains multiple backup options. Within the main categories, the types of data backups are: full, incremental and differential. They are defined as:

  • Full Backup – A complete copy of all available data.
  • Incremental Backup – A copy of only the data that has changed since the last backup of any type.
  • Differential Backup – A copy of only the data that has changed since the last full backup.

Properly leveraging these backup strategies and solutions is critical to reducing exposure to potential data loss and disrupted operations. Additionally, your backups should be tested periodically to ensure that they are working properly and backing up data in its entirety.
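The following is an added example, not code from the article or from any backup product: it models the three backup types defined above over a constructed set of files and then performs the "test restore" the article asks for, comparing the restored state with the live data. An incremental captures what changed since the last backup of any type, a differential what changed since the last full backup, and the restore applies the last full backup followed by either the latest differential or the chain of incrementals. The `Backup` and `BackupChain` names and the sample files are this example's own assumptions.

```python
"""Added example: full, incremental and differential backups over a constructed file set,
with a test restore. Not code from HBK or any backup vendor; file contents are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Backup:
    kind: str               # "full", "incremental" or "differential"
    files: Dict[str, bytes]  # path -> content captured by this backup
    deleted: Set[str]        # paths present at the reference point but gone at backup time
    snapshot: Dict[str, str]  # path -> content hash of the whole source at backup time


def changed_since(source: Dict[str, bytes], reference: Optional[Dict[str, str]]) -> Tuple[Dict[str, bytes], Set[str]]:
    """Files new or modified relative to a reference snapshot, plus paths deleted since it."""
    if reference is None:                       # a full backup copies everything
        return dict(source), set()
    changed = {p: d for p, d in source.items() if reference.get(p) != fingerprint(d)}
    return changed, set(reference) - set(source)


class BackupChain:
    def __init__(self) -> None:
        self.backups: List[Backup] = []

    def _reference(self, kind: str) -> Optional[Dict[str, str]]:
        """Snapshot each backup type compares against: none, last full, or last backup of any type."""
        if kind == "full":
            return None
        if kind == "differential":
            fulls = [b for b in self.backups if b.kind == "full"]
            if not fulls:
                raise ValueError("differential backup requires a prior full backup")
            return fulls[-1].snapshot
        if kind == "incremental":
            if not self.backups:
                raise ValueError("incremental backup requires a prior backup")
            return self.backups[-1].snapshot
        raise ValueError(f"unknown backup type: {kind}")

    def run(self, kind: str, source: Dict[str, bytes]) -> Backup:
        files, deleted = changed_since(source, self._reference(kind))
        backup = Backup(kind, files, deleted, {p: fingerprint(d) for p, d in source.items()})
        self.backups.append(backup)
        return backup

    def restore(self) -> Dict[str, bytes]:
        """Rebuild the latest state from the last full backup and the backups needed after it."""
        full_idx = max(i for i, b in enumerate(self.backups) if b.kind == "full")
        after = self.backups[full_idx + 1:]
        # The latest differential already holds every change since the full backup, so it
        # supersedes earlier incrementals; incrementals after it must still be applied in order.
        diffs = [i for i, b in enumerate(after) if b.kind == "differential"]
        if diffs:
            after = after[diffs[-1]:]
        state = dict(self.backups[full_idx].files)
        for b in after:
            state.update(b.files)
            for p in b.deleted:
                state.pop(p, None)
        return state

    def test_restore(self, source: Dict[str, bytes]) -> bool:
        """The article's test restore: the restored data must match the live source exactly."""
        return self.restore() == source


if __name__ == "__main__":
    chain, src = BackupChain(), {"ledger.csv": b"1", "notes.txt": b"2"}
    chain.run("full", src)
    src["ledger.csv"] = b"1,2"
    print(chain.run("incremental", src).files)   # only ledger.csv
    print("restore ok:", chain.test_restore(src))
```

Running the test restore against the live source, rather than merely confirming that the backup job finished, is what distinguishes a process that "works" from one that only appears to.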

Action Items:

  1. Research and choose the data backup category and type that you plan to use.
  2. Establish a data backup schedule (Backup Regularly).
  3. Periodically test your backup (Perform a Test Restore).

HBK Risk Advisory Services can assist you with your data backup or Cybersecurity questions and needs. Please contact Bill Heaven at BHeaven@hbkcpa.com


Don’t Pass on Password Managers


Recent Cyber Security industry statistics show that weak, default, or stolen passwords are involved in up to 80% of data breaches each year.

Passwords figure prominently in many of our daily functions, such as logging onto work computers, doing online banking, sending email, accessing social media accounts and making most online shopping possible. A consistent, clear, repeated warning from Cyber Security experts and insiders is that creating complex passwords (i.e. composed of upper- and lower-case letters, numbers, and special characters) that are unique and lengthy is one way to ensure safe online activity.

Practicing healthy Cyber Security hygiene by implementing unusual passwords is outstanding in theory; it’s just that the average person has multiple password-protected accounts. Remembering which password aligns with each one of those accounts can be a challenge. That’s why using a password manager is helpful.

Advantages of Password Managers:

    1. It provides a centralized password storage location (i.e. vault) – with only a master password to remember.
    2. It is able to automatically generate strong passwords for all of your accounts requiring a password.
    3. It is equipped with strong encryption, which protects your vault.
    4. It can simultaneously support multiple devices.
    5. It offers the ability to safely store other sensitive information, such as credit card numbers, in the vault.
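The following is an added example, not code from the article or from any password manager: it generates passwords that satisfy the complexity rule the article states (upper- and lower-case letters, digits, special characters, long and unique), reports the entropy such a password carries, flags passwords reused across accounts, and derives a vault key from a master password with scrypt, illustrating why a vault protected by strong encryption cannot be opened, or reset by the provider, without the master password. The minimum length, the character classes, and the scrypt parameters are this example's own choices.

```python
"""Added example: password policy check, CSPRNG generation, reuse detection and a scrypt-derived
vault key. Not code from HBK or any password manager; parameters are this example's choices."""
import hashlib
import math
import secrets
import string
from typing import Iterable, Set

# The article's character classes: lower, upper, digits, special characters.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def meets_policy(password: str, min_length: int = 16) -> bool:
    """True when the password is long enough and contains at least one character from every class."""
    return len(password) >= min_length and all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 20) -> str:
    """Draw uniformly from the OS CSPRNG and redraw until every class is present."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of this length over this alphabet, in bits."""
    return length * math.log2(alphabet_size)


def reused(passwords: Iterable[str]) -> Set[str]:
    """Passwords used for more than one account: the 'unique' part of the rule."""
    seen: Set[str] = set()
    duplicates: Set[str] = set()
    for pw in passwords:
        (duplicates if pw in seen else seen).add(pw)
    return duplicates


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Derive a 32-byte vault key with scrypt (n=2**14, r=8, p=1 here). Only the master password
    reproduces it, which is why a lost master password generally cannot be recovered or reset."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, meets_policy(pw), f"{entropy_bits(20):.1f} bits")
    print(reused(["hunter2", "Tr0ub4dor&3", "hunter2"]))
    salt = secrets.token_bytes(16)  # a real manager stores the salt alongside the vault
    print(derive_vault_key("constructed master passphrase", salt).hex())
```

With 94 characters per position, a 20-character generated password carries roughly 131 bits of entropy, far more than a memorable phrase; the master password is the one place where the human-chosen trade-off described in the action items below still applies.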

There are several good, highly-recommended options to choose from such as LastPass, Keeper, Dashlane and 1Password. Be sure to research each of the tools you are considering before making your decision to ensure that you are comfortable with the features and capabilities of the password manager you ultimately pick.

Action Items:

  1. Research and choose a reliable Password Manager.
  2. Choose a long and complex Master Password (Remember, with a Password Manager, you only need to remember one).
  3. Be sure to take precautions to remember your new Master Password, such as selecting one that has meaning to you but does not necessarily lend itself to hackers.
     Note: This is important because most providers have little or NO ability to assist you with finding/resetting a lost or forgotten Master Password.
  4. Begin using your Password Manager as soon as possible and migrate all of your existing passwords to it.

HBK can assist you with questions on this or any other Cyber Security topic. For more information, contact William Heaven at WHeaven@hbkcpa.com.
