Despite firms and individuals becoming increasingly conscious of the importance of cybersecurity, new analysis has revealed that inadequate disposal of data and digital devices is posing a potentially catastrophic threat.
Gone are the days where a good shredder was sufficient to keep documents and information from unwanted eyes. Data, and its storage, now goes right to the nucleus of any business – meaning that, in the wrong hands, it data can be destructive.
Simply deleting data from the hard drive of a device before disposal is not sufficient, according to analysis from professional services firm Alvarez & Marshal (A&M).
They conducted in-depth forensic analysis across six used devices purchased on an online marketplace. The analysis found sensitive and highly personal data on 80% of the devices.
The project’s aim was to expose the dangers of inadequate data disposal in business and private settings and demonstrate how failure to properly dispose of redundant IT equipment can lead to data breaches, which not only violate data protection laws, but can also result in financial fraud, with devastating impacts on companies’ finances and reputation.
A&M was able to recover 5,875 user-generated documents across the six devices. The majority of those items came from carved data (i.e., deleted data on the hard drives of the laptops), with a few documents still sitting on the hard drives, undeleted.
The vast majority of the data recovered by the A&M team contained highly personal and sensitive information; such as scans of valid passports, as well as various appraisal forms and job application forms detailing personal identifiable details including full names, National Insurance numbers, addresses, emails, date of births, and other sensitive data. In addition, 366 files analysed on the devices by the A&M team included business-related keywords.
Graeme Buller, Director at A&M, explained:
“The rise of bring-your-own-device (BYOD) and remote working are increasingly blurring the lines between personal and business use of devices, exacerbating concerns around data security and the lifecycle management of IT assets. While only 6% of the files recovered in our analysis contained business-related information, the very fact that they made their way onto these personal devices is sincerely worrying. If released into the wrong hands, even what appears to be small, harmless data can have devastating impact on a company.”
Other insights from the document recovery included:
- 155 documents had references to the term “invoice”.
- 100 documents had references to the term “court”.
- 84 files recovered contained the keyword “report”.
- 23 files recovered mentioned the word “appraisal”.
- Images were found that consisted of workplace building ID cards, salaries of employees, invoices, and other internal business correspondence.
- Of the 5,875 documents which were retrieved from the PCs, 366 files included work-related keywords and 4% contained residual data that had been improperly deleted.
- Web-related items accounted for 16% of overall data.
- 2,111 email items were found.
“What may be shocking to many is that the data we captured was done so using software that is actually publicly available to anyone. This highlights how vulnerable our devices really are (even when we believe them to be ‘clean’) and demonstrates the risk that fraudsters and other malicious actors with moderate forensics skills pose today. The key here is making sure all devices are wiped correctly and observe a rigorous data disposal management process.”
A&M shared five best practice tips when it comes to data disposal management:
- Strongly enforce data security policies: To prevent sensitive data from being transmitted outside of secure environments at the first place, company emails and documents should ideally be kept in a secure location and never saved locally to a machine or device.
- Establish and maintain a secure data destruction policy: There should be policies and procedures in place that relate to the secure destruction of data. There should be alignment between Legal, Risk, HR and IT departments to ensure consistent flow of information and to provide clarity around roles and responsibilities for those involved this process.
- Adapt policies for the new business reality: Data disposal policies must be updated to reflect the current remote working environment. New considerations should include how to ensure devices are handed back when an employee leaves the firm, or how to remotely wipe IT assets if they refuse to return the device or in case of loss/theft/replacement. One alternative is to create incentivised pathways for staff to dispose responsibly.
- Ensure all data is securely and effectively wiped: Deletion and formatting – including factory-resets – do not permanently remove the data from the devices. Data sanitisation practices including the use of specialist software should be introduced to ensure all data is properly wiped and cannot be recovered by hackers.
- Ensure companywide training: Ensuring all employees get sufficient training around data destruction, and indeed are educated on the correct way to save data, is key. This should be training across the board and regularly updated to remind employees of the correct procedures, especially as tech continues to evolve.
Join nearly 5,000 other practitioners – sign up to our newsletter