(A story about two different CISO data security plans with real-world application of decommissioning hard drives and the threat of ransomware)
CISO Andrew Data Security Plan: Focused on Ransomware
When Andrew, in California, was appointed Chief Information Security Officer of his company in 2019, he felt a great sense of determination to protect his company from outside threats, such as hackers and ransomware. His CISO data security plan deployed all the best practices for front-end security and got all his employees on board through regularly occurring trainings.
Despite all his care in other areas, Andrew allowed his team to stockpile decommissioned hard drives when they reached end-of-life. Andrew’s team knew not to simply throw the drives away, but they had no long-term plan for the drives. Andrew’s company was growing and needed to move to a new facility a few miles away. At some point in the move, an entire box of hard drives went missing. The box was eventually found, but it had been opened and several hard drives were gone.
Andrew knew this constituted a data breach and that the company would be required to report to consumers that their data had been compromised. Still without a plan to address decommissioned hard drives, Andrew’s company continues to face an ongoing threat of another data breach. Andrew’s front-end is secure but his hard drive disposal handling is a weakness for the company.
CISO Claire Data Security Plan: Guarding against improper hard drive disposal threats
A new CISO in Arizona, Claire, acquired a stockpile of several hundred decommissioned hard drives when she signed on to work for her new company in 2021. Claire knew that the drives were a data security risk, and the consequences of mishandling are real and severe, including regulatory fines, lawsuits, and in some cases, criminal liability.
Claire invested in a Garner Products media destruction cart package to sanitize and destroy the drives. The destruction cart included a 20,000 gauss degausser and a physical destroyer with 10-tons of crushing force. The gauss force easily erased each drive of all data, and the destroyer provided visual confirmation of the sanitization process by bending, breaking, and mangling the hard drives. The degausser and destroyer Claire chose satisfies the data sanitization standards of the highest security entity in the nation, the National Security Agency (NSA).
Like Andrew, Claire worries about ransomware, hackers, and employees with poor security methodologies. She doesn’t however, worry about end-of-life media since she knows that degaussing is a complete and final method of data sanitization. There is nothing to worry about with a degaussed drive since the data simply no longer exists.
CISOs Andrew and Claire: The Takeaway
As a CISO, the data security risks you inherit are your responsibility to handle. You can focus on front-end threats, such as hackers and ransomware and ignore data disposal, or you could have a comprehensive protection strategy that encompasses threats at all stages of your information’s lifetime.
Garner Products designs media sanitization equipment, which include degaussers and destroyers. Degaussers erase all the information on a magnetic hard drive beyond all possibility for recovery. Physical destroyers destroy hard drives and solid-state drives (whose chips cannot be degaussed, but must be physically destroyed). Garner’s enclosed destruction cart (EDC) is an all-in-one solution for data disposal.
Click here to learn more about Garner’s enclosed destruction cart.