Erase Any Trace
The security of confidential data is obviously one of the most important technology issues faced by insurers in this day and age. Fortunately, technology providers offer a variety of ways to help safeguard data from unauthorized intrusion.
Unfortunately, data may also reside in places that are not protected because they are incidental (portable drives), discarded as being archaic (old media or drives from old laptop or desktop PCs), or — worse yet — forgotten.
When most of us think about data loss vulnerability, we think about holes in our firewalls; network problems like Heartbleed (the well-publicized bug that allows attackers to steal passwords, credit card data, Social Security numbers, etc.), or the human frailties that may give rise to social engineering scams. While these are certainly important, however, it is also vital to give some thought to all of the places where potentially valuable data might be stored within our enterprises and within our walls.
One way to address this challenge might be to begin with an inventory of hardware and storage devices on your premises. This would probably involve contacts with virtually all employees, and a thorough investigation into where virtually any company data has been stored. Once you find the devices, it’s a sure bet that some of them will be old, outdated, or otherwise rarely used.
You could then take the time to wipe the data from the drive of each and every storage device (multiple times if you want to make sure it can’t be recovered), or you could take a more draconian approach — just destroy the drives and/or media.
Of course, taking the time and effort to find and destroy every piece of data storage media and hardware within your walls could be a challenge in itself. Some technology vendors, however, will be more than happy to help in this process.
Data Security Inc. of Lincoln, Neb., for example, markets a line of devices designed to destroy both solid-state storage media and hard drives. You can even choose between a manually operated destroyer (uses no electricity) and an automated electric-powered option. The end result is always the same: The unwanted drives and media are crushed beyond any danger of recovery.
“When exposed to the powerful magnetic field of a degausser, the magnetic data on a tape or hard disk is neutralized, or erased.”
Another option to completely erase data-bearing media is degaussing. Degaussing, said Data Security, is the process of reducing or eliminating an unwanted magnetic field (or data) stored on tape and disk media such as computer and laptop hard drives, diskettes, reels, cassettes and cartridge tapes.
“When exposed to the powerful magnetic field of a degausser, the magnetic data on a tape or hard disk is neutralized, or erased.” Degaussing is the guaranteed form of hard drive erasure. As such, it serves as the standard method of data destruction, the company claimed.
They added that once a hard drive has been degaussed, it can be recycled for its precious metals, thereby helping to pay for the process (the cost of a degausser may be $2,000 or more, but the units may also be rented).
“Recycling companies are often willing to purchase degaussed/damaged hard drives. Complete hard drives provide a higher recycling value than shredded hard drives,” the company said.
Insurance data has value to both our customers and to crooks who steal this information and resell it on the black market. Destroying or degaussing unused media and drives may seem extreme, but it does close significant cracks through which valuable data could fall into the wrong hands.
Read more of Ara’s columns on technology here.
Following the Federal Example
I was thinking about the risks we face in the world of commerce and that led me to take a look at the National Terror Alert Response Center on the Homeland Security news website. As noted on that site, “The National Terror Alert Response Network promotes homeland security emergency preparedness through awareness, education, community involvement and partnerships between individuals, groups and organizations.” In doing so, the site provides information on terrorist-related incidents and activities in the United States and abroad.
The part of the site that really caught my eye was a list of “Preparedness Guides” for a variety of situations directly or marginally related to terrorism.
The topics include: biological attack, chemical attack, hijacking, explosive attack, emergency evacuation plans, water in an emergency, food storage programs, first aid, emergency communications, gas mask FAQs, and more.
Here, we have the federal government at least trying to raise awareness and offer practical advice for some very scary scenarios. The government site caused me to wonder if we couldn’t do the same thing for our own organizations and enterprises when it comes to cyber crime, social engineering and other activities that pose dangers.
If the feds can create a color-coded risk level profile for the nation, maybe it’s time we created and monitored such a profile for our own companies. The reason that many attacks succeed is that we are unaware that they are actually attacks. And some of the approaches are disarmingly simple.
For example, in one scam, the bad guys simply left thumb drives in the lavatories of a major company. Naturally, when the drives were discovered by employees, they plugged them in to their computers — their network-connected computers.
The drives, as you might suspect, contained malware that enabled the crooks to temporarily roam at will inside the network (from outside) and to steal passwords and other valuable information. Yet, it all started innocently enough with someone being curious about a “lost” thumb drive.
This could happen in your company or in mine. But if we spread the word about such possibilities within our own gates, we’re much less likely to be surprised by digital soldiers climbing out of the virtual Trojan horse. If we issue a weekly, or at least monthly, alert about reported hacking and social engineering attempts, it seems logical that many of us would think twice before plugging an unknown drive into our network-connected devices.
A rash of such incidents — or other crimes — could result in raising the risk profile in our organizations. This profile could easily be forwarded to every employee and every other connected entity on a daily basis as an aid to awareness.
Every person who connects with our networks is, by default, also standing guard over that network’s integrity. If we can all learn about what kinds of threats to expect and how those threats present, our enterprises and our organizations will be that much safer from those who wish to do us harm.
The final piece, of course, is to emulate the Homeland Security site by offering advice on what to do when a threat is detected. In one simple example, a directive and reminder to avoid clicking on any links from questionable sources would go far toward reducing the amount of cyber crime perpetrated against ourselves and our organizations.
The Fragility of Social Media
On March 11, the Twitter website crashed, marking the social network’s second outage in nine days, according to Computerworld. And this was not an anomaly. In fact, social media sites are prime candidates for meltdowns, with wide swings as traffic tries to negotiate the same electronic pathways at any one time.
Twitter was down for about an hour because of complications stemming from a planned site upgrade, according to the report.
Regardless of the actual cause, however, it is important to note that social media sites are fragile. A sudden increase in tweets or postings is quite likely to slow response on the sites and, in some cases, can bring commerce on them to a dead stop.
This fragility is important to many in the business world, because pundits like myself seem to never tire of saying that organizations need to embrace social media in order to remain competitive. Positive, interactive exposure may, indeed, be a game changer, and we are all well-advised to craft a social media strategy in order to stay ahead of those who would take our business away.
The other side of this shiny new coin, however, is the risk of an inopportune crash.
That may have a destructive impact on an organization that hangs its proverbial hat on social media promotions.
For example, the latest Twitter outage came at a particularly bad time for co-founder Biz Stone, as it coincided with his appearance on a panel about “our connected society” at the South by Southwest conference this March in Austin, Texas.
People were encouraged to tweet questions to Stone using the hashtag #askbiz. Ironically, Twitter was not functioning at that crucial juncture.
As one Twitter fan noted, “That is amusing on many levels.”
Organizations that want to leverage social media for operational, sales and marketing reasons also need to worry that such sites are prime targets for cyber criminals. You may have noticed that the scams are growing increasingly believable.
In part, this is because there really is no privacy on the Internet, and a crook who tries hard enough can gather a lot of information about a user.
That information gives a clever scammer a way to reach users with a message or a pitch that appears to be legitimate.
Of course, many will say that these are the risks inherent in doing business online, and particularly in posting personal information online. And this is certainly true.
Yet, can the insurance industry that uses “secure” images like a rock or a “good neighbor” really afford to play fast and loose in the world of social media?
Even if a site crash or an intrusion is not the fault of our companies, our customers may well associate the instability with us. It becomes a matter of guilt by association — and a very risky proposition in terms of public image for any type of company.
How are we to deal, then, with the desire to tap into new markets via social media versus the risks that these unstable outlets pose?
One answer may be to limit social media involvement to areas that don’t connect directly to the enterprise — and to keep a sharp eye on how we appear to our potential customers on any social media site.