Information assets hold large volumes of confidential data, and protecting this data is essential. Tough regulations, the high cost of data breaches and the risk of data leaks mean that proper steps must be taken to ensure the complete and secure disposal of sensitive information. The practice of meeting these regulations is known as risk mitigation: balancing the cost of developing a robust and secure IT infrastructure against the likelihood of an incident and the potential damage to the organization. IT risk management is generally divided into four categories: security, availability, performance, and compliance.
Headlines about unencrypted personal information lost on stolen laptops, credit card numbers stolen from corporate IT systems, and business disruptions caused by computer outages are all too frequent. A host of strict industry standards and government regulations have forced organizations to take adequate steps to mitigate the risk of unauthorized exposure of confidential corporate data. Organizations must keep an audit trail as evidence of the steps taken to prevent data leaks. Failure to comply can result in financial loss, irreparable damage to a company’s reputation, and civil and criminal liability.
The common internal causes of corporate IT-related incidents include poor password protection, incomplete erasure of data before systems are disposed of, failure to update protection software, and failure to scan files. These incidents leave the infrastructure exposed and the organization vulnerable to exploitation, attack, and loss of proprietary information. Ultimately, all of them translate into lost productivity from downtime and increased costs to repair programs and replace lost or stolen equipment.
Mitigating Risk through Education
IT departments should not shoulder the responsibility of managing risk alone. Security is everyone’s job, and when it comes to information security, people are as important as technology, policies, procedures, and guidelines. With proper education and training, employees can become an organization’s strongest line of defense and its most valuable security asset. When designing a training program, IT organizations should keep in mind the four risk management categories: security, availability, performance, and compliance. Training should:
- Take a more proactive approach to IT availability issues
- Demonstrate the importance of proper backup procedures
- Increase awareness of common virus & trojan attack vectors, such as email attachments and file downloads
- Educate people to completely erase their data from hard drives that have been, or are about to be, disposed of
- Support and follow internal IT safeguards and business policy requirements in an effort to help meet compliance standards such as FISMA, HIPAA, US Dept. of Defense, EU-DPA, IT-Act, etc.
Successfully protecting information assets requires employees at every level, from the top down, to obtain a basic understanding of the security risks and policies, as well as their respective responsibilities in protecting the company’s assets. Today’s security environment has become so complex that reactive companies will always be playing catch-up. Companies are growing, and so is their data. They are bound to buy new systems and to sell or donate the old ones. Commonly, companies simply sell their systems to refurbishers without ensuring that the data has been fully erased. Full erasure is important because the data may otherwise fall into the wrong hands and be misused. Even after deletion, some data may remain on the drive and be easily recovered with data recovery software. In the long term, therefore, it is necessary to delete your data completely, with no scope for recovery, to reduce the associated costs and maintain any level of security. Additional options include:
- Performing regular assessments of the security risks.
- Making recommendations for improvements in existing strategies, policies and controls.
Compliance with data protection laws
Both the employee and the corporation should comply with data protection laws, so that users do not distribute corporate data and the organization does not access personal user data stored on the device. Corporate data is typically lost through unauthorized sharing of information on employees’ devices and the services they use, and through sharing of the devices themselves.
Integrated, multi-technology, data leakage/loss protection
When an employee stores sensitive corporate data, the organization should ensure that this data is not lost through hardware failure, software faults, or user error. Destroying data can be challenging, and even damaged hard drives contain data that can be recovered. To be sure that data is destroyed beyond recovery, it is imperative to use a secure method of data erasure. Thus, special software must be installed both to prevent data loss and to perform data erasure.
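As an added illustration of two points made above (that deleted data remains readable until it is overwritten, and that erasure should be verified and recorded for the audit trail before hardware is disposed of), here is a toy disk simulation written for this article. It is not code from the original; the block size, the class and file names, and the sample record are constructed.

```python
# Added example (not from the original article): a tiny simulated disk shows why
# "deleting" a file leaves its bytes in place and how erasure can be verified
# before hardware is disposed of. Names and the sample record are constructed.
import hashlib

BLOCK = 64            # constructed block size for the toy disk


class ToyDisk:
    """A flat byte array plus a directory that maps file names to block numbers."""
    def __init__(self, blocks: int) -> None:
        self.raw = bytearray(blocks * BLOCK)
        self.directory: dict[str, int] = {}

    def write_file(self, name: str, block: int, data: bytes) -> None:
        assert len(data) <= BLOCK
        self.raw[block * BLOCK:block * BLOCK + len(data)] = data
        self.directory[name] = block

    def delete(self, name: str) -> None:
        """Ordinary delete: only the directory entry goes; the bytes stay on disk."""
        del self.directory[name]

    def secure_erase(self, name: str, pattern: int = 0x00) -> None:
        """Overwrite the file's whole block with a fixed pattern, then drop the entry."""
        block = self.directory.pop(name)
        self.raw[block * BLOCK:(block + 1) * BLOCK] = bytes([pattern]) * BLOCK


def scan_for_residue(disk: ToyDisk, markers: list[bytes]) -> list[bytes]:
    """Audit check: which sensitive markers are still readable in the raw bytes."""
    return [m for m in markers if m in disk.raw]


def erasure_report(disk: ToyDisk) -> str:
    """Hash of the raw contents, to be stored in the audit trail as evidence."""
    return hashlib.sha256(bytes(disk.raw)).hexdigest()


def demo() -> tuple[list[bytes], list[bytes]]:
    record = b"card=4111111111111111;ssn=000-00-0000"   # constructed sample, not real
    markers = [b"4111111111111111", b"000-00-0000"]
    disk = ToyDisk(blocks=4)
    disk.write_file("customers.csv", 1, record)
    disk.delete("customers.csv")
    after_delete = scan_for_residue(disk, markers)   # markers still present
    disk.write_file("customers.csv", 1, record)
    disk.secure_erase("customers.csv")
    after_erase = scan_for_residue(disk, markers)    # nothing left to find
    return after_delete, after_erase
```

On a real drive the same idea applies: the raw device is overwritten and then read back in full to confirm the pattern, with the resulting report kept as the disposal evidence.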