Data security is an issue that surrounds our work and our personal lives every single day.
I guess I’ve always known that, but it only really sank in recently, when I was the victim of a breach of the new General Data Protection Regulation (GDPR), introduced by the European Union earlier this year.
Thankfully, it wasn’t a huge breach: it was only my work email address that was exposed. It was a simple error on the part of a company sending me and others a mailshot, where they forgot to put all the email addresses on their mailing list into the ‘bcc’ field. Within hours, they’d sent a further email (with the addresses actually in ‘bcc’ this time) apologising and confirming that they’d referred themselves to the appropriate authorities.
Tiny mistakes with catastrophic consequences
It got me thinking that in today’s climate, the slightest mistake, vulnerability or problem can easily become a security or regulatory breach with catastrophic consequences very quickly. A recent story in the news, where a laptop belonging to the US Geological Survey was infected with malware, underlined that absolutely no-one is immune to these errors.[1]
How did it happen? The employee using the laptop had visited malware-infected websites containing adult material, and had then downloaded images from them to a USB drive and to his personal mobile phone, which had also become infected. But the potential consequences for American national security (many of the sites the employee had visited originated in Russia) are only part of the story.
Perhaps even more surprising were the findings of the subsequent investigation. It found that USGS, an agency of the United States Government, didn’t have a strong URL blacklist policy, nor did it have a process requiring USB devices to be authorised before being plugged into agency-owned computers.
Two steps to data security success
What these examples demonstrate is that it is critical to leave no stone unturned in your quest for effective data security, and for compliance with associated regulations like GDPR. It doesn’t matter if you’re sending marketing emails or monitoring earthquakes: it applies to every business and organisation, including yours.
Of course, different organisations will have different priorities and pain points to address. But most businesses are likely to have two key things to consider: ageing devices and whether they are adequately protected from new and emerging threats, and how sensitive data is disposed of when devices are no longer required. Both can easily be overlooked in the day-to-day hustle and bustle of IT management, but can be taken care of through the deployment of an IT infrastructure refresh strategy.
Firstly, by replacing leased IT assets after fixed periods, you can ensure that your entire IT estate is always modern. This can give you a much better chance of maintaining the level of resilience and protection required against contemporary security threats.
And secondly, good IT lifecycle management plans will have comprehensive data destruction procedures in place. These involve collecting assets when they’re no longer required and permanently erasing all data from them. This can give you peace of mind over regulatory compliance, as well as enabling the reuse of devices and contributing to your sustainable IT credentials.
You won’t be able to make your IT infrastructure 100% secure – if anyone says they can, they’re lying. What you can do, however, is take every step available to minimise the risk of a security breach, or of costly non-compliance with regulations. IT lifecycle management can play a big part in that.