Effective Data Security When Recycling Corporate Tech E-Waste
- September 29, 2018
Data security in the energy sector is of massive concern, due to the sensitive data that may be stored on computers and other electronic devices.
Note: For simplicity, the phrase “sensitive data” can include any of the following:
- Personal customer information
- Employee personal information
- Corporate financial records
- Trade secrets
- Corporate VPN access
- Lab data
The concern arises when these devices are to be discarded, refurbished or recycled. Resetting a device is not enough here; it must be wiped clean.
This article will include the following main subjects:
- How to wipe data from hard drives, smartphones, solid state drives, and external hard drives
- The consequences of not doing it or doing it incorrectly
- Warning examples - the Stuxnet worm & Energetic Bear Trojan
How To Wipe Data
Methods of wiping data differ between device types. This section will provide instructions for:
- Hard Drives
- Solid State Drives
- External Hard Drives
Hard Drives
The Gutmann Method is still regarded as the best way to erase data. Many erasing programs are based on this method. It overwrites the hard drive using an algorithm that makes several passes of random patterns over the hard drive.
Smartphones
Smartphones carry a security risk because they are replaced often. Sensitive data can be easily retrieved and misused. Here are some tips to purge sensitive data from your smartphone.
We will break this down into two categories: iPhones and Androids.
iPhones
- Unpair any other Apple devices to keep data on those devices.
- On your old iPhone, go to iCloud, click on “Settings”, select your name, and scroll down to log out.
- Enter your Apple ID and password
- Select “Turn Off”
- Return to “Settings”
- Click “General”
- Scroll down to “Reset”
- Select “Erase All Content and Settings”
Androids
- Sync your data
- Backup data
  - Go to “Settings”
  - Choose “System”
  - Click on “Backup”
  - Turn on “Backup to Google Drive”
- Clearing data
  - Go to “Settings”
  - Choose “System”
  - Choose “Reset” or “Backup and Reset”
  - Select “Factory Data Reset”
  - Select “Reset Phone”
Solid State Drives (SSDs)
If your employer has newer computers, they have SSDs. They save data like your USB flash drive, only on a larger scale. The algorithms used in SSDs move data around the drive to wear memory blocks equally.
Because of this, data wiping methods that use multiple overwrites, like the Gutmann Method, will not work here, which leaves the drive more vulnerable to security risks. However, there are several utility software programs that will perform a safe and secure data erasure.
If there is one installed on the computer by the manufacturer, use it. If not, here are two generic programs that should work:
If your SSD is set up to encrypt data automatically, erase the encryption key from the computer so that no data can be retrieved.
Finally, there is one option sure to sanitize the SSD – physically destroy the drive.
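Why overwrite passes sanitize a hard drive but not a wear-leveled SSD, shown as an added example that is not part of the original article. Both device classes are simplified toy models (the SSD model has no garbage collection), and the secret is a constructed sample value.

```python
import os

class DirectMappedDisk:
    """HDD-like model: logical block N always lands on the same physical block."""
    def __init__(self, blocks):
        self.phys = [b""] * blocks

    def write(self, lba, data):
        self.phys[lba] = data              # overwritten in place

class WearLevelledSSD:
    """Toy flash translation layer: each write goes to a fresh physical page,
    and the previous page is only unmapped, not erased."""
    def __init__(self, pages):
        self.phys = [b""] * pages
        self.mapping = {}                  # logical block -> physical page
        self.next_free = 0

    def write(self, lba, data):
        if self.next_free >= len(self.phys):
            raise RuntimeError("toy model has no garbage collection")
        self.phys[self.next_free] = data   # out-of-place write
        self.mapping[lba] = self.next_free
        self.next_free += 1

    def read(self, lba):
        return self.phys[self.mapping[lba]]

def overwrite_passes(device, lba, passes, size):
    """Overwrite one logical block with random data, as a wiping tool would."""
    for _ in range(passes):
        device.write(lba, os.urandom(size))

def residual_copies(device, secret):
    """Count physical blocks that still hold the secret (chip-level view)."""
    return sum(1 for page in device.phys if page == secret)

def demo(passes=35):                       # 35 = pass count of the Gutmann Method
    secret = b"CONSTRUCTED-SAMPLE-VPN-CREDENTIAL"
    hdd = DirectMappedDisk(blocks=8)
    ssd = WearLevelledSSD(pages=64)        # includes spare (over-provisioned) pages
    for dev in (hdd, ssd):
        dev.write(3, secret)
        overwrite_passes(dev, 3, passes, len(secret))
    host_sees_secret = ssd.read(3) == secret
    return residual_copies(hdd, secret), residual_copies(ssd, secret), host_sees_secret

if __name__ == "__main__":
    print(demo())
```

The host can no longer read the secret from the SSD model, yet one stale physical page still holds it, which is why the drive's own secure-erase utility or destruction of the encryption key is needed.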
External Hard Drives
If your employer uses these devices, you can erase sensitive data using the following four steps:
1. Back up any data you cannot afford to lose. Saving it to a computer will do.
2. Format it.
   - Windows – right-click on the icon for the drive and choose “Format” from the menu. Click on “Start” and then “OK”. After the drive is formatted, simply select “OK”.
   - Mac – go to the applications folder and click on the “Disk Utility” application. Select your drive on the left side, then go to the tab “Erase” and select the “Erase” button on the right side. Click “OK”.
3. Run a disc cleaner on the external hard drive.
   - Install the software on the computer, and then select the external drive in the program interface to run the disc cleaner.
4. Destroy the inner components.
   - If you do not plan to use the drive again, you may skip steps 1-3, disassemble the housing, and destroy the delicate components inside.
Consequences of Not Clearing Data – Or Doing So Correctly
Here are two scenarios that illustrate the importance of clearing data from corporate devices that will be replaced.
Scenario 1 – Electric Company
An office employee of an electric company tosses their old computer in the dumpster upon receiving a new one.
A week later, one of the employer's customers, irate and distressed, reports that their information has been compromised. The offender is caught and reveals that he got the data from a discarded computer in the company’s dumpster.
Lesson: Never discard a company computer without having the IT person either remove the hard drive or wipe the data clean from it.
Scenario 2 – Nuclear Power Plant
If you work at a nuclear power plant, then high-level security is the norm. Each employee has their own unique passwords, PIN numbers, etc., and this data is recorded in the company’s computer system. An employee’s login info may be saved on their personal smartphone.
Then one day you get a new phone. You then toss the old one in a public trash bin. A criminal picks it up, finds your security information, and uses it to get into the plant to steal sensitive data, leading to a lockdown.
You return to work the next day to learn of the event and you are being considered for immediate termination.
Lessons: Do not keep highly sensitive information on your cell phone if you can help it. Never throw an old cell phone in the trash. Always clear all data from your cell phone.
Perhaps some may consider these examples extreme. However, unexpected things happen every day; the world we live in is fertile ground for it. Never take data security lightly.
Warning Examples – Stuxnet Virus & Energetic Bear
According to a recent report, energy companies are prime targets for cyber-attacks on a daily basis. The following examples illustrate the kind of damage cyber-attacks can cause in the industry.
Stuxnet was a virus that sent centrifuges into erratic spins, from one extreme to the other, resulting in irreparable damage to an Iranian facility’s enrichment process. This virus was activated immediately by the simple insertion of a USB flash drive.
In 2014, Energetic Bear affected in excess of 1,000 U.S. energy companies through phony emails and malicious links accessed by employees. It would then install the Goodor Trojan onto compromised machines, allowing remote access. At one point, this gave the group behind the malware access to everything from manufacturing plants to power grid systems.
If cyber-attacks like these can occur, just imagine the impact of having data and credentials stolen from equipment that hasn’t been wiped.
Given the sensitivity of data entrusted to the energy industry and its probability of being attacked, there is no doubt that data security is becoming more and more paramount.
Whether it is computers, laptops, smartphones or other devices, all employees in the energy industry must be mindful of the risks of storing sensitive data on such devices.
When devices are swapped out, erasing such data will go a long way in protecting your company, your company’s customers and yourself. Make data security a constant in your mind and your daily routine.
Learn more at https://plunc.com/blog/recycling-can-save-lives