E-waste – A security blind spot


By Stuart Dahlenburg, VP, General Manager, Information Management and Digital Services, Iron Mountain, ANZ

The emergence of the COVID-19 pandemic last year forced businesses and their employees to radically reimagine their day-to-day life. Unprecedented restrictions on travel, physical interactions, and changes in consumer behaviour forced companies to change the way they operate and consumers the way they engage with businesses.

Businesses and people were forced to adopt digital solutions overnight. In some cases, banks, grocery stores and retail brands were rolling out technology plans that would ordinarily have taken years to complete, in a matter of weeks.

However, new remote working models can bring a number of potential risks from a data protection and privacy perspective. Cloud technology, which allowed workers to be productive by providing access to company documents outside of the office environment, was critical in ensuring businesses could continue to operate.

At the same time, it led employees to leverage unfamiliar tools to share documents, leaving sensitive data sitting on a laptop or mobile device which could then be stolen or damaged, or in the cloud, where it’s at risk of being stolen through a cyber attack.

According to the ACSC, individuals and businesses made around 60,000 reports of cybercrime in 2020; however, the actual number of incidents is likely to be much higher.

Similarly, a report by BDO says data breaches caused by malicious hacking increased by 91 percent in 2020, likely caused by IT support challenges during remote working, and the lack of preparedness for increased cyber attacks during the pandemic.

With an increasingly dispersed workforce, security has never been more crucial to keep a business running. Aside from keeping precious intellectual property safe, ultimately security reduces liabilities, insurance, compensation and other social security expenses to be paid by the company to the stakeholders.

COVID-19 has forced the hand of businesses in several sectors by requiring them to confront their digital preparedness in tackling cyber threats head on.

Cybersecurity must no longer just be in the confines of IT – it requires a comprehensive strategy that extends to all aspects of the business, from the customer service call centre to the boardroom.

Organisations need confidence that fundamentals are in place to ensure they remain protected from this increasingly prevalent risk. Businesses must invest in physical security, follow best practice and take a holistic approach.

Cybersecurity depends greatly on physical security

While it’s known that the cost of successful digital attacks keeps rising, one element of security that is often overlooked is that of physical items, the loss or breaching of which can be just as harmful if left unchecked.

For example, attackers who gain physical access to a computer can almost always take advantage of that access to further their efforts.

Laptops, USB drives, tablets, flash drives and smartphones all have the ability to store sensitive data that can be lost or stolen. And in a world of hybrid-working with many employees working remotely and taking equipment from the office to their homes, organisations increasingly have the task of safeguarding data, equipment, people, facilities, systems, and company assets.

Companies spend substantial sums on physical security: keeping the public at large out of their headquarters, limiting access to sensitive areas, and keeping workers out of mission-critical areas such as the server room. The same concern must extend to discarded equipment.

Casually discarding an old computer and e-waste in the bin is just as risky as throwing an individual’s passport on to the street.

One company that experienced the negative side of unsecured waste destruction was the Idaho Power Company in 2006, which disposed of company hard drives without wiping them clean and later found out that sensitive corporate data had ended up on eBay, where hundreds of its old hard drives were being sold online. Contained on those hard drives were confidential employee information and proprietary memos.

In the information age, every piece of data is valuable. Just because something seems to be no longer of use, it doesn’t mean it wouldn’t be of use to someone else. Bad actors are going to greater lengths to get their hands on anything and everything that could lead them to a payout, from former customer credit card numbers to 10-year-old trade secrets.

Back to basics: Best practice of destruction

A holistic approach

E-waste management will continue to be a challenge for Australian businesses as CEOs continue to embrace digital transformation.

Companies cannot afford to hold on to every file indefinitely, whether physical or digital, as doing so takes up valuable resources.

Organisations with aligned cybersecurity and physical security functions are more resilient and better prepared to identify, prevent, mitigate, and respond to threats. Convergence also encourages information sharing and developing unified security policies across security divisions.

The benefits include an integrated threat management strategy that reflects an in-depth understanding of the impacts to interconnected cyber-physical infrastructure.

A hybrid working model brings with it a number of potential risks from a data protection and privacy perspective. However, organisations that identify and implement a holistic approach to physical and digital data security will be better placed to react and defend against cyber threats.

Where, typically, physical security and digital security were once entirely separate realms, they are slowly becoming more intertwined.

As rapidly evolving technology increasingly links physical and cyber assets, spanning sectors from energy and transportation to agriculture and healthcare, the benefits of converged security functions outweigh the challenges of organisational change efforts and enable a flexible, sustainable strategy anchored by shared security practices and goals.