On Friday 12th May 2017, a large cyber-attack using WannaCry ransomware, targeting Microsoft Windows operating systems, was launched.
It swiftly infected more than 230,000 computers in 150 countries (with ransom payments being requested in bitcoin, in more than 28 languages), and Europol described the attack as “unprecedented in scale”.
The spread of the attack slowed greatly when a researcher found an effective kill switch, which bought companies valuable time to patch their systems. But what is ransomware?
Ransomware is a type of malicious software that will lock you out of your data until you pay the sum of money that the hacker has demanded. These fees can range from less than £20 to over £300, sometimes into the thousands; it depends on the hacker. Different hackers may also demand different methods of payment: some may ask for bank transfers, cheques or even the bitcoin equivalent of the requested amount, as seen with WannaCry.
Once files are encrypted you can no longer access the data, and the only options are to lose the data or contact the hackers to obtain access.
Whilst ransomware and malware are rightly of great concern to organisations across the globe, there are other ways a data security breach can occur that are often overlooked – retired hardware systems, and the data left on them, pose a real threat to data security.
Being prepared for possible data breaches.
The ICO (Information Commissioner’s Office) has produced a guide for organisations on IT Asset Disposal, and there are some simple steps that can be taken to ensure your risk of a data breach during this process is minimised:
- Create an Asset Disposal Strategy – be clear about what will happen to devices that are no longer required.
- Conduct a risk assessment of the disposal process – whether you plan to redeploy, re-use or recycle equipment – consider what data may be leaving your organisation as a result.
- Identify the devices that contain data – it is not only PCs and laptops that contain data – other devices such as printers, faxes, servers, smartphones, USBs and tablets will also contain data.
- Select an IT Asset Disposal Company wisely – look for an independent Data Processor that will guarantee it will treat your data with the same level of protection as you do – or better!
  - What products do they use in the data erasure process and do they have independent approval?
  - What audit trail are they able to offer you with regard to your assets and are you able to conduct a client assessment to see their processes first hand?
These are just some of the considerations that the ICO recommend when it comes to ensuring you are not at risk from a data breach when retiring legacy hardware.
The costs of a data breach are high – ensure you take the relevant measures to mitigate the risks.