Cancer Research

Cancer Research is a nationally recognised charity leading the world in cancer research and the development of new strategies to beat cancer. It employs many thousands of volunteers and carries out research in 12 locations across the UK. There are 1400 staff based in the Angel Building, London, and EOL IT Services provide IT asset disposal services to the charity. The customer’s requirements were as follows:

  1. Compliance with the data protection regulator (ICO) and use of CESG approved software – EOL utilise the industry leader in data erasure software, Blancco, which is approved to CESG standards. All staff are Blancco certified to carry out data erasure using the software.
  2. Compliance with all current and relevant environmental and WEEE legislation – EOL have the ability to dispose of all IT assets and electrical devices, including white goods, ensuring a complete disposal solution for work environments.
  3. Compliance with the latest ISO legislation and industry standards – EOL hold ISO27001, ISO14001, ISO9001, OHSAS18001, BS EN 15713, BS7858 and ADISA Distinction Plus accreditations, so exceeded the customer’s requirements in all aspects of legislation and standards.
  4. Ethical, environmental and behavioural compliance – EOL have their own standards for these areas, but as part of our engagement we comply with the customer’s policies where they differ from our own.
  5. Full inventory of kit being received and leaving premises – this is standard practice for all our collection services: within 24hrs of collection we provide a full inventory of all equipment collected, including the asset tag, serial number, make and model of every asset.
  6. Provision of waste transfer notes – under WEEE, waste transfer notes are issued at the point of collection and with the booking-in report.
  7. Tracking procedures and documentation for all IT assets – assets are tracked from the point of handling at the customer’s site to the point of confirmation of data wiping and resale, or confirmation of physical shredding. This includes our own fleet of GPS-tracked vehicles, ensuring full custody of assets while in transit.
  8. Destruction certificates – we provide certification for data-bearing assets and media such as tapes, hard drives and flash memory. The certificates confirm complete data destruction and include a detailed list of the serial numbers of each hard drive.
  9. Allow an on-site inspection of the local supplier premises – a site inspection is in the pipeline for early 2015, to allow Cancer Research to visit our processing facility and audit our processes and procedures for IT asset disposal.

The level of data managed was Official. EOL carried out other services, such as peripheral disposal and the recycling of all IT assets following successful data wiping. All staff used in the end-to-end process are permanent employees of EOL IT Services, all of whom are Security Cleared and CRB checked. The service is managed by an account manager, including the planning and logistics for any services requested.

Each of the customer’s requirements was successfully delivered on time, complying with all of the customer’s security and audit requirements as well as all regulatory standards for data management and asset disposal.

How Can Your Business Prevent Mobile Malware Attacks?

Smartphones, tablets and the Internet of Things are great business enablers when it comes to being super responsive to the needs of your customers. Our working lives are more convenient; the technology has increased productivity at restaurant and boardroom tables alike. Business is faster and more efficient.

However, it is this ‘always on’ culture which poses one of the biggest threats to an organisation’s cybersecurity. The daily use of our mobile devices is so intrinsically normal that it lowers our defences, increasing the probability of a cyber-attack.

The cyber-criminals are all too aware of the central role these portable IT assets play, along with the fact that, on the whole, our mobile devices are just not as secure as laptops or desktops. They are commonly overlooked in favour of traditional endpoint security. The security measures you’d expect for your workstation, such as a firewall, antivirus or intrusion detection system, are simply not in place.

Remote working, hybrid structures and bring your own device (BYOD) policies mean that more of us than ever are using personal devices to access the corporate network. Whilst this may be cost-effective, personal unguarded endpoints have the potential to bring very real and very serious threats into the corporate environment.

 

“In 2020, nearly 97% of organisations faced mobile threats that used multiple attack vectors.”

Check Point, 2021 Mobile Security Report.

What is mobile malware?


Put simply, mobile malware is malicious software specifically designed to target mobile devices in order to gain access to your personal data. Attacks are increasing not only in number but in sophistication, with cyber-criminals profiting from almost any form of data.

In fact, any form of cyber-attack can now be implemented and performed via a mobile device. As well as gaining extensive access to the device itself, criminals can also gather valuable intelligence from additional sources on the device, including call history, SMS and GPS data. Remote Access Tool (RAT) attacks can even enable the device’s camera.

 


“At least 40% of the world’s mobile devices are inherently vulnerable to cyber-attack.”

Check Point, 2021 Mobile Security Report.

What are the most common types of mobile malware attack?

Responsible for over 51% of all mobile malware attacks, a Trojan hides itself in compromised software, often a mobile application. Hackers create apps or pirate known ones, infect them and distribute them on third-party app stores. According to 2020 Check Point research, around 46% of organisations had at least one employee download a malicious mobile application.

People are 18 times more likely to click a suspicious link on a mobile device than on a desktop*, so social engineering is widespread. The partner in crime of spoofing, phishing and smishing is the practice of mirroring a trusted website. These fraudulent sites, posing as trusted businesses, government bodies and healthcare institutions, have become so advanced that even savvy IT professionals could fall victim. According to Check Point, at the end of 2020 the most impersonated brand was Microsoft, which appeared in 43% of global phishing attacks. After all, responsible employees could be drawn to an email from ‘Microsoft’ advising them to remain secure by updating their device.

Malvertising, as the name suggests, is malicious online advertising infected with malware and distributed by common and trusted digital ad networks. Sometimes a user may follow the link and nothing appears to happen; they don’t realise that one click was all it took to install the malware.

How do you prevent a mobile malware attack?

We know that fingerprint security or a PIN lock is a good idea to prevent unauthorised physical access, but when it comes to cybersecurity, our mobile devices have a very different threat surface to more traditional endpoints. As such, best practice requires a mobile-specific approach.


Only use official app stores.

Third-party app stores host 99.9% of discovered mobile malware**. The good news is that the official app stores detect and remove rogue apps rapidly: according to Purple Sec, around 24,000 malicious mobile apps are blocked every day by Google Play and Apple’s App Store. By only ever using official app stores, you will vastly reduce the probability of unintentionally installing malware.

For Android users, it is also a good idea to ensure that the ‘Install from Unknown Sources’ setting is turned off. As easy as it is to click through permission pop-ups, always check and question app permissions before agreeing – does that app really need access to all of your contacts?

Update your OS when notified.

Known vulnerabilities are usually patched quickly by OS and software updates, but much as with your PC, if you’re hitting snooze on your update notifications you are leaving yourself and your organisation exposed. Similarly, make sure you have the most current version of whatever browser you use, to limit potential browser-based attacks.

Never connect to public Wi-Fi.

Public Wi-Fi networks are open by nature and therefore make it far easier for criminals to conduct man-in-the-middle (MitM) attacks. Of course, restricting Wi-Fi access only to trusted networks isn’t always practical. Use a VPN (Virtual Private Network) to provide a secure connection, so you can share information securely when outside the corporate firewall’s protection.

Encrypt all data.

Portable devices are easily lost or stolen. You may think you are protected by the screen lock, but criminals can bypass these passwords. Whenever there is data on a mobile device, encrypting it will keep that data secure even if the device does fall into the wrong hands.

Treat older mobile devices as you would end of life IT assets.

All too often mobile devices are discarded in favour of the newest tech. They’re left in office or home kitchen drawers; worse still, the user may even pass the handset on to family members. IT teams can easily lose visibility, when these mini-computers should be treated as any other piece of redundant IT equipment.

It is a very common ITAD myth that a factory reset completely wipes your device. This is not the case, and it can create significant data governance issues in the future. Your ITAD partner can also provide a data wiping service and free mobile device recycling, with the same ITAD chain of custody you would receive for larger assets. The IT asset disposal accreditation certificate records information such as phone make, model, IMEI and serial number, helping ensure your compliance with EU and UK GDPR. By using specialist mobile data erasure software, you can recycle or sell redundant IT assets safely, regaining their residual value. As large corporations can have thousands of mobile devices, many IT asset disposal companies offer lifecycle support services, such as mobile vulnerability scanning or the installation of mobile antivirus software.

As with all cybersecurity, educating your employees is a must. A robust mobile device policy and mobile-specific training will not just tell employees that they cannot install X or Y but explain why – employee understanding is particularly important when we all carry a mini-computer around in our pockets.

VPN use, mobile antivirus and encryption are all methods that help stop the threat at source. It is important to include all mobile devices in your IT asset disposal policy to ensure complete, secure data destruction and your organisation’s compliance with data protection laws.

Whether BYOD or corporate property, our mobile devices are a vital element of your corporate data security strategy. They require the same level of cybersecurity protection as traditional endpoints but with more specific methods to mitigate the risk of attack.

*Crowdstrike, **Purple Sec

Through our range of data wiping services, environmentally friendly ITAD and operational support services, EOL IT Services help information security officers and cyber security experts protect company data.

Find out how we can help – contact us on 0845 600 4696 or visit www.eolitservices.co.uk 

 


Resources.

Check Point, Crowd Strike, Security Metrics, wandera.com, Secure List, Purple Sec, Tessian, CISO Cyber Security Magazine.

How to Mitigate Against Accidental Insider Threats

Insider threats are a substantial risk across all sectors and industries, affecting organisations of any size.

After all, insiders have legitimate access to corporate systems and sensitive data, so insider cyber-attacks are harder to detect than malware-based intrusions. The rapid global deployment to home offices brought new challenges for CISOs: the ‘attack surface’ increased exponentially, whilst visibility reduced. Social engineering attacks rose sharply as cyber criminals preyed on human insecurities, irregular working hours and weaker home Wi-Fi security. In fact, cyber-crime was reportedly up 600% in 2020.

What is an insider threat?

An ‘insider threat’ is a current or former employee, a third-party contractor or a business partner who has legitimate access to your organisation’s network. These individuals could leak data, either by accident or deliberately.

According to Gartner’s Advanced Insider Threat Detection Report, 90% of insider incidents are caused by those the report categorises as ‘Goofs’ – ignorant or negligent employees who believe they’re exempt from security policies. Whilst intentional theft can cause enormous damage, the report shows that malicious insider attacks are uncommon.

The accidental insider, someone with no intent to steal or inflict damage, can make a genuine but costly error, such as emailing work data to a personal account in order to work from home, mislaying a USB drive, or falling victim to a social engineering attack.


What is social engineering?

Social engineering broadly covers a number of cyber-attacks that use human interaction and psychological manipulation. Criminals pose as a trusted entity to trick users into freely transferring funds, giving away confidential information or providing unauthorised network access. Because they rely on human error rather than software or OS vulnerabilities, these attacks are hard to identify.

Social engineering is used in 90% of cyber-attacks and is responsible for an estimated 70-90% of data breaches.


What is smishing and vishing?

Now well known, phishing is the most common form of social engineering. Playing on urgency, curiosity or fear, mass emails encourage users to click through to copycat websites or open malicious attachments. Smishing, a similar technique using SMS messaging, spiked during the pandemic as fraudsters pretended to be the NHS offering vaccinations or the Royal Mail handling increased deliveries.

The dangers of vishing, or voice phishing, were underlined by the 2020 attack on remote Twitter teams. Callers impersonated IT administrators to obtain employees’ credentials. Passwords were changed on over 130 high-profile accounts, including those of Barack Obama and Joe Biden, and the accounts were then used for a Bitcoin scam. This wiped 4% off the Twitter share price.

Baiting

Phishing’s devious cousin, baiting relies on fear, greed and temptation. Heavily psychological, it is an information security confidence trick used to obtain highly sensitive information, such as financial details. It takes many digital forms, from ‘too good to be true’ online downloads to deliberately ‘lost’ branded corporate USB drives left in the office lobby marked ‘Confidential HR’ or ‘Finance’.


Water holing

Much as a predator will wait by a water hole for its prey, water holing is an attack where the criminal targets a group of people, usually from the same corporation. These ‘drive-by’ web attacks infect a URL that employees must visit for their role. Such was the case in the high-profile Forbes attack in 2014: all users needed to do was load forbes.com for criminals to gain access to the corporate network.

How do you prevent insider cyber-attacks?

A proactive insider threat mitigation strategy should combine physical security and employee education. By their nature, these psychological, human-error techniques are far less predictable and depend on individual employees identifying and reporting any incident.

Increase user awareness

Following their 2020 research of more than 1,000 global employees, Mimecast found that 96% are aware of digital threats, yet 45% of employees don’t report suspicious messages for fear of getting into trouble. Alarmingly, the same percentage admit to clicking on emails they consider ‘suspicious’.

Despite knowing they shouldn’t, 73% “extensively use” corporate devices for personal email, online shopping and financial transactions, and 66% have done so more since working remotely.

There is a clear need for ongoing awareness and attack-scenario training on the increasingly sophisticated social engineering threats – these should be regular, rather than one-off, sessions. For example, your team may know to check the browser for a site’s security padlock, but are they aware that 50% of phishing sites now use HTTPS?

Identify your assets

With hybrid working and remote teams, it has never been more important to determine who has what. An IT audit will help you classify the vulnerability status of each asset and inform your risk mitigation strategy.

Accurately cataloguing assets is more than assigning laptops to users; it extends to external hard drives, tablets and mobile phones. For larger institutions, this can mean thousands of devices in thousands of remote offices. Many ITAD companies offer an auditing support service to help organisations take an updated inventory, ensuring everything is asset tagged and documented.

Undertake an access audit

Regularly reassess user network access controls and software licences, and review password policies. Apply the ‘principle of least privilege’, which limits access rights to only those users who need them to do their job. It is surprisingly easy for a former employee’s access to slip through the net, putting you at risk of a data breach.
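The access audit described above can be partly automated by comparing an HR leavers feed against a directory export and applying the least-privilege check to what is found. The following is an added example, not EOL IT Services’ own tooling; the leavers feed, directory records, group names (“Domain Admins”, “Finance-Write”) and the 90-day dormancy window are all constructed for illustration.

```python
"""Access audit helper: flag enabled accounts whose owner has left, dormant
accounts, and privileged group membership on either.

Added example, not EOL IT Services' tooling. The HR leavers feed, the directory
export and the group names below are constructed for illustration.
"""
from datetime import date, timedelta

# Assumed names of privileged groups for this example.
PRIVILEGED_GROUPS = {"Domain Admins", "Finance-Write"}
# Treat an account as dormant if it has not logged in within this window.
DORMANT_AFTER = timedelta(days=90)

# Constructed HR feed: employee id -> leaving date.
LEAVERS = {"E102": date(2021, 3, 31), "E104": date(2021, 6, 15)}

# Constructed directory export: one record per account.
ACCOUNTS = [
    {"user": "asmith", "owner": "E101", "enabled": True, "last_login": date(2021, 7, 1), "groups": {"Staff"}},
    {"user": "bjones", "owner": "E102", "enabled": True, "last_login": date(2021, 4, 2), "groups": {"Staff", "Finance-Write"}},
    {"user": "cwong", "owner": "E103", "enabled": True, "last_login": date(2021, 1, 10), "groups": {"Staff", "Domain Admins"}},
    {"user": "dlee", "owner": "E104", "enabled": False, "last_login": date(2021, 6, 14), "groups": {"Staff"}},
    {"user": "svc-backup", "owner": None, "enabled": True, "last_login": None, "groups": {"Domain Admins"}},
]


def audit_access(accounts, leavers, today, privileged=PRIVILEGED_GROUPS, dormant_after=DORMANT_AFTER):
    """Return {username: [reasons]} for every enabled account that needs review."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing left to revoke
        reasons = []
        owner = acct["owner"]
        if owner in leavers:
            reasons.append(f"enabled account of leaver {owner} (left {leavers[owner].isoformat()})")
        elif owner is None:
            reasons.append("no named owner")
        last = acct["last_login"]
        if last is None or today - last > dormant_after:
            reasons.append(f"dormant: no login within {dormant_after.days} days")
        # Least privilege: privileged membership on an account that is already
        # questionable is the first thing to remove.
        privileged_here = acct["groups"] & privileged
        if reasons and privileged_here:
            reasons.append(f"privileged membership still held: {sorted(privileged_here)}")
        if reasons:
            findings[acct["user"]] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit_access(ACCOUNTS, LEAVERS, date(2021, 7, 5)).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

Disabled accounts are skipped deliberately: the audit is a list of access still to revoke, not a history. Accounts with no named owner (typically service accounts) are flagged so that someone is made accountable for them before their privileges are reviewed.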

Professional data erasure

As businesses recognise the importance of sustainability, the circular economy and environmentally friendly ITAD, devices that would previously have been considered end-of-life IT assets are now refurbished or recycled by IT asset disposal services.

Whether their components will enter the remanufacturing process or the device is to be upgraded and redeployed, it is imperative that any redundant IT equipment undergoes a secure data destruction process. Not only does this protect company data and prevent data governance issues, your organisation will also remain fully compliant with EU and UK GDPR data destruction requirements.

 

Your insider threat mitigation strategy should include security controls such as antivirus and intrusion detection systems, to help avert company-wide phishing and malware attacks. A robust IT asset disposal policy and regular IT audits of hardware and privileges will help avoid unnecessary attacks.

Whilst a physical strategy is key, to achieve a higher level of security, employee awareness of new and emerging attacks must not only be increased but maintained. As social engineering preys on human curiosity, it is crucial that employees feel comfortable reporting a genuine error. After all, cyber criminals rely on a lapse of concentration that can catch out the most attentive employee.


As your ITAD partner, EOL IT Services offer a range of support services in addition to our data erasure services. We are here to make your life easier and can assist with upgrades for redeployment, resale and recycling of end of life IT assets.

To find out more, call us on 0845 600 4696 or visit www.eolitservices.co.uk


Resources.
Security Week, Imperva, Cybersecurity & Infrastructure Security Agency, Network Midlands, Keepnet Labs, Tessian, Rapid 7, Tech Target, Purple Sec, Dark Reading, Security Boulevard.

 

 

 

 

5 Best Practices for Responsible ITAD.

The prospect of a data security breach has long been the 3am worry keeping most CISOs awake at night. Whilst it is essential to protect company data at all costs following the introduction of EU and UK GDPR, ITAD isn’t solely about data destruction.

Environmentally friendly ITAD is of primary importance to ensure an organisation remains compliant with environmental legislation on the responsible disposal of redundant IT equipment. Since the Intergovernmental Panel on Climate Change released its recent, stark report, and as new emissions targets are set at COP26, the pressure is on for all businesses to become more sustainable, including the resource-heavy IT department.

 

How long should a laptop or PC last?

As technology advances and the Internet of Things continues to expand at a rapid rate, new technology is becoming cheaper and the lifecycles of our devices are becoming shorter.

According to Gartner Research, the average lifespan of a desktop PC is 43 months and that of a laptop 36 months. The research was intended to serve as a guide for device-replacement strategies and schedules. The short lifespans of our latest tech leave IT departments seeking to replace and dispose of PCs and laptops within just 3-3.5 years.

 

Led in part by the enforced move to permanent remote or hybrid working practices, IT spending continues to rise faster than anticipated. According to Statista, global spending on devices of all kinds in 2021 is projected to rise by a further 8% from 2020, reaching $705 billion.

So, with hundreds of gigabytes of business files and sensitive corporate data stored inside one comparatively small box, an effective sanitisation process using advanced data erasure techniques is the only way to completely remove all data from your device, ensuring legal data protection compliance.

With more and more devices storing personal data and an increasing demand for big data ITAD, what is best practice when it comes to IT asset disposal?

 

Conduct a physical audit.

A physical audit of all assets doesn’t just provide an up-to-date, comprehensive list of your organisation’s devices; it will help you evaluate the age, condition and productivity of each asset. Within larger organisations, this isn’t as easy as it sounds, especially if you have adopted remote or hybrid working practices. IT asset disposition services often offer an IT audit service; this will help you identify redundant IT assets that could be upgraded and redistributed, prepared for resale or recycled.

Accurately cataloguing end-of-life IT assets makes sure that nothing is accidentally missed. This ensures that all equipment you plan to dispose of is processed in accordance with GDPR data destruction legislation, undergoing complete, secure data erasure and preventing future data security issues.

Create an IT Asset Disposal Policy.

As lifecycles get shorter, it is even more important to implement an IT Asset Disposal Policy, creating a robust departmental framework specific to your industry and its particular set of data regulations.

It is never too early to consider the principles of data governance. Regardless of their lifecycle stage, all assets should be covered by your ITAD strategy. By documenting the process, you demonstrate your compliance with GDPR data destruction requirements and environmental waste legislation, along with your organisation’s commitment to sustainable working practices.

Your plan should include when you will remove employee credentials and permissions from systems, how you prepare equipment identified for resale or recycling, and whether you will employ data destruction services. With the acceleration towards digital infrastructures and cloud-based services, you should cover any on-site data erasure and data centre decommissioning. At the other end of the scale, it is important to consider mobile device recycling. Endpoint devices such as smartphones, tablets and the growing number of Bring Your Own Devices could unknowingly be responsible for a data breach.

Your IT Asset Disposal Policy can also be cost-effective. According to Gartner Research, such a strategy will typically achieve a 30% cost saving in the first year and at least a 5% cost saving in each of the following five years.

Dispose responsibly.

E-waste has become an epidemic of today’s throwaway culture, with the UN reporting that globally only 17% of our electrical and electronic devices were recycled in 2019.

Alongside their moral obligations, businesses within the UK and EU must comply with the Waste Electrical and Electronic Equipment (WEEE) regulations. This legislation ensures that all electrical and electronic equipment is recycled or disposed of in an environmentally friendly way when it reaches end of life.

Many IT asset disposal companies have committed to zero-landfill policies and are accredited to the internationally recognised ISO 14000 standard in Environmental Management, preventing toxins, precious metals and perfectly serviceable components ending up in landfill. If you outsource ITAD to a highly accredited ITAD partner, you can enjoy peace of mind that you also meet this standard.

Join the Circular Economy.

Whilst many companies simply accept that devices will need to be replaced every three years, departments can easily sell redundant IT assets on through their ITAD supplier. By repurposing technology with plenty of life left in it, organisations can maximise the lifecycle of the device itself and also their return on investment.

Upgrades are an effective way for CISOs to maximise an asset’s lifecycle and the ROI of each device whilst maintaining high employee productivity. The Right to Repair legislation announced in April 2021 underlined the importance of reusing the resources we have already manufactured, rather than continuing with the ‘take, make, discard’ culture, exchanging it for ‘reduce, reuse, recycle’.

When legacy assets cannot be upgraded, many of their components can be retrieved to re-enter the remanufacturing process, helping your organisation contribute to the circular economy. This EU action plan seeks to extend the short lifecycles of our assets, increasing their lifetime value and reducing e-waste.

Whilst this is a great addition to your CSR or sustainability policy, it also provides an unexpected revenue stream for the business. By recycling redundant IT assets through an ITAD company, you will receive a residual payment at the best market price for the recycled components. For larger corporations undergoing large infrastructure upgrade deployments, this can involve a significant volume of equipment, helping to offset and minimise costs.

Document your ITAD Chain of custody.

As with your IT asset disposal policy, documentation is crucial. Should the worst happen and you are the unfortunate subject of a data breach, the Information Commissioner’s Office will seek evidence that you have followed GDPR data disposal guidance and hold the appropriate ITAD chain of custody for each asset.

By using a professional ITAD service, you will receive an IT asset disposal accreditation certificate for each and every piece of redundant IT equipment, including evidence of data erasure prior to it being upgraded, resold or recycled.
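The chain of custody described here, and the collection inventory and destruction certificates listed as requirements 5 and 8 in the Cancer Research case study above, only give assurance if somebody actually reconciles them: every serial number collected should end in exactly one data-destruction certificate. The following is an added example of that reconciliation, not EOL IT Services’ own tooling or report format; the CSV column names, asset tags, serial numbers and certificate ids are constructed for illustration.

```python
"""Reconcile an ITAD collection inventory against data-destruction certificates.

Added example, not EOL IT Services' own tooling. The inventory and certificate
records below (column names, tags, serials, certificate ids) are constructed.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed collection inventory: asset tag, serial, make and model per asset,
# the fields a collection report is described as providing.
INVENTORY_CSV = """asset_tag,serial,make,model
TAG-0001,SN-AA1001,Dell,Latitude 7400
TAG-0002,sn-aa1002 ,Dell,Latitude 7400
TAG-0003,SN-AA1003,HP,EliteDesk 800
TAG-0004,SN-AA1004,Apple,iPhone 11
"""

# Constructed destruction certificates: serial of each sanitised drive or device,
# the method used and the certificate id.
CERTIFICATES_CSV = """serial,method,certificate_id
SN-AA1001,erase,CERT-2001
SN-AA1002,erase,CERT-2002
SN-AA1002,erase,CERT-2003
SN-AA9999,shred,CERT-2004
"""


def normalise_serial(serial: str) -> str:
    """Serials are keyed by hand on both sides; compare them stripped and upper-cased."""
    return serial.strip().upper()


@dataclass
class Reconciliation:
    unsanitised: list = field(default_factory=list)       # asset tags with no certificate
    duplicate_certs: dict = field(default_factory=dict)   # serial -> certificate ids
    unexpected_certs: list = field(default_factory=list)  # certificates for uncollected serials

    def clean(self) -> bool:
        """True only when every collected asset has exactly one certificate and nothing else."""
        return not (self.unsanitised or self.duplicate_certs or self.unexpected_certs)


def reconcile(inventory_csv: str, certificates_csv: str) -> Reconciliation:
    """Match every collected serial to its certificate and report the gaps."""
    inventory = {
        normalise_serial(row["serial"]): row
        for row in csv.DictReader(io.StringIO(inventory_csv))
    }
    certs_by_serial: dict = {}
    for row in csv.DictReader(io.StringIO(certificates_csv)):
        certs_by_serial.setdefault(normalise_serial(row["serial"]), []).append(row["certificate_id"])

    result = Reconciliation()
    for serial, asset in inventory.items():
        if serial not in certs_by_serial:
            result.unsanitised.append(asset["asset_tag"])   # custody ends with no evidence of a wipe
    for serial, cert_ids in certs_by_serial.items():
        if serial not in inventory:
            result.unexpected_certs.extend(cert_ids)        # certificate for something never collected
        elif len(cert_ids) > 1:
            result.duplicate_certs[serial] = cert_ids       # same drive certified twice: check the records
    return result


if __name__ == "__main__":
    r = reconcile(INVENTORY_CSV, CERTIFICATES_CSV)
    print("unsanitised assets:", r.unsanitised)
    print("duplicate certificates:", r.duplicate_certs)
    print("unexpected certificates:", r.unexpected_certs)
    print("clean:", r.clean())
```

The three findings matter for different reasons: an unsanitised asset is the one the regulator will ask about after a breach, an unexpected certificate suggests the inventory was incomplete at collection, and a duplicate certificate means the paperwork cannot be trusted as a one-to-one record without further checking.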

 

Whilst the importance of data destruction remains paramount, the environmental footprint of our businesses is increasingly under scrutiny from governments, stakeholders, partners and customers. Environmentally friendly ITAD is an important element of IT asset disposal data security best practice, ensuring your compliance with environmental legislation as well as data protection laws.

 

Learn more about our IT audit service along with our other support services, designed to make your life easier. EOL IT Services can assist with upgrades for redeployment, resale and recycling of end of life IT assets.

To find out more, call us on 0845 600 4696 or visit www.eolitservices.co.uk


Resources.
Gartner, Statista, Wise Tek, Data Foundry, HTL London, Horizon Technology, Iron Mountain, J.Gold Associates, Tech Reset, Cobalt.

 

 

 

 
