1. Inadequate Reporting
Without secure and comprehensive reporting, you remain potentially liable for data breaches. To properly protect your organization you need certified, auditable reports. Physically destroying drives is particularly weak when it comes to reporting.
2. Remote Location Risk
Disposing of computer hardware in your corporate headquarters is relatively simple. However, when dealing with remote locations you lose much of your control. Remote locations may not have a dedicated IT staff or the tools to wipe your hardware onsite.
3. Weak Internal Chain Of Custody
Internal risk occurs if your chain of custody process is either inherently flawed or not enforced diligently. For example, not collecting hardware promptly, having a high touch count, leaving computer in unsecured locations with unmonitored access can all increase your risk.
4. Outsourcing Risk
Many organizations don’t realize that when using a third-party provider for data destruction their secure data and hardware is being handled in many cases by transient or temporary employees.
5. Relying On Encryption
Encryption technologies are constantly improving, but so are tools used to break encryption. Deleting the encryption key may make accessing the data difficult, but the data is still on the drive and presents a risk in the long term.
6. Unknown Processes For Data Security
Organizations lacking a data security policy and the processes within the data security policy open themselves up to security gaps. If processes are left to the technician to develop and follow, they may not fully cover the gaps in your data protection policy.
7. Failure To Audit Internal Processes
An important part of any data security policy is to have a 3rd party audit your procedures for processing decommissioned computers and drives. Audits usually reveal many insightful results and can serve as an effective way to upgrade your policies or ensure they are followed.
For more information on these security gaps and what you can do about them, see our White Paper on the subject.