Last year, Cyber Security Month celebrated its 10th anniversary.
Ten years ago, LinkedIn was hacked, exposing 6.4 million passwords. Fast forward a decade, and headlines haven’t changed much, with the European Union Agency for Cyber Security naming ransomware and malware, in various guises, as the top cybersecurity threats once again.
But something HAS changed.
According to IBM, the average cost of a data breach increased by 2.6%, from USD 4.24 million in 2021 to USD 4.35 million in 2022. The average cost climbed 12.7% from the 2020 report.
Attacks on organisations in critical infrastructure sectors rose from fewer than 10 in 2013 to almost 400 in 2020, a 3,900% increase.
Not to mention the long-term impacts that data breaches have on consumer trust and brand reputation; today, they can halt trading and send customers running overnight.
Climbing the ladder
Unsurprisingly, data security has hit the big league, and it’s no longer just front of mind for the tech team.
Today, it sits on the desk of the Chief Executive and the Chair of the Board, with 88% of board members saying cybersecurity is considered a business risk, compared to just 12% saying it’s a technology risk, according to Gartner’s 2022 Board of Directors Survey.
Investors, journalists, and customers are paying careful attention, too, as data leaks make headlines and take Twitter by storm, ruining reputations within minutes.
Data security also represents a serious legal risk as a breach of duty of care and a failure to take all reasonable precautions to protect customer data.
As if that isn’t enough, financial risk isn’t far behind, with regulators acting swiftly to slap hefty fines on those who allegedly violate the EU’s strict data protection rules.
As the workforce gets more and more distributed and digitalisation shows no sign of slowing down, it’s clear that to address the risk, Security Chiefs and CIOs need to look beyond the usual areas of concern to protect their business.
More things in more places
As the number of tech assets operated by businesses grows, the risk increases exponentially as sensitive customer data spreads across an organisation’s digital footprint.
Businesses are vulnerable at multiple points across the complex device lifecycle, and while few would risk trading without a cyber security plan for in-use devices, many are still planning only for tech assets while they’re in operation.
Discarded devices also need protection – inadequate IT disposal risks private company or customer data falling into the wrong hands, with dire consequences for businesses.
These factors prompted the Cybersecurity and Infrastructure Security Agency (CISA) to include IT asset disposal (ITAD) as an identified threat vector in its guidance on defending against software supply chain attacks.
The power of three
Good cyber security starts with procurement, continues with asset management, and ends with responsible handling of devices at the end of their first useful life.
How an organisation procures assets can profoundly affect its security outcomes. Traditional ownership models are outdated, lumbering organisations with many needless risks, placing a heavy burden on internal teams to manage security challenges alone or through multiple competing suppliers.
Alternative ownership solutions, like device-as-a-service, are increasingly becoming part of future-fit security strategies. The most reliable ones offer access to an asset management system, giving organisations immediate oversight and control of their devices. The most advanced go a step further and look beyond the first useful life of the devices, making it possible for organisations to be compliant and environmentally responsible at the same time.
Shredding hard drives is the legacy form of disposal, especially for data-bearing devices like servers and data centres. But according to Blancco – a world leader in data security and erasure – it’s not the most effective option: “shredding most traditional drives will render the data irrecoverable, but destroying newer technologies, such as SSDs, has been found to leave data on drive fragments, creating the possibility of a data breach while rendering the drive unusable.”
This kind of wasteful practice is starting to raise eyebrows. Even the European Commission has released research promoting “data deletion” over device destruction. However, according to a recent investigation by The Financial Times, tech companies, banks, and public services shred millions of data-storing devices each year.
The circle of trust
Clearly, failing to have a technology management plan that looks at the entire lifecycle of a device – from procurement to IT asset disposal (ITAD) – is unviable for any security-conscious organisation.
Instead of wasting tech assets by destroying them and potentially leaving themselves at risk, organisations can find value in end-of-life devices by prioritising repair and reuse, with peace of mind that globally accredited data sanitisation software leaves no trace of their data.
The pace of technological developments means we cannot predict what the next ten years will hold or what security challenges businesses will face.
However, we can take steps now to ensure our organisations are better protected and more resilient against cyber threats, so the headlines don’t call out the same devastating breaches of company and customer privacy in years to come.
Applying circular principles to technology management is a great place to start.