Kenneally Technology Services was recently requested to provide their expertise to a national cybersecurity organization and their online publication. Here is an excerpt with a link to the full article if you wish to continue reading:
The “little guy mentality” can no longer be relied upon to protect and safeguard your systems in today’s environment.
Much attention has been paid to major data breaches that have affected large corporations, United States government agencies, not-for-profits and political organizations. This attention has resulted in the allocation of significant resources, both monetary and intellectual, to shore up business and government defenses against different types of cyber threats. In fact, an entire educational industry has emerged as high schools and universities now offer courses and majors for a new generation of cyber-warriors.
That is all well, good and necessary given cyber’s national security and financial implications, but it fails to address the core of the American economy. Tens of thousands of small-to-medium-sized businesses (SMBs) do not have an existing or adequate cybersecurity budget. Perhaps worse, these organizations often feel that due to the small size of their business they will not be the targets of a cyber-attack.
This perception is simply not correct. Last summer, the FBI reported that as of late 2013 (the latest data available), more than 7,000 U.S. companies, of all sizes, were victims of phishing scams, with losses exceeding $740 million. Symantec Corporation has observed a steady increase in attacks targeting businesses with fewer than 250 employees, with 43 percent of all attacks targeted at small businesses in 2015, proving that companies of all sizes are targeted…
There are many important reasons to go to the trouble of recycling your retired IT equipment rather than just tossing it into the dumpster when no longer needed.
According to ComputerWeekly.com, an average PC contains plastic (23%), ferrous metals (32%), non-ferrous metals (18%), electronic boards (12%), and glass (15%). A single computer can contain up to 2 kg of lead, and the complex mixture of materials makes PCs very difficult for equipment owners to recycle themselves.
It is possible to recycle many parts of an IT system, particularly monitors, PCs and servers. Computer peripherals, such as printers and scanners, can also be recycled, as well as landline and mobile phones. Recycling one million laptops saves the energy equivalent of electricity used by more than 3,500 US homes in a year. For every million cell phones we recycle, 35,000 pounds of copper, 772 pounds of silver, 75 pounds of gold and 33 pounds of palladium can be recovered.
If you are like most business owners, you have accumulated a large amount of old technology equipment. Most local recycling sites located within the State of Maryland do not allow bulk disposal of retired IT equipment, but instead limit the drop-off to a single item per vehicle. If yours is a large organization, this could mean several trips just to dispose of a small portion of your old equipment.
Having a professional recycling firm handle these duties for you is much more affordable than you may think. The convenience of their personnel coming to your site and picking up the equipment for you is well worth the cost. A professional IT recycling firm should provide you with a detailed list of all equipment disposed of, including make, model and serial numbers. They should also provide you with certificates as proof that all hard drives and magnetic media storage devices have been properly destroyed.
The single most important reason you should retain a professional recycling firm to handle your retired technology is security. Mechanical hard drives commonly found in servers and desktop computers, solid state drives found in laptops, and flash drive technology used in phones and memory sticks can house long-forgotten yet sensitive data in documents, emails, and even videos and pictures.
When you use the file deletion utility of your computer or mobile device’s operating system, it does not actually delete the data. Instead, it marks that location on your system’s storage device as available to be overwritten with new data. Until that happens, the original data is still there: a lot of readily available data rescue software can very easily retrieve “deleted” data from storage devices, even ones that may be damaged.
If you are in an industry that has regulations for securing patient health information, credit card information and any personal data (and that covers nearly every type of business), you should have not only a strategy in place, but also an IT policy that states how data storage devices and IT equipment are destroyed. A few dollars now can save you thousands later.
For more information, please feel free to reach Dave Thomas, Director of Technology Services, at firstname.lastname@example.org or 443.829.9897.
Maryland MGMA (Maryland Medical Group Management Association) is the local resource for medical practice management education and information.
Kenneally Technology Services was a sponsor of the Maryland MGMA State Conference on Friday, September 30th. We have worked with lots of medical practices on IT Security Assessment projects as well as providing managed network services for many medical groups.
Kenneally Technology sponsored the TapSnap photo booth at this event, which benefitted the Casey Cares Foundation and provided a bit of fun relief from the informative conference sessions and meetings.
Why isn’t cybersecurity considered a top priority for a majority of small businesses?
A 2015 National Small Business Association survey revealed that cybersecurity doesn’t even rank among the top 5 most significant challenges. Yet small and medium-sized businesses (SMBs) represented 60% of all targeted cyber-attacks last year. And according to the National Cyber Security Alliance, 60% of small businesses close their doors permanently within 6 months of a data breach.
October 5, 2016
The National Cybersecurity Center of Excellence
Presented by: CAMI, Startup MD, and the CRTC
With these industry partners: the National Cybersecurity Center of Excellence (NCCoE), MD Department of Commerce, and Montgomery County Economic Development Corporation
Maryland Cyber Day is an activity-filled day highlighting and celebrating Maryland’s cybersecurity innovators and connecting them with two vital tools for growth and success – investment capital and customers – from Maryland and beyond. Connect online and in-person with an audience that has been specifically curated to meet your business’ needs – companies and government entities that are on the look-out to purchase, partner with and/or acquire today’s most cutting-edge cybersecurity technologies.
Maryland Cyber Day will include the Pitch Across Maryland Bus Tour and our signature event – the Cyber Solutions Marketplace – and wrap up with CAMI’s Birthday Bash. Buy your ticket today, and don’t miss this opportunity for your company to be recognized as one of Maryland’s leading cybersecurity assets.
Register for Maryland Cyber Day Now!
October 20-21, 2016
The Baltimore Hilton Hotel
The CyberMaryland Conference is an annual two-day event designed to showcase Maryland’s leadership in the cybersecurity industry, provide sharing and networking opportunities within the cybersecurity community, and facilitate the development of cyber assets. This year’s theme is “Leading the Cyber Generation,” and the event will include the CyberMaryland Conference, an induction ceremony into the National Cyber Security Hall of Fame, the Maryland Cyber Job Fair, and the Cyber Maryland Industry Showcase.
Do you use computers in your organization to work with, process and store sensitive data that if stolen or disclosed could potentially result in damages to an employee, client, student or patient?
- Are your organization’s computers used to access, process or store protected health information (PHI)?
- Are computers in your organization used to work with, access, process or store personally identifiable information (PII)?
- Are computers in your organization used to accept, acquire, process, transmit or store cardholder/credit card data?
If the computers your organization uses have the ability to store information locally, including sensitive information, installing disk encryption designed to protect and safeguard that information is a good business practice.
In some cases it is potentially required by State or Federal laws and may be necessary to meet certain industry standards. Listed below are some examples.
Social security numbers, student transcripts, financial aid information and individuals’ health records are federally protected under laws like the Health Insurance Portability and Accountability Act (HIPAA) and Family Educational Rights and Privacy Act (FERPA). While encryption is not mandated under HIPAA, it is an “addressable implementation specification.” Specific State privacy laws and institutional policies may impose more stringent requirements than FERPA.
The financial industry has encryption and data guidelines established in legislation such as the Dodd-Frank Act.
Cardholder/credit card data is required to be handled and secured in accordance with the Payment Card Industry Data Security Standards (PCI DSS).
Who should use it –
If your organization is a financial institution or your organization’s computers are used to work with health care data, student transcripts, financial aid information or cardholder/credit card data and this information can be saved locally, you should seriously consider assessing your risks and possible liabilities to determine if encrypting your data is a prudent or necessary safeguard.
To give you a simple example, if you work with protected health information and it is saved on an unencrypted hard drive in a laptop computer that is lost or stolen, you will be in violation of the HIPAA security rule, in which case you must report the security incident to the proper Federal authorities. You may be subject to fines and penalties as well as other mitigation remedies and required corrective actions. If the laptop hard drive was encrypted with appropriate full disk encryption software, then there may be no need to report the security incident or incur fines and penalties, since you had adequate safeguards in place to protect and safeguard the sensitive information.
Ultimately, it is up to your organization’s management, based on their assessment of risk and a due diligence review of the laws and regulations under which your organization operates, to decide whether the data and information your organization’s computers access and work with should be encrypted. In most cases it is best to err on the side of caution and use full disk encryption to safeguard data and information.
Options for implementing encryption –
There are a number of tools available in the marketplace that implement disk encryption. You should be aware that they vary in features and security. A proper assessment of your risks and applicable laws and regulations will assist you in determining the most appropriate solution.
Disk encryption solutions basically fall into two categories: software-based and hardware-based within the storage device. Storage devices with hardware-based disk encryption built in are called self-encrypting drives (SEDs).
Examples of software-based encryption applications include BitLocker for Windows (Microsoft), Endpoint Full Disk Encryption (Check Point), Endpoint Encryption (Symantec) and VeraCrypt (CodePlex). There are a number of software solutions on the market, so a due diligence review of your needs and product capability is a necessity.
SED drives are available from many hard drive vendors including Seagate Technology, Hitachi, Western Digital and Toshiba, and from solid-state drive vendors such as OCZ, SanDisk, Samsung and Micron. SED drives do have several advantages over a software-based solution. First, since the encryption is done within the storage device itself, there is little to no impact on the performance of your computer or your applications. Second, since the media encryption key never leaves the storage device, it is not susceptible to viruses and malware that may impact the computer’s operating system or your applications.
If you would like some guidance or assistance with assessing your needs or disk encryption options, please contact us.