4. The printer graveyard
Today's enterprise-class printers and fax machines come with internal hard drives. These state-of-the-art devices store images of everything they process, exposing data from any department that uses them. Compromise is possible when administrators don't use available encryption and user IDs and don't automatically delete data off the drive on a schedule, such as every two hours, clarifies Shumard.
The same data, in the same file types -- from company directories to strategic plans in Word, Excel, PowerPoint and innumerable other formats -- is up for grabs when these devices are decommissioned or returned off lease without the enterprise first wiping the drives by degaussing or overwriting them.
"There have been cases where remnants of credit card and social security numbers were left on these devices or classified military or government data was being pulled out of hard drives left in these devices when they were decommissioned," says Gordon.
In fact, he notes printer memory can be a liability even before it goes to the great scrapyard in the sky: "Hackers have also perpetrated bogus service calls posing as copier service technicians in order to steal proprietary IP from devices still in service."
Now, not just anyone can easily hack every device with RAM. "Many of these devices have proprietary OSs such that you cannot break the code with less than a high level of security knowledge," says Ondrej Krehel, CISO of IDentity Theft 911. However, when these devices process documents, the system often stores the document in three different formats in three different places, including PDF files dropped in temporary folders on the user's computer, explains Krehel.
If there is nothing in the security plan to account for this system behavior, the data becomes as vulnerable as the user's computer is.
5. Test systems and development environments
The enterprise should test new systems before deploying to the production environment. That's clear.
However, when IT or developers use live data in test systems, they can expose whatever information is typically handled by the departments for which the enterprise has slated those systems. If live data, including PII or intellectual property, is left on the test system, people on the test team and departmental end users who are testing the system may be able to get to it, says Ruben Obregon, former CISO at a medium-sized non-profit organization.
"And if the test data remains on a hard drive that is reused later, still others could reach it," Obregon says.
"I have seen production data make its way into development environments that lack the same controls normally found in production. Whether those are access, encryption, or integrity controls, all bets are off when people move this data into an environment that is not quite as locked down such as development or QA," says Bellis.
"I have witnessed issues where production data was migrated to a less controlled environment and, despite nothing but good intentions, managed to end up on completely open environments such as consultant laptops and portable devices," he says.