IT paranoia No. 2: Data will leak from your network unseen
Everyone in IT knows sensitive information on company hard drives and network storage devices must be secured. But where the real IT paranoia lies is with all the other places data might be lurking.
According to an August 2007 survey by the Ponemon Institute, 70 percent of data leaks come from equipment that isn't connected to the network, and not just surplus PCs, but flash drives, mobile devices, backup tapes -- even the hard drives found inside old copiers and printers.
[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
For example, in April, CBS News reported on a warehouse in New Jersey that contained more than 6,000 used copy machines, many of which housed hard drives that contained medical records data, Social Security numbers, pay stubs, and other sensitive information.
It's the hidden security breach a lot of people don't even think about, says Bob Houghton, CEO of Redemtech, an IT asset recovery and disposition firm that performs lifecycle management on devices for Fortune 500 firms.
Even organizations that think they've done a good job removing sensitive data from aging equipment often don't check their own work, he says. One out of four machines Redemtech receives still contain some amount of residual data.
"Most IT folks are not focused on this stuff," says Houghton. "They just go down a list and tick things off without scrutinizing the results. People tell you they're doing everything the right way, but the actual outcomes are never audited and reviewed for effectiveness. If you're at a senior level in an IT organization, this should keep you awake at night."
It's not just surplus equipment that IT should worry about, says Michael Howard, a security strategist for HP's imaging and printing division. Most multifunction machines come with embedded Web server software for administrative access. If left unsecured, a knowledgeable attacker can log onto the server via the device's control panel and gain administrative rights to the network. Without an admin password, these machines leave an open path to the heart of the organization.
"Lots of security breaches happen because people think, 'Oh, it's just a printer'," says Howard. "In reality, it's not just a printer; it's a computer sitting on your network."