Panama Papers are Biggest Data Leak Yet

April 11, 2016


If cyber hackers can unearth the financial secrets of Russian President Vladimir Putin, do you really think your company is safe from the same thing?

Panama Papers: “History’s Biggest Data Leak”

News of the “Panama Papers” is filling newspapers and websites across the globe this week, in what The Guardian is calling “history’s biggest data leak”.

Hackers have unearthed the financial secrets of some of the world’s most powerful people, detailing how many international politicians, business leaders and celebrities used the Panamanian law firm Mossack Fonseca, the fourth-largest offshore law firm in the world, for unseemly financial transactions.

The Panama Papers are 11.5 million documents taken from the files of Mossack Fonseca by an unnamed source and turned over to a German newspaper. Information from this leaked data continues to spill out, and the repercussions already include the prime minister of Iceland resigning on April 5, the president of Transparency Chile, a branch of a global anti-corruption group, stepping down on April 4, and the CEO of a large Austrian bank resigning on April 7.

Others named in the massive data breach include the presidents of Argentina and Ukraine, the prime minister of Pakistan, a king from Saudi Arabia, the former emir of Qatar, and Argentine soccer star Lionel Messi. A Russian cellist who is a close confidant of Putin has also been named in the documents.

As the fallout from this massive data leak continues to reverberate around the world, it’s a great reminder that every company is at risk of a data breach. If the world’s richest and most powerful people can have their most confidential information hacked, cyber hackers can seemingly get anywhere they set their minds to.

Is your company safe?

While nearly half of all organizations experienced a data breach in the last year, a recent report by AIIM (Association for Information and Image Management) showed that a quarter of respondents felt that their senior managers did not take the risk of data privacy breaches seriously.

This report comes on the heels of a 2015 IBM survey of more than 700 C-level executives, in which almost three-quarters of CEOs named ‘rogue individuals’ as the largest threat to organizations. In reality, 80% of cyber attacks are led by highly organized crime rings.

Too many C-level leaders have their heads in the sand and move forward with an “It won’t happen to us” mentality.

Protect your company and be proactive. Your data is everywhere these days—on hard drives and paper at the office, with volumes of information on laptops that move in and out of the office, on mobile devices and cloud storage—these are all entities that need to be managed from the C-level on down.

IBM’s study revealed that almost two-thirds of C-level executives in marketing, human resources and finance departments acknowledge they are not actively engaged in cyber security strategy and execution. Cyber security is at a point now where it simply has to go beyond the IT department. Criminals are targeting any department where personally identifiable and financial information resides.

Senior managers have to commit to information security before an organization can fully adopt a culture of security. Employees will follow the example set by their managers.

The Panama Papers put another spotlight on cyber security. Even the richest and most powerful are at risk.


Maxxum Conducts Tech Disposal Research Study

February 3, 2016


Maxxum recently conducted a tech disposal research study with a simple objective in mind: We wanted to understand your world and how we can make technology disposal easier and safer given the challenges you face in today’s digital environment.

The overriding result of this study is that organizations still engage in risky technology disposal behavior, even as data breaches continue to increase in frequency and severity. We were quite happy to find that Maxxum customers rate our services more positively than those of other technology companies, especially in the key areas of recycling, security, and compliance, which respondents cited as the most meaningful to their organizations.

In this ever-evolving digital age it’s increasingly important to dispose of technology assets using a safe and compliant program. At Maxxum, we’re committed to helping you retire your technology in a documented, secure, and sustainable way.

Tech Disposal Research Proves the Importance of Proper Asset Disposal

Our tech disposal research study gathered responses from highly regulated, risk-averse organizations in health care, insurance, medical device manufacturing, financial services and education.

The most alarming finding from our research is that 40 percent of respondents stated that they use disposal methods outside of a professional tech disposal service, including donating equipment and giving old computers, monitors, etc. to employees. Just because your office is done with a computer doesn’t mean the sensitive information it holds is gone.

We stress this to our clients and say it elsewhere on our website: you may face legal ramifications if you don’t dispose of your data and drive assets properly. If your sensitive data leaks, you’ll have to answer to the law and to your customers.

As one might expect, the most important elements for organizations, the key drivers, are process and documentation, recycling and reuse, and security at destination. We’re happy to report that Maxxum customers ranked our service particularly high in those three areas versus other companies.

To see more of the tech disposal research study survey results, contact us for a copy of our white paper.

4 Questions to Ask Your Technology Disposal Company

November 3, 2015


When you’re ready to dispose of your old technology assets, do so with the support and guidance of people whose job it is to stay on top of the ever-evolving regulatory and security requirements: a certified compliant and dependable technology disposal company.

4 Things You Need to Know About Your Technology Disposal Company

We’ve outlined a few questions to ask your technology disposal company:

1. Are they certified for data destruction and environmental compliance?

With so many stories about data breaches and information leaks dominating the news over the last few years, most organizations are a little spooked about how they’re disposing of their used technology assets.

You may face legal ramifications if you don’t dispose of your data and drive assets properly. If your sensitive data leaks, you’ll have to answer to the law and to your customers. Financial penalties can be quite harsh, and a tarnished reputation can have long-term consequences.

Environmental compliance laws have become far more strict over the last decade, and getting hit with environmental penalties is a bad “look” for any organization. Now more than ever, it’s important to vet a technology asset disposal company to ensure they have industry certifications for both security and environmental compliance.

2. Do they understand the resale market?

Your technology asset disposal company should know the resale market inside and out in order for your organization to get the best return on the equipment it’s retiring.

PCs, laptops, and servers that are less than three to four years old retain value, even if they’re no longer of use to your company. If you’re ready to dispose of your technology assets, why not recover that value? Remarketing your technology assets is an opportunity to recoup some of the initial investment or cover some or all of the disposal costs.

Your technology asset disposal company should understand price trends on the resale market and help your organization plan ahead and determine when your assets will turn from revenue generators to cost creators. They should help you plan to refresh your technology cycles to ensure that you get the optimum value on your old equipment.

3. How do they document data destruction and disposal?

Find out from any potential provider how they document their full process. There are too many points along the way in the disposal process where your organization could be left liable for mistakes made by your provider.

Disposing of data can have security, financial, and software asset management implications. Proper documentation can shield your company from financial and legal penalties. You should be provided with a Certificate of Data Destruction and a detailed inventory report, as well as a report to show the environmental impact that your responsible recycling is having.

4. Can they serve all of your locations?

Technology asset disposal can be a pretty complicated matter. From drive sanitization to environmental compliance, there are numerous reasons to rely on a proven and trusted technology disposal company.

Don’t forget to ask about logistics. Your vendor has to have experience that allows them to serve all of your sites and the logistical capability to properly handle all of your assets.

If you have multiple locations, make sure you hire a disposal company that can handle your work load and that understands the different regulations that might be in play in each of your locations.


6 Reasons to Properly Dispose of Technology

September 23, 2015


We’ve said this before, and we’ll keep saying it: just because used technology gets unplugged and leaves your building, that doesn’t mean the data on it dies. While ensuring that your data doesn’t end up in the wrong hands is reason enough to make sure you dispose of technology properly, it’s far from the only reason.

Look around your office. If it’s like most, it probably looks a lot different than it did five years ago. Computers, phones, copiers and just about everything else associated with office work has changed dramatically. And, they’re going to keep changing.

Technology is advancing faster than just about anybody can manage. With everyone constantly upgrading to the latest, “next best thing,” it begs the question, “what’s happening to all of the old stuff?”

There are Several Good Reasons to Dispose of Technology

Here are six reasons to do so, and all of them can affect your company’s bottom line and reputation.

  1. Criminal Penalties

As the world around us continues to demand faster and more complete access to information (better technology), there is now a more robust policing of used technology disposal.

Depending on your industry, the laws and rules that govern how you dispose of technology can fall under one or more of the following: HIPAA (healthcare), EPA (environmental), FDA (pharmaceuticals and medical devices), FCC (broadcast and phone providers), PCI regulations (credit card data), Sarbanes-Oxley (financial services), Gramm-Leach-Bliley (banking), PII (personally identifiable information) and FACTA (credit reports).

The repercussions of criminal penalties go without saying and can impact each of the remaining reasons we list.

  2. Executive Fines and Incarceration

With information being such a high value commodity in this technological age, punishments are now catching up to the heft of the crime. Companies are now tasked with responsibly disposing of their used technology. Cavalier behavior with information can now lead to huge fines and even jail time depending on the case.

  3. Civil Penalties

Civil penalties are fines imposed by government agencies as restitution for wrongdoing. Check any business page or television news broadcast and it won’t take you long to realize that both State and Federal agencies are recognizing the growing exposure related to information security. Fines can add up quickly and not only damage your company’s bottom line, but your reputation as well. 

  4. Litigation Costs

One of the misconceptions about technology disposal is that all liability for data is transferred once the technology leaves the building. Too often that’s not the reality, and it’s the reason many companies are blindsided by lawsuits even when they believed that things had been done correctly. Nobody wants litigation, because it gets expensive very quickly.

  5. Diminished Stock Prices

Perception is almost as powerful as reality when it comes to the value of stocks. Any of the above can lead to a negative perception of your company, whether it’s founded or not. If the perception of your company is diminished, your company’s stock will be as well.

  6. Public Relations Fallout

The old adage that any publicity is good publicity doesn’t hold true here. Your company’s reputation is damaged if any of the above events occur. As technology becomes increasingly integrated into our daily business and private lives, data security is more important than it’s ever been. Understand your responsibility and ensure that old technology is disposed of properly. Your reputation depends on it.

Ponemon: Data breach costs now average $154 per record

June 10, 2015

The per-record cost of a data breach reached $154 this year


by Maria Korolov | May 27, 2015

According to a report released this morning by IBM and the Ponemon Institute, the per-record cost of a data breach reached $154 this year, up 12 percent from last year’s $145.

In addition, the average total cost of a single data breach rose 23 percent to $3.79 million.

Loss of business was a significant, and growing, part of the total cost of a data breach. Higher customer turnover, increased customer acquisition costs, and a hit to reputation and goodwill added up to $1.57 million per company, up from $1.33 million the previous year, said Ponemon Institute chairman and founder Larry Ponemon.

Ponemon analyzed results from 350 companies in 11 countries, each of which had suffered a breach over the past year.

Data breach costs varied dramatically by industry and by geography.

The US had the highest per-record cost, at $217, followed by Germany at $211. India was lowest at $56 per record.

Sorted by industry, the highest costs were in the health care industry, at an average of $363 per record.

The reason, said Caleb Barlow, vice president at IBM Security, is because the information in a medical record has a much longer shelf life than that of, say, a credit card number.

“With credit cards, the time frame from the breach to mitigation is very short,” he said.

The credit card company just has to cancel the old credit card number and issue a new one.

“But the health care record can be used to establish access in perpetuity,” he said, pointing out that health care records include a wealth of personal information as well as social security numbers and insurance numbers.

“It can be used to establish credit or steal your identity ten or fifteen years from now,” he said. “Once this information is out there, you can’t get the genie back in the bottle.”

And that doesn’t even include the costs of health care fraud, he added.

Factors that can impact breach costs

The Ponemon report looked at a number of other factors that could potentially influence the cost of a breach, and, unlike industry or geography, many of these factors were under management control.

For example, having an incident response team available ahead of time reduced the per-record cost by $12.60. Using encryption extensively reduced costs by $12. Employee training reduced costs by $8.

If business continuity management personnel were part of the incident response team, costs fell by $7.10. CISO leadership lowered costs by $5.60, board involvement lowered costs by $5.50 and cyberinsurance lowered costs by $4.40.

“Companies that have thought about this ahead of time, that had their board involved, that had insurance protection, that had practiced what they would do, they had a much lower cost per breach,” said Barlow. “This is really compelling. We have tangible evidence that those who were doing that had much lower costs. You don’t have days to respond — you don’t even have hours. You have minutes to get your act together.”

Among the factors that increased costs was the need to bring in outside consultants, which added $4.50 per record. If there were lost or stolen devices, costs increased by an average of $9 per record.

And the single biggest factor was if a third party was involved in the cause of a breach. That increased the average per-record cost by $16, from $154 to $170.

Costs rise with time

Ponemon found a positive relationship between the time it took to identify a breach and the total cost of the breach, as well as between the time it took to mitigate the breach and the cost.

On average, it took respondents 256 days to spot a breach caused by a malicious attacker, and 82 days to contain it.

Breaches caused by system glitches took 173 days to spot and 60 days to contain. Those caused by human error took an average of 158 days to notice, and 57 days to contain.

This story, “Data breach costs now average $154 per record” was originally published by CSO.


Privacy & Security

November 20, 2014

5 ways health data breaches are far worse than financial ones

Tom Garrubba, Senior director, Santa Fe Group and Shared Assessments Program | November 10, 2014

Remember that song Janis Joplin made famous, “Piece of My Heart”? I do, and it reminds me of the fundamental difference between financial and healthcare data breaches.

The breach of personal financial information causes stress — recovering missing funds, paying late fees or interest, worrying about credit worthiness. Ultimately, however, a person’s financial identity can be fully restored.

Not so with medical identity. Healthcare data breaches have a much more personal, longer lasting, and potentially deadly impact.

Victims are at the mercy of those who, through fair means or foul, have control of their protected health information (PHI). And several factors contribute to the costlier, deadlier effects of healthcare data breaches over financial ones.

1. High volume of healthcare data breaches.
2013 statistics from the Identity Theft Resource Center were reported in a recent Fortune.com article: 44 percent of all breaches were healthcare related, while financial service breaches were just 3.7 percent (the first time that healthcare industry breaches exceeded all others). Healthcare is again on track to lead in 2014, also according to the Identity Theft Resource Center—a dubious distinction, to be sure.
….

2. The difficulty in restoring medical identities. Victims of healthcare data breaches have fewer resources to help them.
….

3. Ignorance of the deadly consequences. Individuals don’t realize the devastating impact associated with a breach of their health records. What was presumed private—physical, mental, and prescriptive health history — could be made public and used inappropriately. This data could appear anywhere at anytime, online, in the form of cyberbullying or worse, blackmail.
….


Maxxum Recertified as a NAID® AAA Information Destruction Operations Provider

August 4, 2014



Recertification and new leading-edge service offerings help organizations satisfy rigorous electronic information protection and data destruction requirements

Minneapolis/St. Paul, MN – Maxxum Inc., a leading IT asset disposition solutions provider, has been recertified as a NAID® (National Association for Information Destruction) AAA Certified provider of asset disposition services, namely computer hard drive sanitization, as well as mobile and plant-based physical destruction of hard drives. The NAID AAA Certification Program establishes stringent standards for a secure information destruction process, covering areas such as operational security, employee hiring and screening, documented processes, responsible disposal and insurance. Working with a NAID AAA certified vendor gives organizations peace of mind, knowing that all of their information destruction legal requirements are satisfied.

“Data protection and destruction is an increasingly significant and complex issue for our clients, and with NAID AAA Certified asset disposition services and other leading edge data security services Maxxum is well positioned to help these organizations protect their sensitive information while satisfying rigorous regulatory requirements,” says Rich Woodward, president and owner, Maxxum.

The enforcement of data privacy laws, often accompanied by significant fines, is becoming more prevalent, and over the past two years Maxxum’s client base has grown some 30 to 40 percent as organizations look for help not just with satisfying data destruction requirements, but establishing sound policies and procedures to keep sensitive data secure throughout the IT lifecycle.

“Where two years ago most of our clients were based in the Upper Midwest, today we work with organizations throughout the United States and even into Canada, providing a variety of value-added services to help them efficiently and effectively solve diverse data and IT equipment protection needs,” says Woodward. “We’ve also hired additional personnel to help keep pace with the growing demand for service.”

About NAID

NAID is the non-profit trade organization of the secure destruction industry. Founded in 1994, its mission is to promote proper destruction of all forms of discarded media containing personal and proprietary information. NAID has forged strong relationships internationally with policymakers and regulators, produces an extensive catalog of guidance publications, and enforces security standards for the secure destruction industry around the world.

About Maxxum

With secure, modern facilities located near Minneapolis/St. Paul, Minnesota, Maxxum is an IT lifecycle management consulting firm that works with a strong network of clients, suppliers, and recyclers to provide cost effective IT Asset Disposition solutions throughout North America.

As a NAID AAA Certified entity, Maxxum is committed to providing the best customer service in the industry. As IT lifecycle management consultants, every program Maxxum creates is fully customized to meet the specific needs of each client. Maxxum uses industry best practices to sanitize computers and information-bearing devices, complete with Certificates of Destruction, as outlined by the Department of Defense data security standard and the National Institute of Standards & Technology (NIST) guidelines. Maxxum has a strict no-landfill policy.

Maxxum Inc., 1350 South Field Avenue, Rush City, MN 55069; 651-674-2715; www.maxxuminc.com.