Employers and their employees are increasingly educated on how to protect their PC-based data, and an increasing number opt to have that data securely destroyed when the device in question is retired. When it comes to IoT smart devices such as printers, copiers and smartwatches, however, the awareness is much less present. Not everyone realizes that the computer is no longer the only device that stores data.
The Harvard Business Review recently reported on an IBM Security and Ponemon Institute study, which found that nearly 80 percent of organizations do not properly test their IoT apps to ensure they meet security standards. According to 451 Research, only a little over a quarter of companies are not using IoT in their infrastructure to capture data. If businesses are not being secure with their IoT devices that are in use, it implies that they are not aware of the security risk that they could pose later on down the line. Education on how to erase and destroy IoT data is now a priority.
When dealing with IoT-enabled smart devices, businesses need to be cautious. Smart device data destruction should be treated every bit as seriously as computer hard drive data sanitation.
Printers and copy machines
HP made waves in May 2017 when it released its first video short aimed at raising cybersecurity awareness. “The Wolf” had a high profile cast and director and followed a hypothetical journey of how a hacker used a printer and several other smart devices to steal corporate data. When left behind, thrown out, or sold, network-enabled printers need to be first purged of saved passwords and other sensitive information.
Luckily, the entire printer does not always need to be destroyed. Some devices, such as the HP OfficeJet 8040, provide instructions on how to remove the hard drive without damaging the rest of the device. Once the drive is removed, it should be degaussed and shredded to completely guarantee the risk aversion.
Copiers are another common item in the office workplace that can utilize a hard drive to store data. Like printers, most will automatically save passwords and settings – turning them into potential backdoors into an otherwise secure office network after they’re retired. CopierGuide stresses the need for companies to have a disposal plan in place for decommissioned machines.
“100 percent of smartwatches were vulnerable to cyber attacks.”
Devices like the Apple Watch and the Samsung Gear are rapidly beginning to augment the smartphone. According to a report from Business Insider, the smartwatch segment is poised to ship 70 million units by 2021. Smartwatches store much of the same data as smartphones and already function as part of the BYOD ecosystem. A 2015 HP study showed that 100 percent of smart watches were vulnerable to cyber attack, meaning a watch that’s disposed of improperly can easily be hacked.
Any workplace-mandated wearable should be disposed of properly when no longer in use. As these wearables function with flash memory, shredding and incinerating are likely the two best options to ensure complete data destruction.
Recreational smart devices and gaming consoles
Workplaces are increasingly becoming aware of employee stress and are taking steps to prevent burnout. One popular method is to provide a gaming console for recreational use during downtime. While this device usually more than satisfies employee morale, it presents yet another hard drive full of secure information. This contains – but is not limited to – saved network passwords and credit card information.
In addition, once-simple machines like thermostats have entered the IoT space. These are frequently left behind when the office changes location and are often not thought of because they are affixed to the wall and – up until recently – have never stored more information than the temperature.
Gaming hard drives should be degaussed and shredded. Smart thermostats are more tricky as they frequently cannot be taken apart easily. Companies should use caution: It is better to sanitize the whole device than potentially allow data to fall into the wrong hands.
Corporate cars are nothing new but smart cars are. Most smart cars interface directly with a smartphone, meaning that an employee’s address book and account settings can easily end up in a dashboard. The same goes for any employees who need to rent a car and then store information on that automobile. What was originally corporate data stored on a computer can easily move to an employee’s phone that then connects with the rental car.
Companies should be quick to institute policies around erasing car data and take what steps they can to procure storage media containing personal data when the vehicle is retired or sold. A blog article from IBM security researcher Charles Henderson recounts a story of car data that was never fully deleted, despite his best efforts. Upon selling his car, Chris deleted all personal data, rebooted the phonebook, disconnected every device link that he owned and severed the link to the garage door. Despite this extensive wipe, the car remained visible on his home management app.
Old devices have always been security hazards and thanks to the IoT, the number of devices is expanding dramatically. Locks, cameras, and even lights are quickly turning into additional data storehouses of confidential company information. These devices – particularly cameras designed to store hours of employee footage (which may contain them entering passwords, confidential reports, lock combinations) need to have their data handled with the utmost care. Companies should view every smart device as a potential threat. Employees need to be educated on proper data sanitization techniques for more than just computers and smartphones. As IoT technology becomes more permeating, cybersecurity awareness must rise to balance it.