Data disposal and cyber hygiene: Building a culture of security within your organization
Data breach episodes have been constantly rising with the number of data breach victims crossing 1 billion in the first half of 2024. A recent Data Breach Report 2023 by Verizon confirms that 74% of data breaches are due to human errors. Although cybersecurity awareness is at an all-time high in organizations still human error, malicious intent & privilege misuse seem to be a cause of most data breach incidents.
To build a defense against data breaches, organizations must go beyond the traditional methods of cyber hygiene and expand their domain to include policies governing data protection from creation to disposal of IT assets, safeguarding sensitive, confidential data at all stages. International Data Corporation (IDC) has predicted that in 2026, investments on cybersecurity tools, and services will reach approximately $300 billion. This indicates that cybersecurity is indeed considered a priority in organizations globally. So, why still the gap exists, and data breaches happen?
Why cyber hygiene matters?
Cyber hygiene is significant because it contributes to maintaining a strong organizational cybersecurity posture. Consistent adherence to these practices, protect data, networks, and systems from getting compromised due to malicious cyberattacks. Lack of proper cyber hygiene leads to data breach incidents, ransomware attacks, and compliance issues, causing loss of business, and reputational loss.
In fact, for organizations, compromise of business-critical information has even a greater risk because it means loss of revenue & goodwill. Client information and company data are some of the most important assets to the company that criminals can target. One point of vulnerability can risk a business’s partnerships and leave companies open to legal repercussions, so any cybersecurity strategy must include a strong focus on cyber hygiene.
What are the best cyber hygiene practices?
There are a few cyber hygiene practices that build the foundation of secure cybersecurity in an organization, which are as follows:
- Multi-factor authentication: Verifying the identity of a user with something like an OTP (one-time password) sent on email and a phone adds another layer of security so that only the rightful owners can gain access to the accounts. Similarly adding finger print verification on devices or face scans adds to protection.
- Authorized access control: Providing privileged rights to the users who need access to certain data helps in maintaining the security of sensitive information.
- Strong passwords: Keeping long, and uncommon passwords with a combination of numbers, letters, and special characters strengthens the security of profiles.
- Software updates: Updating software at regular intervals ensures that the latest security patches and bug fixes secure the installed software in the system.
- Secure data disposal: Implementation of guidelines for secure disposal of data entails rules on how data can be securely erased from devices, international standards that has to be followed (NIST 800-88) as well as providing training to employees on data erasure solutions. These protocols must be strictly followed by executives, managers, employees IT specialists, and any other person working for the company, and IT specialists should be the key persons informing other employees about these protocols.
How does data disposal benefit cyber hygiene?
The abovementioned cyber hygiene practices are a gist of the rules that lay the foundation of a strong cybersecurity posture. However, the connection between data disposal and cyber hygiene is often neglected. Secure data disposal is not only linked to proper cyber hygiene but also beneficial in strengthening the cybersecurity of an organization. Following are the benefits of disposing of data in the context of cyber hygiene:
- Secures business data: Consider a data leak situation in which the social security number of individuals got leaked in a cyberattack on an organization. Companies can face law suits, penalties for non-compliance to data protection laws & regulations like EU-GDPR, CCPA, GLBA, etc. Disposing data when it has served its purpose is important. Further inaccurate, inconsistent, incomplete, and irrelevant information is to be wiped for guaranteeing personally identifiable information (PII) of a user is not jeopardized even in the event of a data breach.
- Prevents data hoarding: Organizations store data to retrieve value from it in the future. This accumulation of data over a long period of time results in data hoarding. Proper cyber hygiene requires an organization to prioritize data minimization. Disposal of this redundant, obsolete, and trivial (ROT) data enables permanent removal of data that can become an easy target of both insider threats, and external attacks.
- Mitigating risks: Secure data erasure eliminates the risk of data recovery by unauthorized parties, or people with malicious intent. When retiring old IT assets, repurposing fully functional ones, or donating them, following secure media sanitization practices helps prevent leakage of sensitive information, and become compliant with state, federal, and global data protection laws and regulations. Organizations can timely dispose data with a secure, and certified data wiping tool like BitRaser Data Eraser that helps in meeting compliance requirements of data protection laws like EU-GDPR, CCPA, UK-DPA, HIPAA, etc.
How to build a culture of security in your organization?
The first step of any organization willing to make a security-first culture would be to include simple, clear, and transparent cyber hygiene practices in the company policies. The other steps could be as follows:
- Leader’s participation: Making a long-term change, such as a shift in the culture, is the responsibility of the leaders. There is no better way to build a security-first culture in the organization than from top to bottom. Leaders can embrace the cyber hygiene practices themselves, and lead by example. Whether it is in a one-on-one in-person discussion with an employee or via a virtual meeting in a group setting, leaders can share the cybersecurity principles that they swear by.
- Employee training: It is insufficient to upgrade system software regularly if the employees who will be the first ones to interact with these tools are not equipped enough to operate them. It is essential to train employees on the significance of embracing these security practices, and the correct way of abiding by them. Through interactive sessions that are free of technical jargon, the necessity of a strong cybersecurity posture can be communicated.
- Regular audits: Apart from the inclusion of security policies, and imparting knowledge to the employees, assessing the efficiency of these policies, and practices can guide future security decisions. Regular audits can be one of the ways to figure out if the formed policies have been appropriately implemented on the ground, and if they have been helpful in bringing out the desired results.
According to Microsoft Digital Defense Report 2022, even the basic cyber hygiene practices can help in preventing 98% of cyberattacks. However, most of the data breaches happen because of the negligence of these fundamental security practices. Embracing cybersecurity as a part of the culture can change the way in which the organization views security by not only protecting data that is not stored but also erasing data that fulfills no purpose.