Top 4 Ways to Outsmart a Phishing Scam

March 21, 2022 at 6:37 pm by Amanda Canale

Do you have what it takes to outsmart a phishing scam? Let’s find out!

First, a bit about phishing: for those who may not be familiar with the term, phishing is a cyberattack method carried out via email. An email is sent to an individual with the intention of breaking into the recipient’s email account, computer, or network.

Typically, the phishing email will ask the recipient to perform some form of task, whether it is to open an attachment, click on a link, send gift card codes, or send along sensitive information. These links and attachments are typically malware-infected and allow the hackers to gain access to your computer, network, and more, which can have detrimental consequences.

It is important to note that phishing is not a new cyberattack tactic. Phishing has been one of the most common attack methods and has only become increasingly complex the further we get into the Digital Age. That said, upgrading your cybersecurity software and educating your staff on how to spot and report phishing emails are just two ways to better protect you and your organization’s data. And speaking of educating your staff, read on to learn the top four ways you and your team can spot a phishing email.


Red Flag #1: An Urgent Request for Login Information, Sensitive Information, or Money

Today, it is increasingly easy to get in touch with one another; there’s the telephone, text message, FaceTime, Microsoft Teams chat, Zoom call, calendar invite, and more. It’s safe to say that if your supervisor (or any member of upper management) needs to speak with you on an urgent matter, they’re going to find a way to contact you directly. If an email allegedly coming from your boss or CEO is threatening negative consequences, or even termination, if you do not complete their task, it’s probably a phish. This is a type of scare tactic used to rush the recipient into getting their request completed as soon as possible.

In addition (and it should be common sense), if your boss needs you to send her login information or sensitive information, take a moment and ask yourself, “if this person were really your boss, wouldn’t she have her own access to that information and logins, especially if she is in upper management?” We’re not saying you should ignore every request for information from upper management, but if the request seems a little fishy (pun intended), take a moment to give the sender a quick call or follow up with them in a separate email (using the email address you know belongs to them) to confirm their request.

The same should go for any request for money or gift card activation codes. A colleague, regardless of title and status, should not be requesting monetary items from you via work emails. This is usually a clear sign of a phish; as we suggested above, take a moment to follow up with that person in real time to confirm their request.

Red Flag #2: Misspelled Name and/or Email Address (When Impersonating Someone You Know)

Now, these attempts don’t come from just any John Doe; hackers do their research to make sure the “sender” looks like it is quite literally coming from your supervisor, company president, client, or…pretty much anyone you know based on social platforms and public company directories.

That being said, it’s now time to break out your magnifying glass and bifocals because we’re moving on to proofreading the urgent request with a fine-tooth comb. Some phishers are lazy, so it may be fairly easy to spot a phish simply by looking closely at the spelling of the sender’s email address (and even the spelling of any names that are mentioned).

Since two email accounts cannot share the same address, hackers have to get creative with the spelling of email addresses when impersonating someone. A quick scan may miss the typos and misspellings, so it’s best to take the extra few seconds to make sure the sender is using the correct domain and spelling of their name. Also be on the lookout for the number 1 replacing an L or an I and other such crafty substitutions.


Red Flag #3: Bad Grammar and Overall Spelling Mistakes

Most of the time, phishing scams do not come from a particular person but rather from a bot or a spell-check tool whose output doesn’t always translate well. Be on the lookout for major spelling and/or grammar mistakes; this red flag will be an easy one to spot.

Red Flag #4: Illegitimate Links

Whatever you do, do not click the blue link! 

One tricky way phishers hook their victims is by using illegitimate links. You can inspect a link without activating whatever malware sits behind it by simply hovering your cursor over the link for a second or two to see a preview of the URL. If the preview is anything different from what the link says it’s supposed to be, report it to your IT manager for a more in-depth evaluation.
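The two mechanical checks in Red Flag #2 (look-alike sender domains) and Red Flag #4 (the link preview not matching the link text) can be automated for a mail gateway or a help-desk triage script. The following is an added example, not code from SEM or this post; the confusable-character table, the trusted domain list and the sample email body are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Characters phishers commonly swap for look-alikes (Red Flag #2). This table is
# constructed for the example; extend it for the domains you actually protect.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "|": "l", "5": "s"})


def normalize(domain: str) -> str:
    """Lower-case, fold look-alike characters, and collapse 'rn' into 'm'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def lookalike_domain(sender: str, trusted_domains):
    """Return the trusted domain this sender imitates, or None.
    A sender on an exact trusted domain is not reported as a look-alike."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted_domains:
        return None
    folded = normalize(domain)
    for trusted in trusted_domains:
        if folded == normalize(trusted):
            return trusted
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def mismatched_links(html: str):
    """Red Flag #4 in code: links whose visible text shows a URL or host name
    that differs from where the href really points. Returns
    (visible text, real target host) for each such link."""
    collector = _LinkCollector()
    collector.feed(html)
    suspicious = []
    for href, text in collector.links:
        shown = re.search(r"(?:https?://)?[\w.-]+\.[a-z]{2,}", text, re.I)
        if shown and _host(shown.group(0)) != _host(href):
            suspicious.append((text, _host(href)))
    return suspicious


# Constructed sample message body, not a real phish.
SAMPLE_EMAIL_HTML = (
    '<p>Your password expires today. Please '
    '<a href="http://login.examp1e-verify.net/x">https://portal.example.com/login</a>'
    ' now, or read <a href="https://example.com/help">our help page</a>.</p>'
)

if __name__ == "__main__":
    print(lookalike_domain("ceo@examp1e.com", {"example.com"}))
    print(mismatched_links(SAMPLE_EMAIL_HTML))
```

Links whose text is plain words ("our help page") are not flagged by this check, because there is no displayed URL to compare against; those still need the hover-and-look habit described above.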

To summarize, sometimes all it takes is a few extra seconds to carefully read over requests (and maybe a “better to be safe than sorry” forward to your IT department) to spot a phish. As a final note, we want to stress that it takes more than a simple spellcheck to keep you and your organization’s information secure. Upgrade your security software, implement two-step verification logins, train your employees, and collaborate with your IT department to identify other security measures you can take.

Shredding Security Levels

January 20, 2022 at 8:17 pm by Amanda Canale

When it comes to the destruction of end-of-life media in the US market, there are very strict guidelines and laws that address how classified, top secret, and controlled unclassified information (CUI) should be disposed of and securely destroyed, as determined by the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST). For example, the NSA mandates specific particle sizes for top secret and/or classified data that resides on all forms of media, and evaluates and lists end-of-life information destruction solutions for this purpose. For a list of media destruction solutions evaluated and listed by the NSA, click here.

However, most other guidelines and laws that apply to other types of government and commercial information do not provide specific destruction particle sizes to ensure the most effective solution. Most simply indicate that media should be destroyed with the use of a shredder or other destruction solution. In industries like healthcare, finance, banking, education, and more, the importance of the proper disposal of end-of-life media is better defined; however, the particle size specifics tend to be left open to interpretation.

DIN standards are issued by the Deutsches Institut für Normung (the German Institute for Standardization), a non-government organization that serves as the national standards body for improving rationalization, safety, environmental protection, and quality assurance between the government and the public. While often not mandated, DIN guidelines serve as a widely accepted global standard that also provides clarity to vague end-of-life information destruction requirements.

Enter DIN 66399. This standard provides particle size guidelines for the destruction of information residing on a wide range of media, and it defines the protection categories that determine which level applies.

Q: What is the DIN Standard 66399?

A: DIN 66399 has become a globally accepted security standard for the shredding or destruction of all types of data media.

Q: Who is it for?

A: It sets out responsibilities regarding the protective security required for commercial organizations, government departments, and individuals, to help them make an informed choice of the correct equipment to guarantee all levels of secure destruction.

Introducing the Three Protection Categories

Class 1: for the normal protection required for internal data where disclosure would have a negative impact on a company or a risk of identity theft of an individual.

Class 2: for the higher protection of confidential data where disclosure would have a considerably negative effect or could breach legal obligations of a company; or offer a risk of adverse social or financial standing of an individual.

Class 3: for very high protection for confidential and top secret data which if disclosed could have terminal consequences for a company or government entity, and have a health and safety or personal freedom risk to individuals.

However, at the end of the day these regulations and protection categories are guidelines. Businesses and organizations should always err on the side of caution when it comes to the destruction of end-of-life data. It’s important to remember that a data breach is a data breach no matter the level of impact…and no matter when it takes place. There is no statute of limitations when it comes to compromised data: just because the information wasn’t misused then doesn’t mean it won’t happen in the future. Therefore, it is always best practice to adhere to the above regulations when it comes to your data destruction.

Six Media Categories

The DIN Association also defines six media format categories in which information may reside. They are as follows:

  • P: Paper based products
  • F: Film based products including micro-film, microfiche, slides, etc.
  • O: Optical media including CDs, DVDs, and Blu-ray Disks
  • T: Magnetic data media like floppy discs, ID cards, magnetic tapes and cassettes, etc.
  • H: Hard drives from computers, laptops, and external devices
  • E: Electronic data media like memory sticks, cards, solid state drives, mobile phones

Seven Specific Security Levels

Example: P = Paper media requirements (protection category, media, security level, and particle size requirement for each level)

  • Class 1, P-1: 12mm strips or maximum particle surface area of 2,000mm²
  • Class 1, P-2: 6mm strips or maximum particle surface area of 800mm²
  • Class 1, P-3: 2mm strips or maximum particle surface area of 320mm²
  • Class 2, P-4: Maximum cross-cut particle surface area of 160mm² with a maximum strip width of 6mm = 6 x 25mm
  • Class 2, P-5: Maximum cross-cut particle surface area of 30mm² with a maximum strip width of 2mm = 2 x 15mm
  • Class 3, P-6: Maximum cross-cut particle surface area of 10mm² with a maximum strip width of 1mm = 1 x 10mm
  • Class 3, P-7: Maximum cross-cut particle surface area of 5mm² with a maximum strip width of 1mm = 1 x 5mm
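The paper levels above have two different shapes of rule: P-1 to P-3 accept either a strip no wider than the stated width or a particle under the stated area, while P-4 to P-7 require a cross-cut particle within both the area and the strip-width limit. Encoding that lets you check a shredder’s spec-sheet particle size against the level a policy requires. The code below is an added example, not SEM’s software; the "or"/"with" reading of the table is this example’s interpretation, and the spec-sheet values at the bottom are constructed, not real product figures.

```python
from dataclasses import dataclass
from typing import Optional

# DIN 66399 paper (P) levels exactly as listed in the table above.
# Levels 1-3: strip no wider than strip_width_mm OR particle no larger than
# max_area_mm2. Levels 4-7: cross-cut particle within BOTH limits. Reading the
# table's "or" / "with" wording this way is this example's own interpretation.
PAPER_LEVELS = {
    1: {"max_area_mm2": 2000, "strip_width_mm": 12, "cross_cut": False},
    2: {"max_area_mm2": 800,  "strip_width_mm": 6,  "cross_cut": False},
    3: {"max_area_mm2": 320,  "strip_width_mm": 2,  "cross_cut": False},
    4: {"max_area_mm2": 160,  "strip_width_mm": 6,  "cross_cut": True},
    5: {"max_area_mm2": 30,   "strip_width_mm": 2,  "cross_cut": True},
    6: {"max_area_mm2": 10,   "strip_width_mm": 1,  "cross_cut": True},
    7: {"max_area_mm2": 5,    "strip_width_mm": 1,  "cross_cut": True},
}


@dataclass(frozen=True)
class Particle:
    """Output of a shredder: strip width, plus length for cross-cut machines.
    length_mm=None means a continuous strip (strip-cut shredder)."""
    width_mm: float
    length_mm: Optional[float] = None

    @property
    def area_mm2(self) -> Optional[float]:
        return None if self.length_mm is None else self.width_mm * self.length_mm


def protection_class(level: int) -> int:
    """Map a security level to its protection class (1-3 -> 1, 4-5 -> 2, 6-7 -> 3)."""
    return 1 if level <= 3 else 2 if level <= 5 else 3


def meets_level(particle: Particle, level: int) -> bool:
    rule = PAPER_LEVELS[level]
    area = particle.area_mm2
    if rule["cross_cut"]:
        # Levels 4-7: a finite particle inside both the area and width limits.
        return (area is not None and area <= rule["max_area_mm2"]
                and particle.width_mm <= rule["strip_width_mm"])
    # Levels 1-3: a narrow enough strip is sufficient on its own...
    if particle.width_mm <= rule["strip_width_mm"]:
        return True
    # ...otherwise a cross-cut particle under the area limit also qualifies.
    return area is not None and area <= rule["max_area_mm2"]


def highest_level(particle: Particle) -> int:
    """Highest P level the particle satisfies (0 if it meets none)."""
    return max((lvl for lvl in PAPER_LEVELS if meets_level(particle, lvl)), default=0)


def check_shredder(particle: Particle, required_level: int) -> dict:
    """Compare a machine's output against the level a policy requires."""
    achieved = highest_level(particle)
    return {
        "required": f"P-{required_level} (Class {protection_class(required_level)})",
        "achieved": f"P-{achieved}" if achieved else "none",
        "compliant": achieved >= required_level,
    }


if __name__ == "__main__":
    # Constructed spec-sheet values: 4 x 40mm cross-cut, 6mm strip-cut, 1 x 5mm cross-cut.
    for spec, need in [(Particle(4, 40), 4), (Particle(6, None), 4), (Particle(1, 5), 7)]:
        print(spec, check_shredder(spec, need))
```

Note how the 4 x 40mm machine reaches P-4 (area 160mm², width under 6mm) but not P-5, because P-5 caps the strip width at 2mm regardless of area; and a 6mm strip-cut machine only reaches P-2, since from P-4 upward a continuous strip never qualifies.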

Maximum Shred Size for Other Media

Each row gives the code and security level for the remaining media categories (F = film, O = optical, T = magnetic data media/tape, H = hard drives, listed as “Magnetic” in the original table, and E = electronic media, as in the six categories above), followed by the maximum particle size or the required condition.

  • Class 1, level 1: F-1 160mm²; O-1 2000mm²; T-1 Inoperable; H-1 Inoperable; E-1 Inoperable
  • Class 1, level 2: F-2 30mm²; O-2 800mm²; T-2 Split; H-2 Damaged; E-2 Split
  • Class 1, level 3: F-3 10mm²; O-3 160mm²; T-3 2000mm²; H-3 Deformed; E-3 160mm²
  • Class 2, level 4: F-4 2.5mm²; O-4 30mm²; T-4 320mm²; H-4 2000mm²; E-4 30mm²
  • Class 2, level 5: F-5 1mm²; O-5 10mm²; T-5 160mm²; H-5 320mm²; E-5 10mm²
  • Class 3, level 6: F-6 0.5mm²; O-6 5mm²; T-6 10mm²; H-6 160mm²; E-6 1mm²
  • Class 3, level 7: F-7 0.2mm²; O-7 0.2mm²; T-7 2.5mm²; H-7 10mm²; E-7 0.5mm²

Q: How does SEM meet these requirements?

A: As a supplier of information destruction systems for the past 50 years, SEM is a leader in providing solutions to meet all destruction levels outlined in the DIN 66399 guidelines. From machines that can shred paper and optical disks to hard drives and data tapes (and more!), SEM has the answer.

Data Privacy Day 2022

January 18, 2022 at 1:59 pm by Amanda Canale

Every year on 28 January, the National Cybersecurity Alliance (NCA) creates an informative and engaging social media campaign in an effort to bring awareness to the general public about data security and protection best practices. The international campaign is called Data Privacy Day (DPD), and heavily encourages people to comply with privacy laws and regulations, but also serves to educate people on how to protect and manage their personally identifiable information (PII).

Even in the age of Big Media, millions of people are unaware of the various ways their PII is being used, collected, shared, and even sold. The annual campaign is targeted towards anyone with any sort of online presence. This internationally recognized day was initially established in 2008 in North America as an extension of Data Protection Day in Europe, which has been observed since 1981 and commemorates the first legally binding international treaty to recognize data privacy concerns.

In 2022, the NCA has expanded Data Privacy Day into a week-long initiative called Data Privacy Week. The week, lasting from 24-28 January, offers steps, goals, and webinars that individuals and organizations alike can take on and attend as a way of encouraging transparency about how customer data is being used.

You can find a full list of Data Privacy Week events here on the NCA’s website. Below, we break down the major takeaways both individuals and organizations should take from the week-long event.

Individual Level: Keep It Private

When it comes to keeping our PII and personal health information (PHI) safe, it is crucial that we follow data security and privacy best practices as that information is extremely valuable to hackers and thieves. Certain information such as your IP address, purchase history, and location can offer hackers a wealth of knowledge as to your income, spending habits, card information, and where you live. Remember, identity theft is not a joke!

If it helps to understand the criticality of keeping your information safe, imagine each piece of identifying information (whether it be your IP address or your credit card statements) as having a monetary value. According to the IBM and Ponemon Institute report, the cost of an average data breach in 2020 was approximately $3.86 million. While most of these costs are from business reputation maintenance and regulatory fines, the costs can still add up when it’s your PII on the line. (Read more in our blog here.) You wouldn’t willingly give up money from your personal wallet, so be sure not to do the same with your information.

NCA Recommended Steps to Take:

Understand the privacy/convenience tradeoff

Today, before you can even use most apps, they will ask you for access to personal information ranging from geographic location to contacts and photo albums. By allowing access to these very personal and private forms of information, you may be offering up much more than necessary. For example, why does a mindless gaming app need access to my contacts and location in order for me to play? It is best to make an informed decision: weigh whether or not the information they are asking for is really necessary, how the benefits weigh against the tradeoff, and whether you really need the app at all.

Manage your privacy

Once you deem an app worthy of your time and phone storage, take an extra moment or two to review the app’s privacy and security settings, and adjust them to your comfort level as necessary. You can use the NCA’s Manage Your Privacy Settings page as a guideline on how you can check your favorite app’s settings. 

Protect your data

While data privacy and data security are not interchangeable, they are in fact a packaged deal. Use best practices such as creating long and intricate passwords, utilizing multi-factor authentication when possible, and using a password manager to keep your passwords secure and up to date. 

Organization Level: Respect Privacy

According to a recent Pew Research Center study, approximately 79% of adults in the US are concerned about how companies use their personal data. As an organization, the privacy of your consumers’ and customers’ data should be your utmost concern. By respecting their data and being transparent, an organization instills trust which will in turn enhance reputations and company growth. 

NCA Recommended Steps to Take:

Conduct an assessment

Regardless of whether your company operates locally, nationally, or globally, it is important to understand the privacy laws and regulations of the area in which your business operates and to ensure they are being followed. In addition, evaluate your security measures and who has access to individuals’ personal information, and screen any outside partners and vendors as well to ensure they are not misusing your consumers’ information.

Adopt a privacy framework

Find a privacy framework that works best for you, your organization, and your consumers to help mitigate potential risk and implement a privacy culture within your organization. The NCA recommends reviewing the following frameworks to start: NIST Privacy Framework, AICPA Privacy Management Framework, and ISO/IEC 27701 – International Standard for Privacy Information Management.

Educate employees

By creating an office culture surrounded by data privacy and data security, you are educating your employees on not only how to keep their personal information safe but how to better serve your consumers and their information. Engage staff by asking them how they view your current privacy culture, implement mandatory training and webinars, and consistently assess your current standards. 

In addition to these methods, transparency about how you collect, use, and share consumer information is crucial. Be up front and honest with your clients, users, or consumers about what they can expect their information to be used for, and offer them settings that protect their information by default.

And lastly, when your information-bearing media reaches end-of-life — whether hard drives, portable IT storage, or even paper — securely destroy it to prevent leaks and data breaches down the road.


How to — and How to NOT — Destroy SSDs at End-of-Life

November 24, 2021 at 4:01 pm by Amanda Canale

Since the first days of chat message boards and social media profiles, we’ve all heard the saying, “don’t put all of your information online because it never truly goes away.” The same can be said for end-of-life data and information on solid state drives (SSDs): once information is on there, it’s next to impossible to fully remove. Aside from implementing a secure, in-house destruction plan, there are numerous methods we do not recommend using. Let’s break some of those down.

Degaussing

A major misconception when it comes to data destruction is that destruction methods for hard disk drives (HDDs) and solid state drives (SSDs) are interchangeable. We hate to burst your bubble but…that’s false! Degaussing is simply not an option for the destruction of end-of-life data on SSDs. Solid state drives and optical media do not require it as part of the destruction process because they do not have an inner magnetic, rotational platter that can be scrambled like HDDs do.

However, crushing and/or shredding is recommended. Since SSDs can store vast amounts of information on such small chips, even tiny, intact fragments can hold a plethora of sensitive or private data. This means that every single SSD chip must be properly destroyed and done so in a machine specifically designed to destroy solid state media and produce particles small enough to ensure that no data can be retrieved. 

Recycling and/or Throwing Away

While we always support taking the greener route, trying to recycle your end-of-life drives cannot be done securely and is not recommended. Unfortunately, the majority of our waste and recycling ends up in landfills and dumpsters which are literal gold mines for hackers and thieves. 

In addition, it is often reported that on average, recyclables and waste sit on sorting floors for up to four weeks before finally being destroyed. To top it off, recycling and waste is hardly ever transported securely, making it easy for people to intercept and access your most sensitive information, putting you at even more risk of a possible breach.

Deleting and/or Overwriting

While methods such as cryptographic erasure and data erasure would allow the drive to be used again, they are not secure and foolproof destruction methods. Information, whether encrypted or unencrypted, can still linger behind on the drive and be accessed, even if it has previously been deleted or overwritten.

ITAD

ITADs, or information technology asset disposition companies, are third-party vendors that sanitize and destroy end-of-life data and drives. While these companies can be quite appealing, we at SEM do not recommend utilizing them when disposing of your end-of-life data. While there are some reputable ITAD and data sanitization companies out there, the risk may not be worth the convenience. Security risks can be unpredictable and potentially catastrophic, as it can be far too easy for ITAD vendors to misuse, mishandle, and misplace drives during transportation, destruction, or disposal. It has also been reported that some vendors sell end-of-life devices and their sensitive information to online third parties.

Other (Un)Worthy Methods

  • Running over SSDs with your car
  • Roasting your SSDs over a fire
  • Giving your SSDs a swimming lesson
  • Physical destruction with a blunt object

By physically destroying SSDs with an appropriate shredder or disintegrator, companies are choosing the most secure method of data destruction as this is the only way to be certain that the end-of-life data has been properly destroyed. SEM SSD crushers are ideal for lower volume data center destruction of solid state media, while our shredders are recommended for higher volume destruction. SEM SSD disintegrators provide the most complete chip destruction and the highest level of security, destroying SSDs and chips to the NSA’s mandated 2mm final particle.

What You Need to Know About Cybersecurity Awareness Month

October 15, 2021 at 3:15 pm by Amanda Canale

In 2004, the National Cyber Security Alliance (NCSA) and the US Department of Homeland Security launched Cybersecurity Awareness Month in an effort to heavily encourage, educate, and assist citizens in staying safe online and in protecting their information. In addition to this annual month-long campaign, the NCSA also runs a campaign every January 28 called Data Privacy Day (but that’s a story for a different blog).

Every year in October, the NCSA creates an engaging and informative campaign in order to raise awareness about cybersecurity. This year’s theme is “Do Your Part. #BeCyberSmart” and there is a sub-theme for each week during the month of October.

Week 1 – Be Cyber Smart

Knowing the basics of cybersecurity, such as creating strong passwords, using multi-factor authentication, keeping secure data backups, and staying current with software updates, will only further protect you from cyberattacks. Some of these basic “cyber life skills” also include knowing the proper destruction method your data requires, how to properly destroy paper documents and hard drives, and memorizing record retention schedules.

Unfortunately, even knowing the basics won’t always be enough to prevent ourselves from getting in our own way. One of our blogs details the top five human error blind spots and offers other helpful basic tips to help you and your team become more #CyberSmart.

Week 2 – Fight the Phish

We’re all human and we all make mistakes. It’s inevitable! However, not all are without consequences. According to a 2019 study, more than 80% of reported data security incidents were caused by phishing attacks. By interacting with suspicious email links, attachments, and senders, your risk of falling victim to a phishing scam rises. In today’s modern age, hackers and thieves have become even more creative when it comes to these kinds of scams. If an email or email address looks a bit off to you, it’s always best to either ignore it or send it to your IT department to investigate.

Week 3 – Explore. Experience. Share.

This week is led by the National Initiative for Cybersecurity Education (NICE), an organization dedicated to promoting careers in the cybersecurity industry. Their messaging ranges from showcasing resources and programs (especially to encourage participation in more marginalized groups) to highlighting the demand for jobs in this field. According to their website, the Department of Labor predicts that IT and cybersecurity jobs will “be among the fastest growing and best paying jobs over the next decade.”

Week 4 – Cybersecurity First

Regardless of the kind of business or organization, having proper cybersecurity protocols and methods in place (in addition to proper in-house end-of-life data destruction!) should always be a priority. This final week of Cybersecurity Awareness Month is dedicated to educating individuals on making cybersecurity a top priority and not an afterthought. Data breaches are, unfortunately, no longer a possibility of “if” but “when.” 

IBM and Ponemon Institute reported that the cost of an average data breach in 2020 was approximately $3.86 million, a staggering 10% rise over the past five years. These costs can range anywhere from money lost and reputation maintenance to regulatory fines and ransomware, not to mention other direct and indirect costs. When comparing the cost of one of SEM’s Model 0101 at $5,066 (and an average lifespan of ten years) to a possible data breach resulting in millions of dollars, the right answer should be simple: by purchasing in-house end-of-life data destruction equipment, your company is making the most cost-effective, safest, and securest decision. The NCSA and everyone at SEM understand that some companies may want to cut corners and save costs; however, we strongly agree that cybersecurity should come first and foremost, and that it is worth every penny in the long run.

To find out more about Cybersecurity Awareness Month, visit their website here.

Are Printers and Copiers Stealing Your Information?

August 2, 2021 at 6:15 pm by Amanda Canale

Copiers, printers, and document scanners are just as much office staples as any other piece of equipment (aside from, probably, an actual stapler). While these kinds of devices are not typically designed to store sensitive data, they may be harboring more data than you think. Everything from new employee records, tax forms, HR documents, and other kinds of personally identifiable information (PII) to unclassified or classified information is a ticking time bomb. In this blog, we discuss how hackers can tap into your copiers and scanners and steal your private information.

Since approximately 2002, most digital copiers and printers have used hard drives that store and manage all the data, documents, and images you are copying, printing, and scanning. Mix that with their web-based interfaces, and now your office serves as the perfect cocktail to lure in online hackers. (In layman’s terms, this means that your copiers are essentially giant computers and vulnerable to all sorts of cyber-attacks!)

Most digital copier manufacturers offer some sort of data security feature that involves encryption and/or overwriting to ensure the safety of whatever information you are printing, copying, or scanning. So hopefully, your office’s IT department has already either installed the software to protect you and your data from cyber-attacks or has a system in place to securely sanitize that data. It’s important to discuss your device’s security features with your IT department since each device is different; you should know whether your device’s memory is automatically wiped, needs to be manually wiped on a preset schedule, or something else altogether. Depending on what those features entail, a schedule should be put in place to ensure a routine is followed.

Some practices you and your team can integrate into your routine are using authentication or additional verification methods that include a mix of a password, card swipe, biometric information, or other similar methods. By implementing more preventive measures, you can help lower your risk of cyber-attacks.

Remember when we said that copiers are essentially giant computers? Well, that also means that their hard drives work the same as computer drives in that overwriting a drive is vastly different than reformatting or deleting. According to the Federal Trade Commission (FTC), simply deleting the data or reformatting the copier’s hard drive “doesn’t actually alter or remove the data, but rather alters how the hard drive finds the data and combines it to make files: The data remains and may be recovered through a variety of utility software programs.” Like other hard disk drives, methods such as cryptographic erasure and data erasure would allow the drive to be used again, but these are not secure and foolproof destruction methods. Information, whether encrypted or unencrypted, can still linger behind on the drive and be accessed, even if it has previously been deleted or overwritten. (You can read more about how not to destroy hard drives in our previous blog post.)
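The FTC point above, that deleting or reformatting only changes how the drive finds data, is easy to see on a toy model of a drive. The following is an added example, not SEM’s or the FTC’s code: the layout (16 blocks of 64 bytes and an in-memory directory mapping names to block numbers) is invented and models no real filesystem, and the "SSN" marker is a constructed sample string, not real data.

```python
# Toy "platter": a flat byte array split into fixed-size blocks, plus a directory
# that records which blocks belong to which file. Invented layout for illustration.
BLOCK_SIZE = 64
BLOCK_COUNT = 16


class ToyDisk:
    def __init__(self) -> None:
        self.raw = bytearray(BLOCK_SIZE * BLOCK_COUNT)  # the bytes on the platter
        self.directory = {}                              # file name -> block numbers
        self._free = list(range(BLOCK_COUNT))

    def write_file(self, name: str, data: bytes) -> None:
        blocks = []
        for offset in range(0, len(data), BLOCK_SIZE):
            block = self._free.pop(0)
            chunk = data[offset:offset + BLOCK_SIZE]
            start = block * BLOCK_SIZE
            self.raw[start:start + len(chunk)] = chunk
            blocks.append(block)
        self.directory[name] = blocks

    def read_file(self, name: str) -> bytes:
        return b"".join(self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]
                        for b in self.directory[name]).rstrip(b"\x00")

    def delete_file(self, name: str) -> None:
        """'Delete': drop the directory entry and mark the blocks free. Bytes untouched."""
        self._free.extend(self.directory.pop(name))

    def quick_format(self) -> None:
        """'Reformat': discard the whole directory. Every byte is still there."""
        self.directory.clear()
        self._free = list(range(BLOCK_COUNT))

    def overwrite_free_space(self, fill: int = 0) -> None:
        """Sanitize: overwrite every block the directory no longer references."""
        in_use = {b for blocks in self.directory.values() for b in blocks}
        for block in range(BLOCK_COUNT):
            if block not in in_use:
                self.raw[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE] = bytes([fill]) * BLOCK_SIZE


def raw_occurrences(disk: ToyDisk, marker: bytes) -> int:
    """What a raw scan of the platter finds, ignoring the directory entirely."""
    return disk.raw.count(marker)


def demo() -> dict:
    """Three fresh disks: one deleted, one reformatted, one overwritten.
    Report how many copies of the marker a raw scan still finds on each."""
    marker = b"SSN 000-00-0000"  # constructed sample, not real data
    record = b"Employee record. " + marker

    deleted = ToyDisk()
    deleted.write_file("tax-form.txt", record)
    deleted.delete_file("tax-form.txt")

    formatted = ToyDisk()
    formatted.write_file("tax-form.txt", record)
    formatted.quick_format()

    sanitized = ToyDisk()
    sanitized.write_file("tax-form.txt", record)
    sanitized.write_file("readme.txt", b"Nothing sensitive here.")
    sanitized.delete_file("tax-form.txt")
    sanitized.overwrite_free_space()

    return {
        "after_delete": raw_occurrences(deleted, marker),
        "after_quick_format": raw_occurrences(formatted, marker),
        "after_overwrite": raw_occurrences(sanitized, marker),
        "survivor_intact": sanitized.read_file("readme.txt") == b"Nothing sensitive here.",
    }


if __name__ == "__main__":
    print(demo())
```

Only the overwrite pass removes the marker; deleting and reformatting leave it fully readable to anything that scans the raw bytes rather than asking the directory. On a real drive the same logic is why overwriting is a different operation from deleting, and why degaussing and physical destruction remain the end of the road for magnetic media.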

When it comes time to destroy your copier’s end-of-life hard drives, it is always best practice to conduct destruction and degaussing in-house. To ensure the secure destruction of your data, SEM recommends always following NSA standards and degaussing all magnetic media, including hard disk drives (HDDs), prior to physical destruction in a shredder or crusher.

By degaussing the drive prior to physical destruction, organizations are choosing the most secure method of data destruction per NSA guidelines as this is the only way to be certain that the end-of-life data has been properly destroyed. When magnetic media is placed in one of our degaussers, powerful magnetic fields essentially scramble and sanitize the magnetic tapes and drives, eliminating all sensitive information from the device. This crucial step securely renders the drive completely inoperable. Once the device has been degaussed, it should be physically destroyed. This two-step method of degaussing and physical destruction — mandated by the NSA for classified media — is without a doubt the most secure method of sanitization for magnetic media such as HDDs.

Solid state drives (SSDs) and optical media cannot be degaussed, so it is critical that each and every chip on a solid state board is destroyed in order to properly sanitize the data. Depending on media type, crushing, shredding, or disintegrating is recommended. It is also important to remember that a data breach is a data breach, no matter the level of impact. At SEM, we have solutions to securely destroy any type of media on any type of device, ensuring your end-of-life data stays where it belongs: at the end of its life.


Your Phone Knows What You Did Last Summer: 8 Places Your Data is Living That May Surprise You

July 6, 2021 at 8:00 am by Amanda Canale

According to a 2018 study by MightySignal, there are more than 1,000 different mobile apps available that contain some sort of location-sharing and tracking code. These codes are typically used to gather information on the public’s shopping patterns to help developers make money on targeted ads. Unfortunately, this isn’t the only kind of data some of them are gathering. In this blog, we break down eight different places your data is living that may surprise you.

Dating Sites/Apps

We all want to find love, and today with a plethora of dating apps available, it’s never been easier. However, you may be telling potential partners and app developers more than what’s in your dating profile. Apps such as Tinder and Hinge request and require access to your location in order to find potential matches in your general area.

While filling out your likes and dislikes, your location, and what you do for work may be normal things to share with your dates, putting them on your public profile for all potential suitors to see can potentially cause more harm than good. Not to mention, a large chunk of dating apps ranging from Tinder and Plenty of Fish to Hinge and OKCupid are owned by one single company: Match Group. Match Group’s numerous apps reserve the right to share data with one another, even if you’re only using one of their apps.

Photo Editing Apps

Whether it’s adding bunny ears, erasing a blemish, or making your selfie look like it was taken on a vintage Polaroid, everyone loves a good photo filter. However, most photo filter apps require, or at the very least request, access to your entire camera roll rather than the one photo you want to edit. (Remember the saying, “a picture tells a thousand words”? Imagine what kind of personal information your entire camera roll can share!) In addition, many photo editing apps also link to social media apps, which not only makes way for a seamless snap, edit, and post, but also creates a direct access link to all of your social media profiles that potential hackers could exploit.


Weather Apps

Rain or shine, there’s always a small risk your data could be leaked. While you’re not at a moderate or high risk of your data being stolen from your favorite weather app, your location and location history are still being tracked and can be collected by other apps if they are linked together.

Social Media Accounts

Since the early 2000s, the popularity of social media profiles has grown exponentially, with the most popular ones being Facebook, Twitter, Instagram, and Snapchat. It’s now commonplace in our society for social media users to document their entire lives online in the form of vlogs, blogs, and TikToks, meaning there’s less and less of our lives that isn’t posted online. As more people share more and more personal information, the push for stricter user privacy laws and regulations grows.

It’s always best practice to not share too much information online that can be personally identifying, such as your address, personal contact information, work location, etc. Utilize your social media accounts’ and mobile devices’ privacy settings, and remove any contact information and data from the social media sites you no longer use.

Gaming Apps

In 2018, a COPPA (Children’s Online Privacy Protection Act) study found that in approximately 20% of children’s apps, developers included code that collected and distributed personally identifiable information (PII) without confirming parental consent. The information gathered by these apps often ranges from the child’s name and email address (or the parent’s, depending on whose device is being used) to home and mailing addresses and parent information.

Mobile Wallets

Mobile wallets are a hassle-free way to pay for groceries, gifts, and more without having to dig through your wallet or purse to find your credit cards. It’s convenient being able to store all of your payment options in one place, but that convenience makes the security of your digital wallet all the more important. Be sure to enable your phone’s security features, protect your phone and digital wallet with a password, fingerprint, or other authentication method, and avoid using public Wi-Fi when accessing sensitive data.


Rental Cars (Smart Phone Connection)

You may want to rethink syncing your driving playlist or connecting your GPS to your rental car on your next road trip. If you connect to your rental car via Bluetooth, your rental car can store previous locations, phone number, call log, and even contacts, making it much easier for the next renter to hack your information. Make sure you check your permissions, avoid connecting your mobile device to the car’s infotainment system, and delete any information from the system before returning the car.

Old Laptops and Drives

By now, we all know that simply erasing information from a laptop, tablet, or drive is not enough to keep your information safe. When erasing data off a drive, it’s possible for both unencrypted and encrypted information to linger and become fair game for hackers. While methods such as cryptographic erasure and data erasure would allow the drive to be used again, they are not secure and foolproof data destruction methods. Information, whether encrypted or unencrypted, can still linger behind on the drive and be accessed, even if it has previously been deleted or overwritten.

Unfortunately, the further we get into the Digital Age, the more personal information we knowingly (and unknowingly) share, the more information developers collect about us, and the higher the chances of a potential data breach become. While many apps, developers, and businesses claim to only be interested in tracking the public’s patterns and not identities, the information they are gathering can technically be described as personally identifiable information (PII). Tracking an individual’s location as they go to work, the gym, home, and even their doctor’s office can easily lead to identifying that individual. The average app, whether Android or Apple, has approximately six different data trackers embedded in it, while some applications request access to more information than what is needed.

We understand that not every app or rental car company is trying to steal your data; apps that track jogging routes or utilize the option to share your location with your loved ones serve legitimate purposes. We at SEM stress that individuals should opt for the “Ask App not to Track” option in their device’s personal settings, only share their information with legitimate apps, and be mindful about where they offer up their information.

To sanitize your end-of-life laptops and drives, we recommend revisiting some of our old blogs on hard drive destruction misconceptions and ways to NOT destroy your drives for more information. Regardless of the catalyst for your drive destruction, it is always best practice to conduct destruction and degaussing in-house and to follow NSA standards. At SEM we have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation.

Top 5 Human Errors That Could Risk A Data Breach

June 3, 2021 at 5:06 pm by Amanda Canale

We’re all human. We all make mistakes. It’s inevitable! Unfortunately, there are times when our mistakes have consequences. Sometimes those consequences are small and sometimes…they’re not as easy to sweep under the rug. In this blog, we break down the top 5 ways human error can lead to a potential data breach.

Weak Passwords

According to a 2020 study by Verizon Data Breach Investigations, approximately 81% of all data breaches are caused by cybercriminals easily hacking accounts that are so-called “protected” by weak passwords. By not adhering to password guidelines, failing to offer password training to your team, and not implementing multi-factor authentication procedures, businesses continue to put their cybersecurity at risk.

With that being said, what exactly constitutes a weak password? Weak passwords are any sort of phrase or term that is common, short, or predictable, such as the owner’s name, birthday, or the literal word “password.” Instead, use a longer password made up of a mix of upper and lowercase letters, numbers, and symbols to help keep your password and data safe. Essentially, the more complex the password, the harder it is for cybercriminals to hack your information.
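The red flags just listed (common, short, or predictable) can be turned into a concrete policy check. The following is an added example written for this post, not SEM’s code; the common-password list and the sample personal details are constructed, and a real deployment would check candidates against a breached-password corpus rather than a handful of literals. It returns every reason a password fails, so the user can fix all of them at once, and includes a rough entropy estimate to show why length matters more than a single symbol.

```python
"""Password policy check for the weak-password red flags described above.
Added example (not SEM's code). COMMON_PASSWORDS is a constructed sample;
use a breached-password list in practice."""
import math
import re
from typing import List, Sequence

# Constructed sample of commonly used passwords.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou",
}
MIN_LENGTH = 12  # assumed policy minimum


def _leet_normalize(s: str) -> str:
    """Undo common substitutions so 'P@ssw0rd' is recognised as 'password'."""
    table = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s",
                           "5": "s", "!": "i"})
    return s.lower().translate(table)


def password_weaknesses(password: str, personal_terms: Sequence[str] = ()) -> List[str]:
    """Return the reasons a password is weak; an empty list means it passes.

    personal_terms: strings predictable for this user (name, birth year, ...).
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    # 'Password2024!' is still 'password' once trailing digits/punctuation go.
    core = re.sub(r"[\d!?.]+$", "", password.lower())
    if _leet_normalize(password) in COMMON_PASSWORDS or _leet_normalize(core) in COMMON_PASSWORDS:
        reasons.append("common password")

    for term in personal_terms:
        t = term.lower()
        if len(t) >= 4 and (t in password.lower()
                            or _leet_normalize(t) in _leet_normalize(password)):
            reasons.append(f"contains predictable personal term '{term}'")

    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("uses fewer than three character classes")

    if re.fullmatch(r"(.)\1*", password):
        reasons.append("single repeated character")
    return reasons


def estimate_entropy_bits(password: str) -> float:
    """Brute-force entropy estimate: length * log2(size of the character pool
    actually used). Overestimates for dictionary words, so use it only as a
    lower-bound sanity check alongside password_weaknesses()."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"\d", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    # Constructed samples: a textbook-weak password and a long passphrase.
    for pw in ("P@ssw0rd", "Alice1998xyz", "correct-Horse-battery-7"):
        print(pw, estimate_entropy_bits(pw), password_weaknesses(pw, ("alice", "1998")))
```

Note that the entropy figure rewards length far more than symbol variety: a 23-character passphrase scores well above 100 bits while an 8-character word with a capital and a symbol stays under 60, which is the practical argument behind the "longer password" advice above.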


Lack of Cybersecurity Knowledge

In the modern digital age, the world of cybersecurity has only become more intricate and advanced. Bad news? Most of us need to step up our game when it comes to protecting our data. Good news? You don’t have to be an IT wizard to do so!

Here are just a few of the most common mistakes, and how to avoid them:

  • Using public Wi-Fi without a VPN when accessing sensitive data such as bank accounts, work emails, etc. Without a secure network or VPN, it’s much easier for hackers to get their hands on your information.
  • Interacting with suspicious email links and attachments. Hackers and thieves have only become more creative when it comes to phishing emails. If an email address is a letter or two off, or if that email from your boss asking you to purchase gift cards to send them doesn’t necessarily sound like them, it’s always best to either ignore it or send it to your IT department to investigate.
  • Using insecure devices. Whether it is an external hard drive or USB stick, be wary of using just any random external device, which could potentially be carrying malicious code designed to steal your information.
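The "a letter or two off" sender address in the second point is something a mail filter or help desk script can flag automatically. The following is an added example, not SEM’s code or any product’s: it compares the sender’s domain against a constructed list of trusted domains using edit distance plus a fold of character pairs that render alike (rn vs m, 0 vs o, 1 vs l), which is how most lookalike domains are built. Domains and addresses in it are constructed samples.

```python
"""Classify an e-mail sender as trusted, lookalike or external.
Added example (not SEM's code). Trusted domains and addresses are constructed."""
from typing import Iterable


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum inserts/deletes/substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _fold_lookalikes(domain: str) -> str:
    """Collapse character pairs that look alike in most fonts."""
    return (domain.lower().replace("rn", "m").replace("vv", "w")
            .replace("0", "o").replace("1", "l"))


def sender_domain(address: str) -> str:
    """Extract the domain from 'x@y' or 'Display Name <x@y>'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(address: str, trusted_domains: Iterable[str],
                    max_distance: int = 2) -> str:
    """Return 'trusted' (exact match), 'lookalike' (within max_distance edits
    or identical after folding look-alike characters) or 'external'."""
    dom = sender_domain(address)
    trusted = {d.lower() for d in trusted_domains}
    if dom in trusted:
        return "trusted"
    for t in trusted:
        if _fold_lookalikes(dom) == _fold_lookalikes(t) or levenshtein(dom, t) <= max_distance:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed samples: the company domain plus four incoming From: headers.
    TRUSTED = ["example.com"]
    for hdr in ("ceo@example.com", "CEO <ceo@exarnple.com>",
                "ceo@examp1e.com", "Jane Doe <jane@othermail.test>"):
        print(f"{hdr:35} -> {classify_sender(hdr, TRUSTED)}")
```

A "lookalike" verdict is a signal to route the message to IT for review, exactly as the bullet above suggests; it is not proof of fraud, since a legitimately mistyped reply-to can trip the same check, which is why the script classifies rather than blocks.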

Mishandling of Data When Transporting

In May 2006, the U.S. Department of Veterans Affairs announced that a data breach had compromised the records of 26.5 million veterans. Among the private and sensitive information that was stolen were names, dates of birth, and Social Security numbers, in addition to other personally identifiable information (PII). The breach was found to be caused by a Veterans Affairs data analyst who had taken computer equipment home that contained the unencrypted information of all 26.5 million affected veterans. The laptop and hard drive were then stolen from the analyst’s home during a burglary, which ultimately led to the breach.

Another example of insecure transportation is the 2011 breach of military health program TRICARE. The breach occurred when a TRICARE employee was tasked with transporting devices carrying the healthcare information of 4.9 million subscribers to an off-site storage facility as part of the company’s routine backup procedure, and the employee’s car was subsequently burglarized.

While we’re sure neither one of the employees mentioned above had intended to have their home and vehicle burglarized, unfortunately, that is a risk we all face. It’s the unpredictability of others that we must keep in mind when transporting physical media. To read more about the importance of storing physical media that is awaiting destruction, read one of our previous blogs.


Using Outdated/Unauthorized Software

Rule of thumb: combat cybercriminal efforts by making sure your software is always up to date and is reputable. It is far too easy for cybercriminals to compromise sensitive data when your software is not up to date. Check with your business’s IT department to make sure you are not ignoring any updates or downloading unauthorized software. It’s also important to note that one should never disable their software’s security features, especially if it is on a work-issued computer or laptop. Your online shopping can wait until you are in the safety of your own protected network and home.

Third-Party Vendors

As we’ve stated in previous blogs, by introducing third party data sanitization vendors into your end-of-life destruction procedure, you significantly increase the chain of custody, and subsequently face a far higher risk of data breaches. There have even been reports of some vendors selling end-of-life devices and their sensitive information to online third parties!

We understand that while there are reputable data sanitization vendors out there, it can be far too easy for ITAD (IT asset disposition) vendors to misuse, mishandle, and misplace drives when in transportation, during destruction, and disposal. (Remember when financial institution Morgan Stanley announced that an ITAD vendor had misplaced computer equipment storing customers’ personally identifiable information?)

At SEM, we suggest getting rid of ITADs altogether if they are part of your end-of-life destruction procedure simply because of how unpredictable they can be, and the potentially catastrophic consequences should a breach occur.

A common denominator in the data breaches above is not only human error but the mishandling of drives containing sensitive information during storage and transport. We understand that destruction does not always happen immediately after the drives and data are deemed end-of-life. Businesses may not have the proper equipment in-house or the budget to outsource destruction, which is why we at SEM stress that precautions and protocols should be in place to securely store and protect all data once it reaches its end-of-life.

Following all these tips can help protect your most sensitive information. As always, it is important to remember that a data breach is a data breach, no matter the level of impact. At SEM we have an array of various high-quality NSA listed/CUI and unclassified degaussers, IT crushers, and enterprise IT shredders to meet any regulation when the time comes to destroy your end-of-life data. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your personal or regulated destruction needs.

HAMR vs. MAMR: What’s the Difference?

May 14, 2021 at 5:59 pm by Amanda Canale

Before we get into the nitty gritty differences between HAMR and MAMR and what they are, we want to give a quick refresher on hard disk drives (HDDs) and solid state drives (SSDs).

HDDs

Hard disk drives (HDDs) are a type of data storage device that use rotating disks, platters, and magnetic material to store and retrieve data. HDDs also contain actuator arms that read and write data while the rotational platters spin. While HDDs are cheaper and can store more data than their counterpart the SSD, they are slower and susceptible to data loss when interacting with magnets due to their internal magnetic material.

When it comes to destroying end-of-life HDDs, SEM always suggests best practices per the National Security Agency (NSA). Depending on the information stored on HDDs, they should always be destroyed either by shredding or crushing; however, if a drive contains classified information, degaussing prior to destroying the drive is required. Degaussing is the process by which a drive’s magnetic field is essentially scrambled, making the data and drive completely inoperable. Once degaussed, the drive should then be crushed or shredded by an NSA approved crusher or shredder. Combined, this is by far the most secure method of data sanitization for HDDs.


SSDs

Solid state drives (SSDs) are another type of data storage device that store data using integrated circuits. Unlike HDDs, SSDs do not include an actuator head and instead store information in cells that can be retrieved instantaneously. SSDs are also considerably faster than HDDs, causing computers to run much more quickly. The downside? SSDs store less data per drive and can be significantly more expensive.

Since SSDs do not contain magnets, they cannot be degaussed. Therefore, they must be destroyed by a machine that is SSD-specific given the necessary final particle size. The final particle size is crucial to ensuring that none of your SSDs’ information is left behind. Since SSDs do not contain rotational platters, any small chip that is not destroyed can potentially contain proprietary information and get into the wrong hands. The NSA requires that end-of-life SSDs containing classified information be destroyed to a final particle size of 2mm or less. Drives containing other kinds of information can be destroyed in an SSD disintegrator, shredder, or crusher.

Now let’s get to it! Technical lingo aside, the two main techniques used to increase a hard disk drive’s capacity are adding more platters to the drive in order to increase its density, or adding more bits (or pieces of data) on a disk. Heat-assisted magnetic recording (HAMR) and microwave-assisted magnetic recording (MAMR) are just two steps in the evolutionary trajectory of data storage management.

HAMR

Heat-assisted magnetic recording (HAMR) applies laser-generated heat to the drive’s grains as data is being written, temporarily reducing the media’s magnetic hardness. This allows the drive to flip the grains’ magnetic polarity, and therefore the bit value, through the temperature change. This method uses recording material that is less prone to thermal instability, leading to smaller recording bits in HDDs and greater stability and reliability of the media.

MAMR

Microwave-assisted magnetic recording (MAMR) uses a different technique to accomplish essentially the same goal. Instead of laser-powered heat, MAMR uses 20-40 GHz frequencies to bombard the HDD’s disk platter with circular microwave fields. During this method, the drive’s actuator head uses a spin-torque oscillator that creates an electromagnetic field near the write pole at a lower magnetic field strength, which enables denser and more reliable drives. Unlike HAMR, MAMR can flip the domain’s magnetic polarity much more easily.

While both methods serve essentially the same purpose of lowering magnetic hardness to increase storage capacity, some experts cannot seem to agree on which is more sustainable. While MAMR technology is expected to increase an HDD’s capacity from 4 TBpsi to approximately 40 TB, HAMR can only increase its capacity from 2 TBpsi to between 20 and 40 TB. HAMR supporters claim that the laser technology allows drives to spin for much longer and with fewer issues, whereas MAMR supporters claim that high heat actually causes a drive to burn out faster.

It is important to note that HAMR drives cannot be degaussed at this point. Conversely, MAMR drives CAN be degaussed; that said, a question remains on the required gauss level to fully sanitize MAMR drives. Existing degausser technology is such that residual data remains on degaussed MAMR drives even when using a 20,000 gauss NSA listed degausser. It is therefore accepted within the industry that existing NSA listed degaussers will be insufficient to sanitize HAMR and MAMR drives and that these drives will need to be either disintegrated to 2mm or incinerated at end-of-life.

Applying to College: What Happens to Your PII Once You’re Accepted?

April 27, 2021 at 1:50 pm by SEM

College applications. For a lot of people, just reading those two words can bring back a swarm of flashbacks of awkward college essays, endless SAT prep, and countless hours spent anxiously awaiting that giant envelope announcing your acceptance into your dream school. While this time can be exciting for many people, it’s also a time spent filling out application after application detailing all your personally identifiable information (PII). But what happens to those applications, and that information once you’ve been accepted?

Colleges and universities are bound by a federal law called “The Family Educational Rights and Privacy Act” (FERPA), which ensures that the information provided by and in relation to students is kept private. The law also states that if the information provided is no longer needed, it must be discarded in a manner that securely protects the information.

For context, FERPA is administered by the Family Policy Compliance Office in the US Department of Education and applies to all educational agencies and institutions that receive funding under any program administered by the department. Private schools at the elementary and secondary levels generally do not receive such funding and are therefore not subject to FERPA. Private post-secondary institutions, however, generally do receive funding and are therefore subject to all FERPA guidelines and regulations.

While FERPA addresses a variety of issues, such as access to education records and the amendment and disclosure of records, it also makes provisions and gives guidance on the protection of the information. It is within this segment of the law that institutions are obligated to protect the privacy of the data and to effectively destroy or eliminate data that is no longer needed in a controlled and secure manner.

How is this data destroyed?

Personal data resides on many forms of media, including but not limited to paper, hard drives, data tapes, optical disks, and more. Paper documents can easily be destroyed by feeding the end-of-life documents into a paper shredder. Many institutions use in-house cross-cut paper shredders for this purpose while others may deploy an outside service to shred the paper. If an office or institution utilizes an outside service to destroy their paper documents, they are usually stored in a locked cabinet or receptacle that only the outside service has access to. While these documents are securely stored in the meantime, SEM will always recommend in-house data destruction to ensure secure destruction. By opting for a third party vendor to handle your end-of-life destruction, the number of safety risks can be immeasurable. It can be far too easy for an ITAD vendor to mishandle, misuse, or even lose drives and/or paper when in transportation, being sorted by staff, and in the actual acts of destruction and disposal. (Some third party vendors have even been known to sell the data they are given to online third parties!)

Unfortunately, many college applications are now submitted virtually through applications like CommonApp and through institutions’ online portals. This means that the destruction of their electronic media is a bit more challenging. Again, there are outside services that perform this function, but they do not come without their own set of consequences. For hard drives, it is best practice to degauss any end-of-life drive prior to destruction. SEM degaussers use powerful magnetic fields to sanitize the magnetic storage media which renders the drive completely inoperable. This can in turn potentially save an institution more time and money in the long run by preventing a breach of any kind and ensuring their applicants’ PII stays safe.

At SEM, we specialize in providing secure and effective in-house solutions to numerous educational facilities around the country. We have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your institution’s destruction needs.