How to Lower the Risk Associated with the Disposal of Organizational IT Assets
The transcript and the full video of the conversation between Kurt Greening, EVP at Securis, Greg Crabb, and Nick Crabb of TEN EIGHT Cyber appear below.
Contact Information
Gregory Crabb: https://www.linkedin.com/in/gregorycrabb/
Nicholas Crabb: https://www.linkedin.com/in/nicholas-crabb/
Kurt Greening: https://www.linkedin.com/in/kurtgreening
Website Information
Securis: https://securis.com/
Ten Eight Cyber: https://teneightcyber.com/
Assessment mentioned in the video: https://assessments.teneightcyber.com/
Kurt Greening, Securis:
For those of you who don’t know me, my name is Kurt Greening, and I am an EVP with Securis. Securis is an industry leader in IT asset disposal. Today, we are here to discuss how to lower the risk associated with the disposal of organizational I.T. assets. Greg, before we get into that topic, can you briefly introduce yourself and tell me who TEN EIGHT Cyber is?
Greg Crabb, TEN EIGHT Cyber:
Absolutely. Thank you so much, Kurt. My colleague Nick and I work together here at TEN EIGHT Cyber. We’re a cybersecurity advisory firm focused on empowering organizations to build resilience against cyber threats. And we provide a variety of different offerings. Today we’ll talk about what we’re doing in order to be able to support organizations in conducting assessments against proper I.T. asset management practices. And we provide a variety of other advisory services, anything from incident response and management to third-party risk management. So thanks for having us, Kurt. Really excited to collaborate, and Nick and I are really excited to support you.
Kurt Greening, Securis:
Yeah. Great. Yeah. We’re glad that you’re here. Nick, can you do the same thing? Introduce yourself. I understand that over the last few months, you’ve been doing a lot of research around this space. Maybe you can introduce yourself, but then also share some of the things that you found in terms of vulnerabilities, breaches, fines, really in the space of IT asset management.
Nick Crabb, TEN EIGHT Cyber:
Yeah, totally. So my name is Nick Crabb. I currently work as a cybersecurity engineer for TEN EIGHT Cyber, and I create presentations, policies, assessments, and daily threat reports every day, talking about anything from ransomware to end-of-life systems and kind of nation-state threat actors. And today I kind of want to go over some end-of-life systems that pose risks to organizations. And I’ve done a little bit of research on that. And there are two main breaches I kind of want to go over. The first one is the Filefax HIPAA violation. And this is a great example because even after shutting down, Filefax was fined $100,000 for improperly handling 2150 patient records. And they were later sold at a recycling center. And these threat actors were able to sell that information. And obviously, they had to go to court, and HIPAA was able to fine them for not properly disposing of their assets.
The next one is Morgan Stanley, and they were fined $60 million by the U.S. Treasury Department for failure on IT asset destruction. And this includes proper oversight and decommissioning two data centers, failure to track customer data, and inadequate vendor management. Now, more than ever, I think companies need to focus on IT asset destruction. And from when I was researching it, from kind of knowing nothing to knowing a lot, now I think I took a new company perspective.
It’s hard to think about IT asset destruction when you’re a new company, when you have a small inventory and new equipment. But as the years go on and the equipment that you use gets older and the inventory grows week after week, without secure IT asset destruction, policies and kind of procedures go out the window. And I think organizations can’t kind of live with the regulatory fines, legal liability, and the devastating breaches in the two kind of examples I went over.
Kurt Greening, Securis:
Yeah, I agree. I mean, it’s the big companies that tend to have the lawsuits, tend to have the fines. And obviously that creates the biggest risk of, you know, breaches of employee or customer data. So that’s a big deal. And, yeah, Nick, you didn’t mention that you produce a cyber threat report on a daily basis. I’ve seen that. I will post it in the show notes. You’re on LinkedIn for those who want to follow you, who want to make sure that they’re avoiding vulnerabilities and risk in multiple areas. So, thanks for that. Greg, I’m going to throw you a question here. So, maybe people don’t know you’re a former CISO. You served in the federal government, both in law enforcement and later as a CISO of the U.S. Postal Service. But one of the things that I’m curious about as I talk to other CISOs, I’m just curious why other CISOs might not be doing more to lower risk in this particular area.
Greg Crabb, TEN EIGHT Cyber:
Yeah, really good question, Kurt. And I’m going to kind of look at it from a couple of different lenses. The first is competing priorities. CISOs are focusing on so many different things, whether it’s ransomware prevention, supply chain attacks, all of the NIST CSF controls or CIS controls. There’s a lot there, and quite frankly, IT asset disposal gets overlooked. And there are other reasons as well. Because they’ve got so many different things going on, they might delegate that to the IT help desk function for the organization. You know, you distribute the technology, you know, you also get rid of the technology. You know, I don’t want to worry about it. You guys do it. And that also speaks to some of those business processes in that I.T. technology management, asset management track, and that many organizations don’t have a comprehensive IT asset inventory, so it makes it difficult for them to track, even if they have assets that need to be decommissioned, right? And that kind of speaks to that cross-departmental responsibility confusion that I alluded to.
So, you know, and I think we need to kind of re-examine, I think we’re getting to the point where, from a NIST and policy perspective, we need to take a look at this whole concept of encrypted hard drives and reexamine that in the face of what threat actors are doing right now, which is buying outdated hard drives and decommissioned hard drives with the hope that, you know, when quantum cryptography is developed and the ability to break that encryption arises. And so we need to look at those policies and think, you know, BitLocker is great right now, but BitLocker, in the face of the quantum threat, will not be sufficient. And, you know, is that five years from now? Is that ten years from now? We don’t know. But I don’t want any of the information that’s on my drives exposed ten years from now because we didn’t take care of our assets properly today.
Kurt Greening, Securis:
Yeah. I definitely agree with the competing priorities. And, you know, I don’t think we’re on this call to beat up CISOs because they get beat up enough, and, you know, I think just watching Nick’s threat report every day can make it difficult to get sleep at night. So, thanks for that. So, Nick, in the vein of trying not to beat up organizations, you know, we talked about some of the risks and where organizations have made mistakes, but there are probably more people that are doing things right than making mistakes. Can you provide a few examples, in terms of the research that you’ve done or companies that you’ve talked to, of things that you’re seeing them do right in terms of I.T. asset management?
Nick Crabb, TEN EIGHT Cyber:
Yeah, totally. So these are more kind of general examples. Companies that are getting their IT asset destruction process correct are typically the ones not in the news. And that makes a lot of sense. So, to ensure secure and compliant IT asset destruction, I think it’s important to align with NIST 800-88. My journey learning about NIST 800-88 was significant, and I’ve learned a lot through that. And I think some leading practitioners are Amazon, financial institutions, and government agencies, and they implement strong asset tracking and secure disposal processes. And I think that’s very important for organizations to secure all their assets after end-of-life. So organizations that maintain a comprehensive inventory and enforce proper destruction protocols not only enhance security but also build customer trust and regulatory compliance.
Kurt Greening, Securis:
Yeah, I agree, Nick. I haven’t reviewed Amazon’s policies, but I have reviewed Microsoft’s policies. And they’re pretty good in this area. I’ve also worked with some banks that have incredible I.T. asset management policies. They have really good oversight of third-party ITAD vendors. So there are definitely some people out there getting it right, and people in the industry that we can learn some best practices from. Now, Greg, switching gears and going back to you, how does getting I.T. asset management right relate to cybersecurity best practices?
Greg Crabb, TEN EIGHT Cyber:
Several lenses that Nick kind of opened us up into, I think I want to expand on. And first and foremost, it’s risk reduction. Right. Improperly disposed of I.T. assets are targets for cybercriminals, and a CISO’s role is to reduce risk for the organization. So, making sure that proper I.T. asset management practices are in place is critical. The next is really looking at this from a zero-trust perspective. When you look at both the data pillar and the device pillar, they converge at I.T. asset destruction. Right. When you look at, you know, the termination of those life cycles, they are at I.T. asset destruction. And so, to have a proper zero trust organization, based on those principles, I think you really need to look at I.T. asset destruction as an endpoint for those. And then, obviously, the regulatory compliance aspects. Nick’s talked about HIPAA. Organizations that face GDPR and the FFIEC regulations, obviously with what Nick reported on relative to Morgan Stanley, those are excellent examples of kind of the regulatory compliance requirements that exist in this area. So, you know, those are kind of the lenses that I’m thinking about relative to some of the cybersecurity best practices.
Kurt Greening, Securis:
Okay. Yeah. Great. That’s helpful. Greg, I got another question for you. So, I talked to a couple of lawyers about this area and some other risk management professionals, and they referred to, I guess, a term of having defensible IT asset management policies. Can you help our audience understand what they might be referring to?
Greg Crabb, TEN EIGHT Cyber:
Yeah. So, I think any regulated agency, or maybe that’s the DOD supply chain from a CMMC perspective or the financial services from an FFIEC perspective, defensibility, documentation, compliance and verification, those kinds of terms ring through. So, do you have a well-defined asset management lifecycle, including asset destruction policies and procedures? Are you complying with those policies and procedures? And do you have a means to verify that the performance of those controls is done in a complete manner? And so, I think it goes back to, like I say, documentation, compliance and verification.
Kurt Greening, Securis:
And Greg, I would guess that proper oversight of third-party vendors would be included in those three things.
Greg Crabb, TEN EIGHT Cyber:
Absolutely. You know, I guess I generally alluded to it when I mentioned CMMC. That’s a whole supply-chain-related body of compliance requirements. And so, by all means, having proper third-party visibility and assurance is necessary when you think about the complexities of the supply chain and any technology service provider or financial institution or government contracting context.
Kurt Greening, Securis:
Perfect, great answer, I think. I think I have a better understanding now. Nick, so I’d love to hear from you again. I understand that you and your team have actually developed an offering that’s going to help busy CISOs lower this risk in this area in particular. I think what got me excited is I talked to a number of CISOs and they said similar things: they’re busy. You know, one said, hey, you know, the most amount of time my team has spent on it is to set up a policy and then, you know, expect that the team follows it. But, you know, this particular individual did acknowledge, hey, if there was something else I could do, like maybe hire a third party to help me with this. He seemed really open to it. So, could you describe the offering that you developed, or the assessment that you developed, and then maybe let people know how they could get started with TEN EIGHT Cyber if, you know, they think, hey, I probably need to improve my I.T. asset management or my I.T. disposition practices, but maybe I don’t know my level of risk, or I don’t really know what things I should be improving on first. You know, how could they approach your team?
Nick Crabb, TEN EIGHT Cyber:
Yeah, totally. So I just want to preface first: they’re definitely cost-effective. TEN EIGHT is currently offering a few different I.T. asset disposal assessments with various tiers aligning with large and small organizations. The introduction assessment is our first one. It’s very basic, with 12 questions allowing the company to answer them on their own, and then a consultation will be scheduled with TEN EIGHT to go over and kind of go in and talk about the depth and the specific gaps in the company’s answers. We then create a report with an analysis on how the company can best improve based on that. We then have larger assessments that allow TEN EIGHT to go into the organization, which can be on-site or on a call, and we can talk about how an organization can create a comprehensive I.T. asset destruction process based on the company’s personnel, policies, and procedures. And this is all aligning with NIST 800-88. The easiest way to get started with us is to visit our website to set up an introduction meeting with TEN EIGHT, and we get to start with the company right away and kind of help them develop a strong I.T. asset destruction process that is safe and secure for not only them, but their clients as well.
Kurt Greening, Securis:
Sounds like an easy choice. And to get to TEN EIGHT Cyber, I believe it’s, is it www.teneightcyber.com? Or can you help me with that? I will post it in the show notes.
Greg Crabb, TEN EIGHT Cyber:
It’s www.teneightcyber.com.
Kurt Greening, Securis:
Thanks, Nick. Thanks, Greg. I think I learned something. I think that there’s an opportunity here, with a relatively small financial and time investment, that organizations can lower their risk in this area. And I think CISOs can have one less area to stress about. So really appreciate you guys, and thanks so much.
Greg Crabb, TEN EIGHT Cyber:
Thank you, Kurt. Really grateful for the opportunity and collaborating with Securis.
Nick Crabb, TEN EIGHT Cyber:
Yeah. Thank you, I appreciate it.