data destruction Archives - Page 2 of 8

Centralized vs. Decentralized Destruction: What’s the Difference?

April 17, 2023 at 2:36 pm by Amanda Canale

As with most new technology, ideas, and solutions, there are pros and cons. In this month’s blog, we’re breaking down the main similarities and differences between centralized and decentralized destruction environments.

Centralized Environment

A centralized environment is, essentially, one space where all of the magic happens. Whether it is a centralized record center or destruction environment, everything that happens and everything being stored are in one location.

For example, let’s refer back to our Level 6 Data Centers: Best Practices in Security blog. The sixth level of the Google data center is known as a centralized destruction environment because all the destruction occurs in one, central space. At this level, security is at an all-time high, with very few personnel having access.

Another example of a centralized environment, but in this case a record center, is a single space where all records are kept. It could be a doctor’s office where all patient files are kept or a cloud-based system where all files and documentation are stored. Since centralized environments hold a substantial amount of information, they are typically organized by separate teams or personnel with a very high level of clearance.

CENTRALIZED ENVIRONMENT PROS:

One main pro when it comes to a centralized environment, in this case destruction, is that all of your destruction occurs in one place. There isn’t a concern for whether a drive was left on someone’s desk or an end-of-life document was misfiled since there is a system in place that requires all end-of-life drives and documentation to be in one place at the same time. This allows for a highly organized destruction plan and seamless organization system.

With a centralized environment typically comes extra security (remember, all your eggs are in one basket!), which just adds an additional level of protection. This can be in the form of more security cameras, keypads and ID badges, physical security guards, and more. Not only do centralized environments come more protected, they also allow for more opportunities for control.

CENTRALIZED ENVIRONMENT CONS:

By putting one’s eggs all in one basket, while it offers a sense of control and safety, it can also have its drawbacks. Hypothetically speaking, if someone was able to breach that centralized location, they have the world at their fingertips since everything is in one place. Servers can be hacked into, destruction solutions can be tampered with, and precious information can easily be stolen. However, this is also why extra security measures are taken, whether the environment is centralized or not.

Decentralized Environment

On the contrary, a decentralized environment is where all of the records or destruction occurs across multiple rooms, spaces, or even floors. A decentralized environment could be the same doctor’s office mentioned earlier, but where patient personal health information (PHI) is kept spread out among various storage locations, workstations, multiple servers, etc.

DECENTRALIZED ENVIRONMENT PROS:

Decentralized environments allow for data to be stored in more than one place offering more accessibility, and allowing those who need to access the data to be closer to it. By having their data in multiple and closer locations, there’s no need for long walks across the data center or building, or extra physical layers of security.

Depending on how sensitive the information is, a decentralized record center can sometimes offer more protection since there are multiple points of access and entry, which mean more opportunities for a hacker to fail.

DECENTRALIZED ENVIRONMENT CONS:

With multiple points of entry and access, also come…more money. Decentralized networks, destruction, or record environments require more upkeep, more maintenance, more storage, and more security.

The consequences of improper data destruction are endless. By opting for in-house, centralized destruction, companies have complete oversight and can be certain that your information has been securely destroyed. At SEM, we offer an array of various high-quality NSA listed/CUI and unclassified data destruction solutions, and are experts in designing and creating, implementing, installing, and servicing centralized destruction facilities across the globe. Whether it’s for the federal government, one of their agencies, or a commercial data center, we do it all. Learn more about our scalable and customizable solutions here.

Paper Shred Sizes (and What They Mean)

March 30, 2023 at 2:14 pm by Amanda Canale

When destroying any end-of-life data, whether it be paper, hard drives, solid state drives, or other forms of media, there are very strict guidelines and laws that address how classified, top secret, and controlled unclassified information (CUI) should be disposed and securely destroyed. These requirements are determined by the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST).

For further context, the NSA mandates specific final particle sizes for top secret and/or classified data, regardless of the media form. They then evaluate and list end-of-life data destruction solutions that follow these mandates for destruction. (For a list of media destructions solutions evaluated and listed by the NSA, click here, and for more information what each data classification type really means, click here.)

While the federal government and government organizations are strict when it comes to how one should destroy end-of-life information, commercial companies and industries like healthcare, finance, banking, and more, are less stringent with their destruction instructions, with some left open to interpretation.

Enter the DIN Standards. Also known as Deutsches Institut für Normung, DIN originated at the German Institute for Standardization in 1917 as a non-government organization that serves as the national standard when it comes to improving the rationalization, safety, environmental protection, and quality assurance between the government and the public. DIN is not often mandated but their guidelines serve as a widely accepted global standard while providing clarity to otherwise vague end-of-life information destruction mandates.

DIN 66399 standards specifically provide end-of-life destruction particle size guidelines for information that resides on a wide range of media – including paper – and that specifies protection categories. (You can find more in-depth information about DIN standards here.)

Even as we get further and further into the Digital Age, there is still such a high demand for paper. Some may say that paper is dead, but we know that paper will never really be dead. While the industries I listed above are not holding government secrets, they still store a lot of their sensitive and unclassified information on paper; information that needs to be securely destroyed or could result in severe consequences if it lands in the wrong hands.

Now that you have all of this background information, let’s get into why you’re here – what constitutes as a secure paper shred size?

Seven Specific Security Levels

P = Paper media requirements

Protection Category	Media Paper	Security Level	Security Level Particle Size Requirement
Class 1	P	1	12mm strips or maximum particle surface area of 2,000mm²
Class 1	P	2	6mm strips or maximum particle surface area of 800mm²
Class 1	P	3	2mm strips or maximum particle surface area of 320mm²
Class 2	P	4	Maximum cross-cut particle surface area of 160mm² with a maximum strip width of 6mm = 6 x 25mm
Class 2	P	5	Maximum cross-cut particle surface area of 30mm² with a maximum strip width of 2mm = 2 x 15mm
Class 3	P	6	Maximum cross-cut particle surface area of 10mm² with a maximum strip width of 1mm = 1 x 10mm
Class 3	P	7	Maximum cross-cut particle surface area of 5mm² with a maximum strip width of 1mm = 1 x 5mm

Here’s what each of these security levels look like:

DIN Level P-2 Paper Shred with penny for size comparison — DIN Level P-2 Paper Shred

DIN Level P-3 Paper Shred with penny for size comparison — DIN Level P-3 Paper Shred

DIN Level P-4 Paper Shred with penny for size comparison — DIN Level P-4 Paper Shred

DIN Level P-5 Paper Shred with penny for size comparison — DIN Level P-5 Paper Shred

DIN Level P-6 Paper Shred with penny for size comparison — DIN Level P-6 Paper Shred

DIN Level P-7 Paper Shred with penny for size comparison — DIN Level P-7 Paper Shred

As you can tell based on the table and photos above, P7 is the smallest, most secure particle size (aside from the 0.8mm x 2.5mm particle from our Model 344, which is half the size mandated by the NSA for classified paper). Essentially, the smaller the particle, the harder it is to put back together.

Why would you want to put a bunch of paper shreds back together? To get top secret information, of course!

Allow us to introduce the DARPA Shredder Challenge. The challenge was created by a research and development agency of the U.S. Department of Defense back in 2011. The DoD invited top computer scientists and puzzle enthusiasts to essentially reconstruct paper shreds for a grand prize.

The challenge ended when the winning team, who went by the name, “All Your Shreds Belong to US”, created an algorithm that automatically reconstructed the 10,000 pieces of paper based on various physical aspects of the shred, such as shred angle, shred size, and paper marks. Other teams used strategies ranging from crowdsourced-style methods to relying heavily on manual reconstruction.

When it comes to end-of-life data destruction, it is always best to err on the side of caution. By opting for in-house data destruction methods, you and your company or agency are making the most cost-effective, safe, and secure decision. At SEM we have an array of high-quality NSA listed/CUI and unclassified paper shredders to meet any regulation and mandate, ensuring all of your end-of-life paper stays end-of-life. Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

Data Privacy Day

January 30, 2023 at 5:10 pm by Amanda Canale

Every year on 28 January, the National Cybersecurity Alliance (NCA) dedicates the entire week and 28 January specifically to bring awareness to the public on data protection and data security best practices. Even though we are diving deeper and deeper into the Digital Age, there’s still a large population of people who are not tech savvy, or frankly, even tech literate. The annual international campaign is called Data Privacy Day (DPD), and heavily focuses on educating people, both individuals and businesses, on how to comply with privacy laws and regulations. Moving forward, this will help the public know how they can better protect and manage their personally identifiable information (PII).

Millions of people across the globe are unaware of the various ways their PII is being used, collected, and shared, with many not knowing it’s also being sold by third parties. It’s this reality specifically why the NCA targets anyone with any sort of online presence. How did Data Privacy Day get its start? This internationally recognized day was initially established in 2008 in North America as an extension of Data Protection Day in Europe, which has been in effect since 1981. It is the first legally binding international treaty to recognize data privacy concerns.

Last year, the NCA expanded Data Privacy Day into a week-long initiative called Data Privacy Week. The week-long campaign, lasting from 24-28 January, is filled with various steps, goals, and webinars individuals and organizations alike can make and attend as a way of encouraging transparency about how their PII is being used.

You can find a full list of Data Privacy Week events here on the NCA’s website. Below, we break down the major takeaways both individuals and organizations should take from the week-long event.

Data: The Story of You

While you may not think your information is important or valuable, there are plenty of people out there who would do almost anything to obtain it. When it comes to keeping our PII and personal health information (PHI) safe, it is crucial to think of your personal data as the most valuable thing you own. If you were hiding some flashy, expensive, and highly coveted family heirloom, you would do anything to protect it, right? Think of your personal information as that heirloom; it is the most precious thing you have. Critical information such as your IP address, purchase history, and location can offer hackers a wealth of knowledge as to your income, spending habits, card information, and where you live.

Know what to expect in the privacy/convenience tradeoff

Think about the last time you downloaded an app. What kind of information did you have to grant the app access to in order to use it? Share your geographic location? Grant access to your contacts and photo albums? For example, why does a puzzle app need access to my contacts and location in order for me to play? By allowing access to these very personal and private forms of information, you may be offering up much more than necessary.

When releasing or posting any private or personal information, it is best to make informed decisions on what you should do: weigh whether or not the information they are asking for is really necessary, how the benefits weigh against the tradeoff, and, honestly, if you really need the app at all.

Adjust your privacy settings

If you decide to deem that puzzle app worthy of your phone storage and time, try to take an extra moment or two to review the app’s privacy and security settings, and adjust them to your comfort level as necessary. (I know, who even reads an app’s Terms and Agreements anymore, right? Wrong! You should!) While you’re at it, delete those apps you no longer use. In addition to taking up useless storage on your phone, they could also still be collecting data about you and your habits.

You can get a head start with NCA’s Manage Your Privacy Settings page to get more information.

Protect your data

While data privacy and data security are not interchangeable, they are in fact a packaged deal. By adopting these practices, such as creating long and intricate passwords, utilizing multi-factor authentication when possible, and using a password manager you can continue to keep your passwords and information secure and up to date.

Organization Level: Respect Privacy

As an organization, your consumers’ and customers’ private data should be your utmost concern. By respecting their data and being transparent, an organization instills trust which will in turn enhance reputations and company growth.

Conduct an assessment

In a “post-COVID” world, more than 15% of total U.S. job opportunities are now remote. Regardless of if your organization operates fully remote, in a hybrid model, or is even located outside of the continental United States, it is important to understand the privacy laws and regulations in which your business operates and to ensure they are being followed. Especially when working with remote or hybrid employees, it’s best to reevaluate your security measures, access to individuals’ personal information, what that personal information may be and if it is still relevant to keep on file, and to maintain oversight of any outside partners and vendors as well to ensure they are not misusing your consumers’ information.

Adopt a privacy framework

By adopting a privacy framework that works best for you and your consumers, an organization can help mitigate potential risk and implement a privacy culture within your organization. The NCA recommends reviewing the following frameworks to start: NIST Privacy Framework, AICPA Privacy Management Framework, and ISO/IEC 27701 – International Standard for Privacy Information Management.

Educate employees

By creating an office culture surrounded by data privacy and data security, you are educating your employees on not only how to keep their personal information safe but how to better serve your consumers and their information. Engage staff by asking them how they view your current privacy culture, implement mandatory training and webinars, and consistently assess your current standards.

In addition to these methods, transparency about how your collect, use, and share consumer information is crucial. Be up front and honest with your clients, users, or consumers about what they can expect their information to be used for and offer them other settings to protect their information by default.

And lastly, when your information-bearing media reaches end-of-life — whether hard drives, portable IT storage, or even paper — securely destroy it to prevent leaks and data breaches down the road.

Cybersecurity Awareness Month

September 29, 2022 at 7:27 pm by Amanda Canale

In 2004, the U.S. President and Congress declared Cybersecurity Awareness Month to be held every October. This would heavily encourage, educate, and assist citizens in staying safe online and teach them how to protect their information. Every year, the NCSA creates an engaging and informative campaign in order to raise awareness about cybersecurity and this year’s theme is “See Yourself in Cyber.”

Enable Multi-Factor Authentication

While data privacy and data security are not interchangeable, they are in fact a packaged deal. Implement and enforce best practices such as creating long and intricate passwords and utilizing multi-factor authentication when possible. What is multi-factor authentication? It’s just adding one more small step of the login process.

First step: log in as usual.

Second step: complete a second task to confirm your identity. (Think of it as bringing your license and a recent utility bill to confirm your identity at the bank.)

The second step in the multi-factor authentication process is usually providing a special PIN code that was texted or emailed to you, or opening an authentication app. This is just an extra layer of security you can use when accessing sensitive information.

Use Strong Passwords

Verizon Data Breach Investigations found in a 2020 study that approximately 81% of all data breaches are caused by hackers easily accessing their sought after accounts. How are they able to easily access them, you ask? Two words: weak passwords.

When companies, managers, and individuals fail to adhere to password guidelines, do not offer password training to your team and fail to educate themselves, and forgo multi-factor authentication procedures, businesses continue to put their cybersecurity at risk.

If you’re now second guessing your own passwords, good. If you’re not, we’re judging you a bit. (Don’t worry, we won’t leave you stranded.) Weak passwords are any sort of phrase or term that is common, short, and/or predictable such as the owner’s name, birthday, or the literal word, “password.” Instead, experiment with a longer password made up of a mix of upper and lowercase letters, numbers, and symbols to help keep your password and data safe. Essentially, the more complex the password, the harder it is for cybercriminals to hack your information.

Recognize and Report Phishing

We’re all humans and we all make mistakes. It’s inevitable! Unfortunately, mistakes have consequences. According to a 2019 study, more than 80% of reported data security incidents were caused by phishing attacks. When you interact with a suspicious email link, an attachment, and even senders, your risk of falling victim of a phishing scam rises every time. In today’s modern digital age, hackers have become upped the creativity when it comes to these sneaky scams. If an email or email address looks a bit off to you, it’s always best to either delete or send to your IT department to investigate.

Update Your Software

Regardless of the industry you’re in or kind of organization, having up-to-date, proper cybersecurity protocols and methods in place (in addition to proper in-house end-of-life data destruction!) should always be a priority. It is far too easy for hackers to access and steal sensitive data when your cybersecurity software is not up to date. Check with your business’s IT department or do your own research to make sure you are not ignoring any updates or downloading unauthorized software. It’s also important to note that one should never disable their software’s security features, especially if it is on a work-issued computer or laptop. Your online shopping can wait until you are in the safety of your own protected network and home.

To find out more about Cybersecurity Awareness Month, visit their website here.

Infamous Casino Data Breaches

July 7, 2022 at 6:13 pm by Amanda Canale

While many industries were negatively impacted by the 2019 coronavirus pandemic, one industry not only survived, but thrived: the commercial gambling industry. The casino and commercial gambling industry made approximately $44 billion in 2021, shattering their previous 2019 record. Given this major spike, experts are predicting that the gambling industry will become a neon target for future thieves and cyberattacks.

In our previous blog, Just How Secure Are Casinos?, we broke down the varying security measures casinos take in the form of RFID software located in playing chips, license plate recognition, and other advanced software to ensure that no stealing or cheating occurs. Fortunately, this advanced technology allows the casinos to remotely render chips and other materials worthless if someone were to steal them and allows personnel to have eyes on gamblers at all times.

However, unfortunately, these measures do not completely prevent casinos from being hacked. We’ve broken down a few of the more infamous casino data breachers below and included best practices to ensure that your data stays protected.

Clubillion

In summer 2020, the gambling app, Clubillion, found that their database had been “leaking data” from millions of the app’s customers. The app was contacted on March 23, 2020 but the database was not secured until April 5, 2020. What makes this data breach different than other similar data breaches is that the database was updated with up to 50GB (or 200 million records) worth of information daily. These records logged every player’s actions, their personally identifiable information (PII), private messages, and even IP addresses.

A rep from Clubillion stated that, “on a single day, tens of thousands of individual Clubillion players were exposed.” In addition to a loss in reputation and customers, the popular gabling app may be subjected to other scrutiny and fines from GDPR regulators and GooglePlay and app stores.

Slot Machine One Handed Bandit Game. Rolling Drums. Casinos and Gambling Industry.

Federal Group

In April 2021, Tasmanian casino operator, Federal Group, found themselves in the midst of a cyberattack after their pokies machines (otherwise known as slot machines) and hotel booking systems began to malfunction. At the time of the breach, the casino group was unsure if credit card details stored in the hotel booking system were also compromised and have yet to publicly release that information.

International privacy and security consultant, Terry Aulich, stated that he was “extremely disappointed” with the business’ cyber defenses and warned other Tasmanian organizations to learn from Federal Group’s mistakes. Between Federal Group’s two casinos, patrons had spent upwards of $53.7 million on pokies in the eight months leading up to the breach.

MGM Resorts International

MGM Resorts International became the victims of a data breach in summer 2019, but it was not made public until February 2020 after a third party published an article detailing the breach. The breach had compromised the records of over 10.6 million guests dating back from 2017. The cyberattackers were able to hack into the resort’s cloud server and then was posted to a public hacking forum.

Guest PII such as full name, home and email addresses, phone numbers, and birthdates had all been breached, but luckily did not include financial or payment card information. The breach wasn’t also just limited to guests; victims ranged from tourists and travelers, to media reporters and journalists, to company executives and employees.

At SEM, we offer secure, in-house destruction. With our low and high volume disintegrator solutions, casino materials and solid state boards can be easily destroyed to a predetermined and consistent particle size. As we know, casinos house a lot of sensitive information regarding personnel, patrons, financial information, and advanced technology that should be secured, even in end-of-life.

Depending on the needs of the casino, SEM has every device necessary to properly and efficiently disintegrate chips as intended since our inception in 1967. Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

For more information on our casino solutions, visit our website here.

Just How Secure Are Casinos?

June 10, 2022 at 4:46 pm by Amanda Canale

Even in the midst of a worldwide pandemic, the commercial gambling and casino industry made approximately $44 billion in 2021, surpassing the previous record set in 2019. According to the American Gaming Association (AGA), in-person slots and table games are leading the industry’s recent growth. Given the exponential growth, and (quite literally) billions of dollars on the line, experts predict that the casino industry will be a flaming red target for hackers and thieves.

You’re probably thinking, “what information is even stored on casino chips, playing cards, and dice?” Frankly, quite a lot.

Even more so, casino chips are not the only items that are loaded with information; the same goes for playing cards, dice, and personnel access cards. In this blog, we break down the varying security measures casinos take and how a proper destruction plan your casino can better protect your assets.

Radio-Frequency Identification (RFID)

Casino chips may seem like a cheap piece of plastic, but what many do not know is that these seemingly simple items carry loads of information and are packed with advanced technology. These chips are embedded with radio-frequency identification (RFID), which is used to track them and broadcast unique serial identifiers over radio frequencies. RFID technology identifies and tracks every chip for authenticity, tracking history, and to ensure there is no forgery, cheating, or stealing. Additionally, each casino carries uniquely branded chips, including color combinations, marked edges, and UV markings that are impossible to recreate. The RFID-reading technology also detects when counterfeit chips are being used.

While you cannot “hack into” casino chips, it’s still possible for people to steal them for money, especially since they are a form of currency within casinos. For example, in 2010, a man stole $1.5 million in chips from the Las Vegas Bellagio casino. However, due to the RFID technology within the chips, authorities were able to remotely render the chips worthless by turning off the chips’ transmitters before the robber could turn them in for cash.

License Plate Recognition

Like many secure facilities, casinos have security measures in place tracking you before you even have the chance to park your car. Once your car enters the camera’s frame, the license plate recognition technology scans your plates and converts them into text, which is then compared against the casino’s database. What are they looking for exactly? The software runs your license plate against their records to see if you are a known gambling addict, thief, or on their internal blacklist. This process is to ensure that no undesirable patrons are allowed into the facility.

Angel Eye

Like I stated earlier in this blog, chips are not the only casino materials that are loaded with information. Playing cards carry invisible bar codes that help sensors and security software, such as Angel Eye, track their movement, which ones are being dealt, and to prevent card-switching. The software was specifically designed to prevent card switching, which is prominent in other parts of the world.

When a dealer deals cards, the software tracks the dealt cards through a sensor in the dealing shoe (the container that houses the cards). After this first scan and once the cards are revealed on the table, the dealer presses a hidden button that scans the table and upward facing cards a second time. The Angel Eye software compares them to the initial scan to ensure that the results on the table matches what the computer says.

TableEye21

TableEye21 is a powerhouse of a security device; it is made up of varying technologies all wrapped into one concise solution. It includes an overhead video camera that tracks the table’s actions and players, includes video analysis software and information sent by the RFID chips, and overlays the video feed with real-time data tracking on cards and chips being used.

TableEye21 tracks every action on the table, including dealer rounds per hour, trend reports, and the player win percentage. Casino authorities use this information to identify if a player is counting cards, using counterfeit chips and cards, or scheming with the dealer in order to win.

NORA

NORA stands for Non-Obvious Relationship Awareness software, and it goes hand in hand with all of the security measures we discussed above. Whether a dealer notices something off about a player or the TableEye21 software picks up on odd numerical trends, NORA can be used to scan the casino’s databases for information and recognize relationships between players and dealers alike.

What relationships, you ask? Let me give you an example.

If casino personnel put Brian Jones into NORA, the software will scan all of the casino’s databases and be able to see that Mr. Jones, who applied for a dealer position, is actually Paul Johnson, a notorious poker scammer. In addition, it can connect people entered into NORA based on their similar backgrounds. So once NORA finds out that Brian Jones is really Paul Johnson, it also connects Paul to another player, Zachary Jost. From there, the software connects the dots and finds out that Paul and Zachary were fraternity brothers during their undergrad career and that they were both arrested for the same fraud case.

Another potential outcome is NORA discovering that the dealer and a player used to share the same address and phone number, possibly meaning that they are in on a scam together.

If that wasn’t impressive enough, we should probably mention that it was after 9/11 that the Department of Homeland Security began using the advanced software to help identify relationship links between potential terrorists and criminals.

This is not an exhaustive list by any means; there are many other security measures and advanced tracking technology that casinos use in order to maintain order and ensure honest playing. However, there is one more security method we’d like to discuss: the destruction of casino materials.

As of this writing, there are no federal laws concerning data protection that casinos have to abide by. However, casinos and gaming facilities are required to abide by their state’s safeguarding mandates and financial privacy regulations. In order to maintain the stringent policies set in place to prevent fraud and criminal activity, it is crucial for casinos to establish further security measures for the destruction and disposal of these technology-ridden materials.

In the past, casinos have thrown their chips and cards out with the trash, some even building them into the foundations of casinos out of superstition. But in recent years, casinos have been required to destroy their chips and cards according to predetermined expiration dates. Typically, the expired materials are sent out to a third party destruction facility where they are often dumped into landfills or left vulnerable to thievery by the third party vendors.

At SEM, we offer a better alternative: secure, in-house destruction. With our low and high volume disintegrator solutions, dice, chips, and playing cards can be easily destroyed to a predetermined and consistent particle size. As we know, casinos house a lot of sensitive information regarding personnel, patrons, financial information, and advanced technology that should be secured, even in end-of-life.

One solution is the SEM Model DS-400, a dual stage turnkey disintegrator that has been evaluated by NSA and meets the requirements of NSA/CSS specification for Paper Disintegrators, CDs, and Key Tape. This compact and portable device is perfect for the destruction of paper, optical media, key tape, casino chips, metal and plastic cards, and more.

Need something with a higher volume? We suggest a SEM VKE Disintegrator system. Our VKE (value kit enclosure) disintegrator systems include your choice of disintegrator, air system, state-of-the-art technologies and features like a customized MX sound enclosure to reduce sound and dust during operation, a solid steel rotor designed to provide 70% more rotor mass than open rotor designs, and user-friendly master control panel.

For more information on our casino solutions, visit our website here.

Top 4 Ways to Outsmart a Phishing Scam

March 21, 2022 at 6:37 pm by Amanda Canale

Do you have what it takes to outsmart a phishing scam? Let’s find out!

First, a bit about phishing: for those that may not be familiar with phishing, phishing is a phrase used to describe a cyberattack method via email. An email is sent to an individual with the intention of hacking into the recipients’ email, computer, or network.

Typically, the phishing email will ask the recipient to perform some form of task, whether it is to open an attachment, click on a link, send gift card codes, or send along sensitive information. These links and attachments will be malware-infected and allow the hackers to gain access to your computer, network, and more, and can have detrimental consequences.

It is important to note that phishing is not a new cyberattack tactic. Phishing has been one of the most common attack methods and has only become increasingly more complex the further we get into the Digital Age. That said, upgrading your cybersecurity software and educating your staff how to spot and report phishing emails are just two ways to better protect you and your organization’s data. And speaking of educating your staff, read on to learn the top four ways you and your team can spot a phishing email.

Red Flag #1: An Urgent Request for Login Information, Sensitive Information, or Money

Today, it is increasingly easy to get in touch with one another; there’s the telephone, text message, FaceTime, Microsoft Teams chat, Zoom call, calendar invite, and more. It’s safe to say that if your supervisor (or any member of upper management) needs to speak with you on an urgent matter, they’re going to find a way to contact you directly. If an email allegedly coming from your boss or CEO is threatening negative consequences, or even termination, if you do not complete their task, it’s probably a phish. This is a type of scare tactic used to rush the recipient into getting their request completed as soon as possible.

In addition (and it should be common sense), if your boss needs you to send her login information or sensitive information, take a moment and ask yourself, “if this person were really your boss, wouldn’t she have her own access to that information and logins, especially if she is in upper management?” We’re not saying you should ignore every request for information from upper management, but if the request seems a little fishy (pun intended), take a moment to give the sender a quick call or follow up with them in a separate email (using the email address you know belongs to them) to confirm their request.

The same should go for any request for money or gift card activation codes. A colleague, regardless of title and status, should not be requesting monetary items from you via work emails. This is usually a clear sign of a phish and like we suggested above, take a moment to follow up with that person in real time to confirm their request.

Red Flag #2: Misspelled Name and/or Email Address (When Impersonating Someone You Know)

Now, these attempts don’t come from just any John Doe; hackers do their research to make sure the “sender” looks like it is quite literally coming from your supervisor, company president, client, or…pretty much anyone you know based on social platforms and public company directories.

That being said, it’s now time to break out your magnifying glass and bifocals because we’re moving on to proofreading the urgent request with a fine-tooth comb. Some phishers are lazy so it may be fairly easy to spot a phish simply by doing an in-depth evaluation at the spelling of the sender’s email address (and even the spelling of anyone’s names that are mentioned).

Since it is not possible for two email accounts to exist under the same domain, hackers have to get creative with the spelling of email addresses when impersonating someone. A quick scan may miss the typos and misspellings so it’s best to take the extra few seconds to make sure the sender is using the correct domain and spelling of their name. Also be on the lookout for the number 1 replacing an L or an I and other such crafty substitutions.

Red Flag #3: Bad Grammar and Overall Spelling Mistakes

Most of the time, phishing scams do not come from a particular person but rather a bot or a spell-check tool that doesn’t always translate well. Be on the lookout for major spelling and/or grammar mistakes, and this red flag will be an easy one to spot.

Red Flag #4: Illegitimate Links

Whatever you do, do not click the blue link!

One tricky way phishers hook their victims is by using illegitimate links. One can avoid activating any malware-infested links by simply hovering their cursor over the link for a second or two to see a preview of the URL. If the preview is anything different than what the link says it’s supposed to be, then report it to your IT manager for a more in-depth evaluation.

To summarize, sometimes all it takes is a few extra seconds to carefully read over requests (and maybe a “better to be safe than sorry” forward to your IT department) to spot a phish. As a final note, we want to stress that it takes more than a simple spellcheck to keep you and your organization’s information secure. Upgrade your security software, implement two-step verification logins, train your employees, and collaborate with your IT department to find other security methods you can take.

History of Federal Data Privacy Regulations in the US

January 21, 2022 at 3:09 pm by Paul Falcone

Throughout history, the United States has passed quite a few different laws to protect privacy for its citizens. Generally, the laws focus on protecting one specific aspect of privacy, but they cover all bases on that one aspect. With the growing of the digital age, it is important to wonder if the United States is doing a good enough job keeping up with cybersecurity and data privacy.

4th Amendment

One of the first privacy laws the United States passed was the 4th Amendment, which protects people from unlawful searches. While the 4th Amendment protects people from physical and apparent searches, it has encountered problems protecting people in the digital age.

Fair Credit Reporting Act (FCRA) 1970

The FCRA protects citizens from their consumer reporting agencies files being used against them. It prevents the use of information in their file being used without their knowledge and it allows a person to know what is in their file. The FCRA also allows a person to dispute inaccuracies and forces agencies to delete false or inaccurate information as well as incomplete information.

US Department of Health, Education, and Welfare (HEW) 1973 Computers and the Rights of Citizens

HEW is a report that was focused on the growing use of computers, and how that could impact the future of data keeping and protection. It focused on consequences of using automated personal data systems, how to stop those consequences, and policy for social security numbers.

Privacy Act of 1974

The Privacy Act of 1974 was a turning point in data privacy and security. It protects information that would be retrieved by an individual through their name or any other personally identifiable mark, and prevents said information from being disclosed without written consent of the individual in question. The Privacy Act of 1974 is the biggest step the United States took for data privacy, and paved the way for more specific data privacy laws in the future.

Federal Educational Rights and Privacy Act (FERPA) 1974

FERPA protects educational information from being disclosed. Essentially, the Act prohibits schools from sending out information to just anyone. Parents are allowed access to the educational info, but once the student turns 18 and continues schooling beyond high school, the rights transfer to the student. There are of course, certain people to whom the schools can send information, but they are all either financial, for the good of the student’s education, or for legal purposes. Schools can disclose certain information, such as name and date of birth of a student, but to do so, they must contact said student beforehand and give them a reasonable amount of time to request it not be shared.

Right to Financial Privacy Act (RFPA) 1978

RFPA protects the financial privacy of people. Essentially, it does not allow anyone to view financial information of a person without the person being notified and given a chance to object. In the words of this law, a “person” is judged to be an individual or a partnership of five or less. In other words, it does not extend to corporations or large partnerships.

Video Privacy Protection Act of 1988 (VPPA)

The VPPA protects from the disclosure of rental records of “prerecorded video cassette tapes or similar audio visual material.” Effectively, it means that without written consent or a valid warrant, no one can get the information of what a person has rented in the past.

The Gramm-Leach-Bliley Act of 1999 (GLBA)

GLBA ensures that financial institutions explain their information sharing processes with a customer. It also makes them safeguard sensitive information. A financial institution constitutes a company that deals in the business of loans, investment advice, or insurance.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA protects the health information of individuals. It forces the protection and integrity of health information and it expects institutions to protect against expected anticipated threats against the security of the info as well as illegal disclosure.

Driver’s Privacy Protection Act of 1994 (DPPA)

The DPPA protects the information held by any state DMV. It disallows the use or release of personal info obtained from any department in relation to a motor vehicle. The information covered by this act includes name, address, SSN, phone number, and other personal effects. It does not cover traffic violations, accidents, or license status.

Children’s Online Privacy Protection Act of 1998 (COPPA)

COPPA protects children’s privacy from being collected or used. A child is defined as being under the age of 13. It requires the consent of a parent for the information of a child to be taken or used. This act works specifically for websites and online services that were targeted at children.

Federal Information Security Management Act of 2002 (FISMA)

FISMA is effectively the government protecting its own cybersecurity. This act was the government acknowledging the importance of cybersecurity. It has since been replaced by the Federal Information Modernization Act of 2014, which is commonly referred to as FISMA reform or FISMA2014.

Fair and Accurate Credit Transactions Act of 2003 (FACTA)

FACTA provides consumers with more accurate credit related records and entitles them to one free credit report per year from the three credit reporting agencies — Experian, Equifax, and TransUnion. It also grants consumers the ability to purchase additional credit reports for a reasonable price.

Telephone Records and Privacy Protection Act of 2006 (TRPPA)

TRPPA prevents pretexting to buy or sell personal phone records. It should be noted that it does not affect information agencies or law officials. Pretexting refers to the imitation or impersonation of someone else in order to gain personal information.

State Laws and Federal Mandate

As it currently stands, many of the states have their own specific data privacy laws. Some states have more protection than others. For instance, Massachusetts have passed more data security laws than Tennessee, which has stayed closer to the federal laws alone.

In the current age we live in, data security is a rising problem. As technology improves, more personal information becomes digital, and more security is needed. There needs to be a federal mandate causing the states to all have stronger cybersecurity, as in this current day and age, it is required to be 100% certain that personal information is well protected. Furthermore, if all the states have different laws, companies will not be able to comply with all of them, and will end up not doing business in the United States.

The United States has consistently been putting out laws to protect privacy and enforce cybersecurity, and with the way history has been, it is safe to assume that they will continue to do so into the future. The next step would logically be the United States releasing a federal mandate to standardize the data privacy laws for all states.

Applying to College: What Happens to Your PII Once You’re Accepted?

April 27, 2021 at 1:50 pm by SEM

College applications. For a lot of people, just reading those two words can bring back a swarm of flashbacks of awkward college essays, endless SAT prep, and countless hours spent anxiously awaiting that giant envelope announcing your acceptance into your dream school. While this time can be exciting for many people, it’s also a time spent filling out application after application detailing all your personally identifiable information (PII). But what happens to those applications, and that information once you’ve been accepted?

Colleges and universities are bound by a federal law called “The Family Educational Rights and Privacy Act” (FERPA), which ensures that the information provided by and in relation to students is kept private. The law also states that if the information provided is no longer needed, that it must be discarded in a manner that securely protects the information.

For context, FERPA is administered by the Family Compliance Office in the US Department of Education and applies to all educational agencies and institutions that receive funding under any program administered by the department. Private schools at the elementary and secondary levels generally do not receive funding and are therefore not subject to FERPA. Private post-secondary institutions, however, generally do receive funding and are therefore subject to follow all FERPA guidelines and regulations.

While FERPA accounts for a variety of issues such as access to education records, amendments to and disclosure of records, it also makes provisions and guidance on the protection of the information. It is within this segment of the law that institutions are obligated to protect the privacy of the data and to effectively destroy or eliminate data that is no longer needed in a controlled and secure manner.

How is this data destroyed?

Personal data resides on many forms of media, including but not limited to paper, hard drives, data tapes, optical disks, and more. Paper documents can easily be destroyed by feeding the end-of-life documents into a paper shredder. Many institutions use in-house cross-cut paper shredders for this purpose while others may deploy an outside service to shred the paper. If an office or institution utilizes an outside service to destroy their paper documents, they are usually stored in a locked cabinet or receptacle that only the outside service has access to. While these documents are securely stored in the meantime, SEM will always recommend in-house data destruction to ensure secure destruction. By opting for a third party vendor to handle your end-of-life destruction, the number of safety risks can be immeasurable. It can be far too easy for an ITAD vendor to mishandle, misuse, or even lose drives and/or paper when in transportation, being sorted by staff, and in the actual acts of destruction and disposal. (Some third party vendors have even been known to sell the data they are given to online third parties!)

Unfortunately, many college applications are now submitted virtually through applications like CommonApp and through institutions’ online portals. This means that the destruction of their electronic media is a bit more challenging. Again, there are outside services that perform this function, but they do not come without their own set of consequences. For hard drives, it is best practice to degauss any end-of-life drive prior to destruction. SEM degaussers use powerful magnetic fields to sanitize the magnetic storage media which renders the drive completely inoperable. This can in turn potentially save an institution more time and money in the long run by preventing a breach of any kind and ensuring their applicants’ PII stays safe.

At SEM, we specialize in providing secure and effective in-house solutions to numerous educational facilities around the country. We have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your institution’s destruction needs.

What Documents Should You Shred After Filing Your Taxes?

April 26, 2021 at 6:16 pm by Amanda Canale

Ah, tax season. A time to reflect and reevaluate on the past year’s finances, and a wonderful excuse for some major spring cleaning!

In this blog, we’ll break down all of the documents you can say, “bye-bye” to and the ones you may want to keep around for a bit longer. It’s important to note that this is simply a condensed breakdown, but more information on record retention policies (RRP) can be found in our blog, Records Retention Schedules: When Will Your Data Expire?

Bye-Bye Junk!

ATM and deposit receipts: These can be shredded once they are compared against your monthly statement.
Credit card bills: Once your bill has been paid, shred away!
Utility bills: Keeping utility bills once they are paid is not always necessary. However, it is recommended to save all of your utility bills for one year if you are claiming a home office deduction.
Pay stubs: Pay stubs should be saved for one year but once your taxes are filed, they are ready for the shredder.
Insurance policies: Once your policy is renewed (either with the same insurance company or a different one), feel free to feed it to your shredder.
Receipts: No need to pile up your desk or filing cabinet with every UberEats and Postmates receipt from the past year. It is only necessary to keep receipts from bigger purchases or items that will be deducted.
Monthly bank statements: Your monthly bank statements should be saved for one full year and then shredded after you receive your annual statement.
Monthly investment statements: All annual statements and the most recent monthly statement should be kept on file; however, feel free to shred the rest!

Documents for Next Tax Season

Income: Whether your income comes from wages, interest, or other business, any W-2, 1099, or K-1 forms, and bank and brokerage statements should be kept leading up to your next tax return.
Deductions and credits: Any receipts pertaining to childcare, medical and dental expenses, using your home as your business, alimony, or charitable donations should be kept leading up to your next tax return. In addition, any receipts or invoices, cancelled checks, and bank or credit card statements.
Home and property documents: Whether they are closing statements, proof of payments, insurance records, or home and property renovation receipts, these types of documents should all be kept for a year leading up to tax season.
Investments: Any and all 1099 and 2439 forms, brokerage statements, and mutual fund statements should also be kept prior to filing your taxes.

With all of this being said, it is important to mention that there are some financial documents that should be kept for a specific amount of time after you file your taxes. The Internal Revenue Service (IRS) has three years to assess additional tax and audit returns, meaning it would be a smart move to keep any documentation to support your recent claim should be kept on file.

Shred Away!

Now is the fun part: shredding time! While there are various ways to destroy a paper document (as detailed in our recent blog, How NOT to Destroy Paper Documents), we at SEM know it to be best practice to use a high security paper shredder (no, big box store shredders won’t cut it — pun intended!) when destroying all of your end-of-life paper documents. By adopting a secure shredder policy, you can be sure your financial information does not get into the wrong hands. We suggest the SEM Model 1324P deskside shredder for all of your at-home shredding needs. This device offers a DIN 66399 P-4 particle.

P-7, shown above, is the standard for the destruction of classified material on paper

At SEM we have an array of high-quality NSA listed/CUI and unclassified paper shredders to meet any regulation. Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.