Happy Holidays From SEM!

December 16, 2019 at 6:52 pm by Paul Falcone

As the end of the year approached, SEM employees from across the country came to headquarters in Westboro, MA for a look back at 2019 and to enjoy some festivities. The last week was filled with sneak peeks at new products, axe throwing, good food, and good company!

First up, SEM’s best in class service team went to Half Axe for some axe throwing followed by dinner to celebrate the end of the year together as a team. 



The entire company then gathered at Civic Kitchen in Westboro for some great food, drinks, and entertainment! The night ended with a vicious game of trivia that split the company into five teams, with the winners getting some awesome prizes. 

Todd Busic and Jeff Lanoue caught up on sales discussions
During the evening, President Andrew Kelleher handed out service awards to team members
Tricia and Josh Burton enjoyed some amazing food
Heidi White talked Lee Bingham into a selfie
Aaron Lebo and Chuck O’Laughlin goofed for the camera on the last day

That’s a wrap on 2019. Special thanks to our team from all departments who work so hard to produce quality products that are delivered throughout the world. From everyone here at SEM, happy holidays and we will see you in the new year! Here’s to 2020. 


The Effects of Compromised Personally Identifiable Information

November 12, 2019 at 2:42 pm by Paul Falcone

Today more than ever, data security is a hot-button topic, with serious data theft and data breaches seemingly occurring on a daily basis. Since storing sensitive personally identifiable information (PII) is now the norm for virtually all businesses, it is incumbent on those businesses to consistently ensure the integrity of that information.

Around the world, consumers are justifiably growing more concerned about data privacy. The European Union and countries such as Canada and the United States work to protect their individual and corporate citizens by enacting and enforcing regulations that restrict the use and flow of PII, as well as mandate how PII is stored, disseminated, and destroyed.


Although organizations subject to PII regulations incur steep fines for noncompliance, the consequences can be significantly more severe for the individuals whose PII is breached. For example, compromised data can be exposed to manipulation and illegal transactions that ultimately lead to wholesale identity theft. In 2017 alone, identity thieves pilfered $16.8 billion from 6.64% of U.S. consumers, or approximately one of every fifteen people.

Within an organization, it is critical that your data storage and data end-of-life destruction processes are invariably sound and thorough and executed error-free. As the following real-life examples demonstrate, any instances of irresponsibility or lapses in oversight—such as discarding paper without proper shredding or disposing of still-readable hard drives—can have dire consequences, particularly to individuals’ livelihoods and reputations.

2017: Medical Records in Public Trash Bins in Hawaii

An anonymous resident of Palolo, Honolulu, found a stack of approximately 50 residents’ personal and medical information while using a public-access trash bin. Evidently, a local therapy center discarded the paperwork without taking the necessary security measures. The documents contained a “fraudster’s treasure trove,” including complete social security numbers, pictures of driver’s licenses and extensive medical information. Thankfully, the documents fell into the right hands; otherwise, lives could well have been ruined.

2019: Used Electronic Storage Devices Contained PII

Companies relying on a data removal plan rather than a data end-of-life destruction plan should reconsider their strategy. A recent study conducted by Blancco analyzed 159 used storage drives purchased from eBay. The data removal company discovered that an astounding 42% of the drives (66) still contained data. More disturbingly, more than fifteen percent of the drives (25) still contained PII. Furthermore, one of those drives came from a software developer that had been granted government security clearance.

In another recent study, a Rapid7 researcher procured 85 discarded hardware components from businesses, including old computers, flash drives, phones, and hard drives. Of the 85 devices, only two had been properly wiped and only three were encrypted. In total, the researcher collected 611 email addresses, 50 birth dates, 41 social security numbers, 19 credit card numbers, six driver’s license numbers, and two passport numbers.


2010: Australians Have Identities Stolen by Hit Squad

Imagine being six months pregnant, living in Israel, and yet somehow being wanted for murder in Australia. In fact, it’s a real-life nightmare for a former Melbourne resident. In 2010, she was one of three Australian citizens living in Israel who had their identities stolen and used by members of a Mossad hit squad while carrying out an assassination. In each case, the three individuals’ PII was swiped and used to forge passports in their names with the perpetrators’ photos. It has never been definitively determined how their PII was compromised.

2016: Albuquerque Man Arrested for Fraud—When He Himself Was the Victim

In 2016, a dispatcher for the Kirtland Air Force Base Fire Department and military veteran with a security clearance and no prior arrests was pulled over, detained, and booked in Las Vegas, New Mexico, on an outstanding fraud and forgery warrant. Subsequently, it was determined that a younger man had obtained the individual’s personal information in the fall of 2015. This younger man used the stolen ID to cash a check and was seen on camera. Despite marked differences in the two men’s physical appearances, the Albuquerque Police still issued a warrant for the dispatcher, resulting in a highly traumatic experience (which, by the way, led him to file a suit against local law enforcement).

2019: Woman Arrested After Identity Thief Steals Car Using Her Name

A 25-year-old Indiana woman was recently arrested and booked on charges of auto theft when an impersonator used her driver’s license to test drive and steal multiple vehicles. The woman did not know she was being investigated until she was detained two weeks after an incident. While she believes the identity theft was likely the result of a stolen purse, the exact circumstances are unknown since no arrests have been made.


Although it’s often impossible to know whether compromised data is the result of inadequate end-of-life procedures, faulty storage protocols, illicit cyber activity, or everyday petty theft, an overriding theme emerges from the above examples: given the extreme sensitivity of PII—and the dire consequences for individuals when PII is compromised—it is the legal and ethical responsibility of all businesses possessing PII to protect it. The onus is on them to ensure all reasonable measures and precautions are taken to ensure its absolute security and integrity, and, ultimately, its utter, irreversible destruction at end-of-life.

Companies like SEM provide state-of-the-art data end-of-life solutions that ensure PII is destroyed to the point of non-recovery, thereby mitigating the attendant risks of data theft and compromises for both individual and corporate citizens alike.

Data Security in an Unsecure World

June 25, 2019 at 3:18 pm by Paul Falcone

As the world continues to move further into the digital era, data security has been an ever-growing concern. Cybercrime continues to climb as digital data becomes more and more prevalent. In light of these facts, data security has become a critical focus for individuals and companies alike.

Why Data Security Matters

In our constantly evolving world, data security becomes more critical by the day. As it currently stands, nearly all personally identifiable information (PII) and other sensitive information is digital. In a world where a data breach could lead to widespread identity theft and access to other critical information — from military secrets and classified information to bank accounts and medical records — data security is quickly becoming a key issue for every type of organization. There are numerous best practices for improving cybersecurity, most of which involve digital safeguards; however, it is also critical that end-of-life drives be physically destroyed.

Digital Data Security

Securing data digitally is one of the most critical steps in protecting information, and there are a few methods that can be used to protect data digitally. The first method is encryption. Encryption essentially morphs your data into code that can only be read via an encryption key, or in the case of digital data, certain machines and users. Encrypted data will show up scrambled and unreadable to anyone who attempts to access it without the proper encryption key.

Another method to protect data is called data masking, which is the process of hiding the original data from a file with modified data that looks real. Data masking is useful because it protects personal information from anyone who happens to find their way into a personal file. Furthermore, data masking helps in case of theft, as the thieves would have no way of telling which parts of the data are true and which are false.
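To make the masking idea concrete, here is an added example (not SEM’s code or a product feature): a small Python routine that takes a record of PII and produces a masked copy that still looks like real data. Direct identifiers keep only their last digits or their domain, and the name is replaced by a keyed HMAC token so masked records can still be joined on it without revealing the original. The sample record and the masking key are constructed for the demo; a real key would live in a secrets store.

```python
import hashlib
import hmac
import re

# Constructed sample record for the demo (fake values, not a real person).
SAMPLE_RECORD = {
    "name": "Jane Q. Public",
    "ssn": "123-45-6789",
    "email": "jane.public@example.com",
    "card": "4111 1111 1111 1111",
}


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits of a US SSN; the rest becomes '*'."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


def mask_card(card: str) -> str:
    """Mask all but the last four digits of a card number, keeping 4-digit groups."""
    digits = re.sub(r"\D", "", card)
    if not 13 <= len(digits) <= 19:
        raise ValueError("unexpected card number length")
    masked = "*" * (len(digits) - 4) + digits[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the full domain."""
    local, sep, domain = email.partition("@")
    if not sep or not local:
        raise ValueError("not an e-mail address")
    return local[0] + "***@" + domain


def pseudonymize(value: str, key: bytes) -> str:
    """Replace a value with a keyed, deterministic token (truncated HMAC-SHA256).

    The same input always yields the same token, so masked data sets can still
    be joined on this field, but the token cannot be reversed without the key.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]


def mask_record(record: dict, key: bytes) -> dict:
    """Return a masked copy of a record; the original dict is left untouched."""
    return {
        "name": pseudonymize(record["name"], key),
        "ssn": mask_ssn(record["ssn"]),
        "email": mask_email(record["email"]),
        "card": mask_card(record["card"]),
    }


if __name__ == "__main__":
    # Hypothetical masking key; in practice it comes from a secrets store, not source code.
    demo_key = b"demo-masking-key"
    for field, value in mask_record(SAMPLE_RECORD, demo_key).items():
        print(f"{field:6s} {value}")
```

The masked copy is what you hand to developers, analysts, or test environments; the key and the unmasked source stay behind the same access controls as the production data.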

A simple method of data security is authentication, or simply put, the usage of passwords and logins to allow access to certain files. Authentication is important because it allows access to the data from those who need it, whilst locking out those that would use it for nefarious means. Authentication has problems in the form of a hacked account allowing access to the data, but thanks to two-factor authentication, hacking into an account now requires access to the account holder’s phone and/or email. Two-factor authentication essentially requires a login and password to be supported by a code sent to either an email or phone number.

An interesting method of data security is one that doesn’t protect the data, but rather makes sure that the data still exists should it be hijacked. Data backups are vital to the world of data security because they save the data should something happen to the original source. Should the hardware fail or the data be hit by a virus or hacker, the backup will restore the data. Data backups even help with unexpected physical destruction, as in case of a fire.

A fifth method is data erasure, which is exactly what it sounds like. Data erasure is the deletion of data from a drive that goes beyond the general deletion used in day-to-day life. Elimination of data from drives is vital because of the threat the drives pose at end-of-life. Wiping the data is an effective way of eliminating the data on the dead drives when done with a degausser, such as SEM’s EMP-1000HS. That being said, wiping the data is not the only step that needs to be taken for maximum security at a drive’s end-of-life.

Physical Destruction

In order to properly protect data, end-of-life drives must be disposed of properly. It is fairly simple to recover data from dead drives, and with the expansion of the cloud, old drives pose an even larger threat. The safest way to destroy dead drives is to physically destroy and dispose of them on-site, so the data never leaves the premises or falls into the hands of someone outside of the company. The best way to destroy end-of-life drives is to use a data destruction device to physically crush, shred, or disintegrate the drive in question. If a company or organization fails to properly destroy data at end-of-life, the potential for a large data breach increases exponentially, as does the liability associated with such a catastrophe.

Data security measures must be thorough and constantly evaluated in order to ensure data privacy and integrity. While the methods set into place now are effective, including digital safeguards and physical destruction at end-of-life, we must practice constant vigilance as technology continues to improve, lest cybercriminals gain the upper hand in the battle for data. 

The Poorly Stitched Patchwork of US Data Security Policy

May 9, 2019 at 5:24 pm by Paul Falcone

Every few months it seems like we have a new data breach that exposes hundreds of thousands – if not millions – of individuals’ personal and private data. From the Equifax leak in 2017, to Yahoo in 2013, to Marriott in 2018, customers are losing faith in companies to properly handle their private data. In fact, as of 2017, over 64 percent of Americans have personally experienced a data breach, and with the latest leaks over the last two years, it’s fairly safe to assume that the number has grown even higher.

As the rest of the world continues to move towards a singular, comprehensive, and consumer-focused data security protection plan, the United States continues to fail to pass any meaningful legislation. This lack of forward movement, coupled with the fact that U.S. citizens are more concerned about their data than ever, has led to individual states taking the responsibility onto themselves. The problem, however, is that this only makes more headaches for both consumers and companies as a whole.

So what laws are in place right now?

Right now, instead of a unified regulation for personally identifiable information (PII), individual industries are given regulations. The healthcare industry and the credit card industry are two examples of this, governed by HIPAA (Health Insurance Portability and Accountability Act) and PCI-DSS (Payment Card Industry Data Security Standard), respectively. While having some sort of regulation can provide clarity for companies and more transparency for citizens, the truth is that states can pass their own regulations within these industries, making it a state-by-state question of how a single company might have to respond. Confusing, right?

To fix this, some states, like California, have decided to try to lay the groundwork for a more uniform, consumer-focused approach. The California Consumer Privacy Act (CCPA), passed in 2018, goes into effect January 1, 2020 and looks a lot like Europe’s General Data Protection Regulation (GDPR), which went into effect in 2018. The Act, which would affect any company that does business with customers who are citizens of California, would provide the following protections to consumers:

    • A consumer must be notified of what personal information is being collected, how it is collected, and whether it will be disclosed or sold.
    • Consumers must have the right to easily opt out of having their personal information sold.
    • Consumers must be informed that they have the right to have their personal information deleted. The process to do so must be easy and straightforward.
    • A consumer exercising these new rights cannot be discriminated against as a customer for opting out of any data sharing or for having their information deleted.

This is a good start for not only consumers in California, but across the U.S. As stated above, this Act would affect any company that does business with consumers in California; meaning that companies that exist in other states, but still sell to California, will be affected.

Other states, including Colorado and New York, have also passed their own state laws. In Colorado, the Protection for Consumer Data Privacy Act was passed in September 2018, while in New York the Stop Hacks and Improve Electronic Data Security Act was first introduced in 2017. In fact, 35 U.S. states currently have some form of data privacy and disposal regulation in place. And all of these regulations vary from the California Act, which makes it even more difficult for companies to comply with them when doing business across state lines.


So why isn’t this happening at the federal level yet? There seems to be bipartisan support, with bills being submitted from both sides of the aisle, but progress has been slow. As these data breaches continue to happen, policy at the federal level will have to jump in sooner or later. Over the last year, five separate bills have been drafted and submitted to Congress with varying takes on the government’s role in regulation. The bills include the following:

    • The Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act by Richard Blumenthal (D) and Ed Markey (D).
    • The Social Media and Consumer Rights Act of 2018 introduced by Amy Klobuchar (D) and John Kennedy (D).
    • The Consumer Data Protection Act introduced by Ron Wyden (D).
    • The Data Care Act introduced by Brian Schatz (D).
    • The American Data Dissemination Act (ADD) introduced by Marco Rubio (R).

Each of these bills looks at the issues of data security from a different point of view and has various opinions on the role of government, how much access a customer should have, and what the consequences for responsible parties should be in the result of infractions.

The CONSENT Act by Blumenthal and Markey was proposed in April of 2018 and looks to have the Federal Trade Commission (FTC) draft a set of federal rules around suggested guidelines. These suggestions are for the consumer to have to opt in to having their data collected and used, as opposed to having to opt out, as so many companies require now. The Act also suggests that the consumer would have the right to know, if they opted in, how their data was used and to whom it was going. It would also prohibit companies from refusing service to consumers who refuse to share their data.

The Social Media and Consumer Rights Act of 2018 was introduced in April of 2018, just two days after the CONSENT Act. The Act was drafted by Klobuchar and Kennedy and shared many ideas with the CONSENT Act. This Act aimed to make data collection by companies more transparent and to give the consumer both the ability to opt out of data collection and the ability to view what data has been collected. Another key point was that in the event of a data breach, all affected parties must be notified within 72 hours of detection. The FTC would be the governing body, and individual states’ attorneys general would handle civil enforcement.

The Consumer Data Protection Act by Wyden was introduced in late fall 2018 and carries a lot of the same ideas as the previous two. The Act suggests that consumers have the right to opt out instead of opting in to data collection, and that companies be more transparent about how the data is used. He also suggests that the FTC be provided with increased funding to be able to properly oversee these new regulations. However, the big difference in Senator Wyden’s Act comes from the penalties companies should face.

In the Act, Wyden suggests that any company that has revenue exceeding one billion dollars or warehouses data on over 50 million customers must submit an “annual data protection report” to the government detailing the steps taken by the company that year to protect customer data. The catch is that if there is any misinformation or attempt to willingly mislead the FTC, there can be a five million dollar fine and up to 20 years in prison for executives. The severity of the penalties makes it a strong contrast to the two acts that came before it.

Next was Brian Schatz’s Data Care Act, which was proposed on December 12, 2018 and builds on all the bills proposed before it. The Act calls for companies to be more secure in handling their consumers’ data and states that consumers must be notified in the event of a data breach. The FTC would be given the power to penalize companies that are misusing consumer data, as well as hold them responsible for all information given to third parties that originated within that company. The Data Care Act broke down its mission into these bullet points:

    • Duty of Care – Must reasonably secure individual identifying data and promptly inform users of data breaches that involve sensitive information.
    • Duty of Loyalty – May not use individual identifying data in ways that harm users.
    • Duty of Confidentiality – Must ensure that the duties of care and loyalty extend to third parties when disclosing, selling, or sharing individual identifying data.
    • Federal and State Enforcement – A violation of the duties will be treated as a violation of an FTC rule with fine authority. States may also bring civil enforcement actions, but the FTC can intervene.
    • Rulemaking Authority – FTC is granted rulemaking authority to implement the Act.

The Data Care Act had the largest following, with 14 other Congress members co-sponsoring the proposal.

Rubio’s American Data Dissemination Act takes a different angle. Proposed in February 2019 with no co-sponsors, his bill suggests that the FTC itself draft up the rules, like the CONSENT and Data Care Acts, and send them to Congress for approval. It is stated that the FTC would seek to create rules for the “tech giants” while exempting smaller companies from the same rules, allowing them a chance to be competitive within their industries. The Act would prioritize consumer welfare over corporate welfare and would preempt state law, meaning that it would supersede the state laws that are being drafted and implemented in individual states. Unlike the previous proposals, Rubio’s was more open to the FTC drafting the ruleset with fewer suggestions beforehand from him directly.

So where are we now?

While none of these proposals have gained a lot of traction, they serve as a spark that spreads into a conversation among consumers, politicians, and companies alike. The fact that these proposals keep coming shows that it’s not a matter of if, but a matter of when the U.S. will have a federal data privacy policy.

Around the world, Europe, Japan, and Canada are all taking uniform approaches to keep data security laws the same across their countries. This makes the guidelines easy to follow for companies and easy to understand for consumers. In Europe, GDPR has launched with increased consumer rights, and companies are already being penalized for failing to comply. Canada had the Personal Information Protection and Electronic Documents Act (PIPEDA) go into effect November 1, 2018, further protecting the personal information of its citizens and holding companies responsible for breaches. In Japan, a Personal Information Protection Commission was created to enforce a regulation that would be in compliance with GDPR’s new guidelines.

Soon the U.S. will have to follow suit, and it will make everyone’s data safer in the process. But it’s not hard to make something that is safer than the poorly stitched together patchwork of policies that we have in place now. A patchwork where we’re one data breach crisis away from it all ripping apart.

Security Engineered Machinery is the Global Leader in High Security Information End-of-Life Solutions. 

Credibility Counts, Ask Around

April 9, 2019 at 3:44 pm by Paul Falcone

We’ve all had a point in our lives when we need to purchase something that we know we need but don’t know much about.

Maybe you’re in a store looking for something, eyes frantically scanning the shelves and trying to distinguish between all the various products, versions, and makes. As the choices add up, maybe you decide it’s best to ask for someone’s opinion. Someone who works at the store happens to be walking down the aisle and you signal for help. It is in this moment that you start deciding whether this person has the knowledge to help you or not.

Because after all, they could have just as little knowledge as you about this product.

After a discussion you discover that it was true: the employee wasn’t knowledgeable enough about the product to make you feel comfortable with a purchase. So you head home empty-handed, deciding that you’ll take your questions elsewhere. Somewhere with all the answers in the world.

The internet.

The internet can be an equally overwhelming place when trying to find accurate information about a product. In a world that is becoming more and more connected, the amount of information that is available to us is growing exponentially. How can you sort through all of this information and deduce what is accurate and honest information, especially with people out there trying to scam and get the best of you?

Sites like Amazon and Google try to combat this by showing us user review scores and comments of people who have purchased items. But even these can be manipulated. So when it seems like it’s impossible to find the information, who can you really trust?

How do you know you can trust a product?

Ask around. They say word of mouth is the best kind of marketing and real people who have used the products can give you the most honest answers. Chances are if you’re in the market for a high security destruction device, you know someone who has worked with Security Engineered Machinery, the global leader in high security information end-of-life-solutions for over 50 years.

At Security Engineered Machinery, we have the experience to answer any questions you may have concerning your sensitive-to-classified destruction needs. Most of our sales team has been in the industry for over 20 years. We have more experience creating destruction solutions than any other company. We were founded in 1967 and have 52 years in the destruction business, granting us an unparalleled depth of experience. Document and media destruction is our ONLY business and we are 100% focused on improvements.

When you purchase a system from SEM, you can feel confident you will receive the quality and support you’ve come to expect from us. The sales team at SEM holds integrity above financial gain and is always willing to go the extra mile. Our clients, many of whom are repeat customers, are among an elite group of security professionals in the government as well as the civilian sectors who have used our machines in various offices and locations worldwide. When they move to a new location and need a new destruction device, they inevitably contact SEM – and that’s the best testimonial you can have.

Why do we have so many long-term relationships? Value: you will get the quality you expect. Convenience: it does what we say it will do. Customer support: we will be here to help you through the life of your machine. Service: our dedicated service department is ready to assist at a moment’s notice.

Most importantly, SEM has the expertise and the knowledge base to meet or exceed your expectations as well as the most knowledgeable sales team in the business with the highest integrity to solve your destruction problems.

Sarbanes-Oxley and Data Destruction: How to Best Comply 

March 11, 2019 at 4:00 pm by Paul Falcone

If you operate or manage a public company or a non-public company with publicly traded debt securities, you’ve certainly heard of the Sarbanes-Oxley (SOX) Act of 2002. This law is also aptly referred to as the “Corporate and Auditing Accountability and Responsibility Act” or the “Public Company Accounting Reform and Investor Protection Act”. 

The SOX Act was enacted by the US federal government to address the standards by which the management and board of directors of any domestic public company handle the financial information and financial reporting of the organization. The SOX Act also extends to public accounting firms as well as to other companies that do business with publicly traded companies, even if said company is not a publicly traded entity. 

The SOX Act aims to strengthen the audit committees of these US-based public companies as well as hold the management and officers liable to the accuracy of the financial statements for the business. In so doing, this Act works to prevent securities and investment fraud by the organizations covered under SOX.  


General Regulations of the SOX Act 

The Sarbanes-Oxley Act is made up of two main clauses. According to Section 404, Management Assessment of Internal Controls, Clause A requires these publicly traded companies to create a commission on behalf of the company that develops and enforces rules for maintaining an internal control report with each annual financial report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)). This internal control report must include information and policies on how management establishes and maintains an adequate structure for internal control as it pertains to the financial reporting of the company. Clause A also requires the commission to write up an annual report on the effectiveness of the internal control policies and financial reporting procedures at the end of each fiscal year.

Clause B expands on the regulations for internal control evaluation and reporting, adding the responsibility of the commission or registered public accounting firm issuing the audit report to accurately prepare the audit as stated in Clause A. That is, said commission or public accounting firm is also held liable for the information reported about the management of the stated financial information in the internal control report.

Maintaining compliance with the SOX Act therefore means ensuring all financial information and reporting that pertains to the organization is kept secure and protected from unauthorized personnel and possible theft.  


Data Security Best Practices

When it comes to financial data end-of-life cycles, it’s therefore extremely important for companies covered under the SOX Act to appropriately destroy their data so that the information contained cannot be accessed or reconstructed. In so doing, the company further maintains SOX compliance and ensures fraud prevention of its financial reporting, even as the data has been slated for decommission.  

This means not only proper disposal of the data, but also of the hard drives or electronic storage media housing the data. Organizations covered under the SOX Act must use the proper channels and procedures for data destruction. Such methods include overwriting the sensitive information with non-sensitive data using software or hardware to clear the media (not recommended due to the recoverability of data from “erased” drives), degaussing the media and rendering its magnetic field permanently unusable, or destroying the media by disintegration, pulverization, shredding, melting, or incineration.

Rather than work with a third party off-site to destroy the data and drives, it’s recommended that the organization create a designated, private space within its premises for the data destruction and drive disposal. The organization should also consider limiting access to the data and drive destruction procedures within the private space to only a select number of authorized personnel. Enforcing restricted access within a private, on-site space further protects and secures the data from theft and misuse.  

Final Considerations for Data Destruction 

Working with a vendor like SEM that provides on-site data destruction machinery is essential to maintaining control and security over your financial data. Allowing your data to leave your premises by a third party can be extremely risky because they are not liable for your data security. For instance, imagine if that third party you hired did not actually destroy your drives but instead sold your financial data to an outside party. 

It’s also a good idea to check that the vendor you are working with has machinery that adheres to NSA and NIST 800-88 guidelines for data destruction and SOX Act compliance.  

The True Cost of Data Breaches

March 1, 2019 at 9:14 pm by Paul Falcone

While you may be hearing about them more and more frequently, the truth is data breaches have been occurring since before the digital age. For instance, unauthorized personnel viewing a hard copy of medical files is considered a data breach. But it’s our majority reliance on digital platforms to store data that has brought security issues and, thus, data breaches to a whole new level. In fact, identity theft from exposed data records is the most common type of data breach incident across the globe.

Data Breaches are Rising

According to recent statistics compiled by Statista, data breaches across the United States have been on the rise for over 10 years, and it’s not a small incline by any measure. In fact, the recorded number of breaches in the US has gone from 157 million in 2005 to 1.579 billion in 2017. What’s more, nearly all of these 2017 breaches occurred in the business sector.

In the first half of 2018 alone, there were 668 million breaches recorded, totaling over 22 million data records that were exposed.

The Costs: More than Just Money

The rise in data breaches has also caused a correlated rise in the financial costs of the breaches. In fact, a recent study conducted by IBM Security and the Ponemon Institute reported that in 2018, the average global cost of a breach was up to $3.86 million, and the average cost per exposed data record was $148. These increases are largely due to the increase in data breach sizes. That is, the financial costs of data breaches keep going up because the breaches themselves are exposing larger amounts of data.

These financial costs extend beyond the money that is paid out by the organization to recover the exposed data. For one, if the organization is publicly traded, its stock value could decrease. For another, its number of shareholders or stakeholders could also decrease, furthering the financial loss of the organization. In addition, if the breach includes information on European citizens, fines imposed under GDPR can total up to 20 million Euros or four percent of the company’s global annual revenue, whichever is higher.

Yet, the financial cost is just the tip of the ‘iceberg of cost’ for organizations that become victims of a data breach.

Data breaches involve such private data as Personal Health Information (PHI), Payment Card Information (PCI), and Personally Identifiable Information (PII), as well as trade secrets and intellectual property. When these types of personal data are exposed, it can compromise not only the integrity and reputation of the organization from which the data came, but also its consumer base. On an individual level, it could negatively affect everything in that person’s life, from their ability to buy a home and get a job, to their financial standing and even their mental health.

The effects on the consumer level can then have an even more adverse effect on the organization, because with a data breach comes a more intangible breach: one of trust between the consumer and the organization. Often, when a consumer loses trust in an organization, it is extremely difficult to build that relationship back.

It’s not an easy fix. It takes a lot of time and persistent effort on the part of the organization to earn that trust back, whether that’s literal time and effort on the part of the organization’s employees, or money and time spent in PR management and marketing communication to try to change the consumer’s perception of the organization. While some organizations have the business foundation and financial backing to recover from a breach, for others such reputational and consumer damage could be catastrophic to the business. In fact, approximately 60 percent of small businesses that suffer a data breach go out of business within six months.

Of course, one way to ensure data security within your organization is to protect your data and destroy old drives as soon as they reach the end of their life cycle. Proper data disposal means destroying both the stored data and the device or media on which the data is stored. It’s important to remember that for digital media, the device should first be degaussed before it is destroyed by means of shredding, pulverization, melting, disintegration, or incineration, rendering both data and device unreadable and impossible to reconstruct.

You can work with a third-party vendor who will destroy your data and drives for you; however, the safest and most secure way to dispose of data is to work with a vendor like SEM that provides your organization with the necessary data disposal machinery, which can be kept on-site and used only by your authorized personnel. By keeping end-of-life destruction on-site, you not only have the most secure procedures, but also save the most money.

Ultimately, don’t take chances when it comes to breaches. The real cost is too great, and losing money, your business, and your entire company or organization is preventable. Take the steps today to ensure your future is safe and secure.

For more information on how maximizing every square foot of your facility with in-house data destruction is the best financial investment when it comes to proper data security, you can hear from Ben Figueroa, SEM’s Global Commercial Sales Director, below.

How to Maintain Data Security in the Secure Printing Industry

February 25, 2019 at 2:12 pm by Paul Falcone

Let’s Get Personal.

When you work in the secure printing industry, you’re working with Personally Identifiable Information (PII) every day. Regulations and standards like the Fair and Accurate Credit Transaction Act (FACTA), General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), and Intergraf have changed the way that we handle and process paper, credit cards, printing plates, and more. So, with all these rules and regulations, are you taking every step necessary when these prints reach the end of their life and need to be securely destroyed?

The Risks:

You may feel that your company or organization is doing a good job destroying data because you’ve been breach-free and have had no major security problems. But in private data and security, threats are constantly evolving, changing, and adapting to the systems that are in place. If you end up being the victim of a breach and word gets out, the following can happen:

– Loss of customers/clients and of confidence in your business
– Fraud losses, legal costs, and fines/penalties
– Ultimately, lost jobs and going out of business

In fact, studies show that over 60 percent of small businesses that experience a breach never recover and end up going out of business within one year. To avoid this, you need to have a preemptive plan of how to destroy sensitive data correctly and efficiently.

Destruction Guidelines: What Do I Do?

Paper:

A high-quality data destruction shredder can be used to shred all documents that contain any PII. According to FACTA, destruction needs to make paper unreadable and unable to be recovered. For print, this includes shredding, pulverization, and burning. The NSA standard for print to be unrecoverable is a 1mm by 5mm particle size. A machine like the 244/4 High Security Paper Shredder would do the trick.

In Europe, GDPR goes beyond just the secure destruction of PII. According to Article 17, the “Right to Erasure”, any consumer can request to have all their personal information wiped from a company at any given time. If a consumer makes the request, the company has 30 days to comply by removing all sensitive information it holds on the individual. The GDPR standard for paper destruction is a 10mm particle size. This unclassified shredder list will meet the standard set forth by GDPR while allowing you to choose a model that fits your workload.

Credit Cards:


When creating a new credit card, PII can be left behind before the card is even shipped out. Within the process of printing information on a new card, a printing plate is used to create the lettering, design, and some of the security features on the card. In the same manner, the tipping foil that is used to personalize cards can retain the numbers from the card after use.

To be properly secured and maintain client security, all materials used in the process must be properly destroyed, including the credit cards themselves. Intergraf certification (Intergraf is the European federation for print and digital communication) is a rising standard that is quickly being adopted in the secure printing industry. The most security-focused printers are choosing to become Intergraf certified, as more and more clients request that their information be properly handled and destroyed. The standard for printing plates is DIN 66399 P-1, while for credit cards the standard is a minimum of P-5.

Credit cards shredded to the DIN 66399 P-5 standard.

When you have a large load of cards to destroy, a machine like the 0201 OMD Optical Media Destroyer would be more than enough to securely destroy cards to a particle size from which no one could recover data. If you need to destroy credit cards, tipping foil, and printing plates, we recommend using a machine like the 1012/5, which not only destroys all the materials listed, but also runs without oil.

While the world around us likes to say that print is going away, the reality is that it’s not. The steps that you take today to prepare for the destruction of PII could save not only money, but your job and your company as a whole. Keep up to date with the latest standards and use high-quality shredders to ensure that you handle data securely and professionally for you and your clients.

Security Engineered Machinery to Rebrand SITES Business Under SEM Brand

October 30, 2018 at 11:04 pm by Heidi White

Growing secure data destruction device manufacturer has said the change will take place on November 1

SEM will continue to provide the same product offerings and superior service that SITES clients have come to expect.

Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, announced late Tuesday afternoon that it will no longer market SITES-branded equipment as of November 1. All products previously branded under SITES will continue to be sold globally under the SEM brand.

Andrew Kelleher, SEM President and Chief Executive Officer, says the decision to discontinue the SITES brand came as a result of extensive market research and product review. “The SITES brand was originally started to serve our growing commercial client base, but we found that there was significant overlap with our government and commercial clients,” said Kelleher. “We also found that there was significant product redundancy between the SEM and SITES brands, which the simplification will resolve. We are appreciative of our clients and resellers who have worked with us under the SITES brand and are diligently working through a seamless transition with them.”

In business for over 50 years, SEM sells primarily to United States federal government entities including the military, FBI, CIA, DoD, Department of State, and Department of Treasury. SEM will now also service existing SITES commercial clients including data centers, financial services companies, healthcare organizations, security printers, and cloud solution providers and will directly market to commercial clients under the SEM brand moving forward.

“Eliminating the SITES brand enables us to sharpen our focus on the strong industry reputation and significant global brand awareness of SEM,” added Kelleher.

SEM will continue to support existing SITES products through parts availability and its world-class sales and service teams. The new commercial section of the SEM website can be accessed via the green tab at the top of the page.