An interesting article from Malwarebytes highlights an area of IT security that is often neglected: the firms that repair IT equipment.
A recent study (in the US but are things so different here?) found that commonly:
- Privacy notices were not offered and sometimes did not exist
- No mention was made of data safeguarding
- Login credentials were asked for, even if they were not needed
- Personal data (sometimes with credentials) was printed and attached to the item under repair
You can see the blog article at https://www.malwarebytes.com/blog/news/2022/11/repair-firms-might-be-rifling-through-your-personal-data but your IT security policy (part of your data protection / Cyber Essentials policies and procedures) should cater for this. I would also add disposal of IT equipment as a potential risk.
If you cannot see what the fuss is about, or would like to get some ideas on what should be in your policies, you are welcome to get in touch in any of the normal ways, by using https://zorva.info/about-us/contact-us/ or by booking a 20-minute insight call at https://zorva.info/free-insight-call/ (for TinoPai members, but it’s free to join, and you get lots of other benefits including free live and on-demand webinars).