Thanks to the proliferation of data breaches around the world, CIOs, CISOs, IT managers, CEOs and boardroom executives face the arduous and complex task of safeguarding their organization’s proprietary information. Companies, however, tend to associate the threat of data loss with malicious actors or stolen property.
This has become a critical blind spot. Companies — and anyone else who touches or is involved with the collection, storage and protection of data — should instead be focused on a more subtle but just as dangerous culprit: their own improper data management practices.
Dead-Bolt the Back Door
It has often been said that an organization’s greatest asset walks out the door every evening, referencing the tremendous value of human capital. Yet what many don’t realize is that as employees stroll out the front door, another invaluable asset is silently exiting through a back entrance of the building.
Every corporate security policy today should include information life cycle management (ILM). It should also have data erasure procedures for IT equipment scheduled for recycling, donation or final disposal, and describe how to manage data that is no longer required, either at its end of life or as an ongoing process to reduce scope.
Most data removal policies currently implemented are part of a general physical asset management process. If — and only if — this is performed properly, it guarantees every physical IT device that leaves an organization does not contain confidential information. Other companies will have separate policies for both physical asset and data management.
The weakness in this approach is that data management is heavily tied to each physical asset’s life cycle, and in most cases, the data life cycle can be much longer or shorter depending on the type of data.
Companies need a solution that will detect a range of hardware — everything from smartphones to high-end servers, on-premises to virtual environments — and will address data management and removal needs on both a day-to-day basis and throughout the information’s entire life cycle. Such an approach must also track and report what was erased and who specifically handled the erasure.
Not All Data Deletion Methods Are Created Equally
There are a lot of deletion products in the marketplace that are easy to find and affordable, but not all are guaranteed to erase data completely and permanently, nor do they all comply with stringent regulatory standards. To add to an already persistent problem, many organizations count on resellers or third-party vendors to perform their due diligence and erase data before the equipment is resold secondhand. But this, too, is not a guarantee.
Beyond adopting and implementing a solution, organizations need to understand the critical difference between deleting and destroying data so that it is really, truly gone and has no possible chance of being accessed and hacked.
Most continue to operate under the misconception that they have totally removed data on retired equipment. I’ve seen this for years in working with some of the biggest enterprise organizations around the world. I also witnessed it when Blancco Technology Group and Kroll Ontrack conducted a data recovery experiment last year in which we purchased 122 used hard drives and mobile devices from Amazon, eBay and Gazelle.
Beyond the fact that we found hundreds of thousands of files — including emails, call logs, photos and videos — on the secondhand equipment, the most startling discovery was that a previous deletion attempt had been made on 57 percent of the mobile devices and 75 percent of the used drives that contained residual data.
Those deletion attempts included tactics that are often assumed to be reliable but are actually not, such as basic file deletion (dropping files into the trash bin), reformatting and factory resets. The hard truth is that unless the data has been erased by randomly overwriting it with zeroes and ones in accordance with legal requirements set by governing bodies, information can and will be retrieved.
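The difference between deleting and overwriting described above, together with the earlier requirement to record what was erased and who handled it, shown as an added example that is not part of the original article or any vendor's product. The `ToyDisk` class, the function names, the operator ID and the sample record are all constructed for illustration.

```python
import hashlib
import os

SECTOR = 512

class ToyDisk:
    """Constructed in-memory 'disk': raw sectors plus a filename index."""
    def __init__(self, sectors=8):
        self.raw = bytearray(SECTOR * sectors)
        self.index = {}       # filename -> (first sector, length in bytes)
        self.next_free = 0

    def write_file(self, name, data):
        start = self.next_free * SECTOR
        self.raw[start:start + len(data)] = data
        self.index[name] = (self.next_free, len(data))
        self.next_free += -(-len(data) // SECTOR)  # round up to whole sectors

    def basic_delete(self, name):
        # Trash-bin style deletion: only the pointer is dropped, bytes stay put.
        del self.index[name]

def residual(disk, marker):
    """Raw scan of the medium, as a recovery tool would do."""
    return marker in bytes(disk.raw)

def overwrite_and_verify(disk, operator):
    """Overwrite every sector with random bytes, read back, return a report."""
    pattern = os.urandom(len(disk.raw))
    disk.raw[:] = pattern
    disk.index.clear()
    return {
        "operator": operator,                      # who handled the erasure
        "bytes_overwritten": len(pattern),         # what was erased
        "verified": bytes(disk.raw) == pattern,    # read-back check
        "pattern_sha256": hashlib.sha256(pattern).hexdigest(),
    }

def demo():
    secret = b"CONSTRUCTED-SAMPLE payroll row: alice,52000"
    disk = ToyDisk()
    disk.write_file("payroll.csv", secret)
    disk.basic_delete("payroll.csv")
    after_delete = residual(disk, secret)   # file is "gone" but still readable
    report = overwrite_and_verify(disk, operator="tech-042")
    after_erase = residual(disk, secret)
    return after_delete, after_erase, report

if __name__ == "__main__":
    print(demo())
```

This models only the logical difference between removing a pointer and overwriting the bytes; on real media the overwrite has to cover the whole device, not just the visible files, and be verified afterwards.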
Trust No One But Yourself With Data Management
The loss of sensitive data poses significant financial, legal and reputational ramifications. Looking at some of the big data management failures of 2015, no organization benefits from taking a passive approach to handling its information across the entire life cycle – from creation to collection to storage to transfer and to destruction.
Rather than wait until a worst-case scenario occurs, teams both inside and outside the traditional IT department need to get involved in data life cycle discussions now. They’ll have a closer eye on where mission-critical corporate data is being stored and gain insight into how to securely manage the reduction and discoverability of data.
It’s the sole responsibility of a company, as the original user and owner of data, to properly sanitize information across its entire life cycle. When businesses take a lax approach and do not monitor how, when and where data is removed — or if they fail to obtain verifiable proof that all information has been removed permanently — they put the long-term success and reputation of the organization at serious risk.
CEO, Blancco Technology Group