Could your business’ data also be published on Wikileaks?
If you don’t want to risk having your sensitive business data leaked, you need to take a serious look at how your company disposes of old PC’s, hard drives, servers and other storage devices.
Most businesses, both small enterprises and global companies, remember to protect their data by creating backup copies, using proper software or implementing procedures that keep their digital documents safe. Unfortunately, many companies forget that computers or mobile devices they no longer use may still contain sensitive proprietary data or even worse – information about their clients. Nevertheless, wiping strategic information is starting to be almost as important as data loss protection.
Almost every day the media report about data leaked from banks, government institutions or big international companies. At the beginning of 2011, a former Swiss bank employee provided Wikileaks with data of 2,000 former clients while at the end of 2010 NASA’s Inspector General revealed that during disposal of IT equipment used in the Space Shuttle program there was a serious breach of procedures connected with data safety.
Strategic data leaked as a result of neglect and improper erasure of information from computers prepared for sale. The problem concerned 14 computers, at least ten of which have so far got into private hands. The above scandals prove that even the biggest business and government institutions make basic mistakes in their data erasure procedures.
The source of the problem is not as it may seem lack of access to advanced technologies but lack of awareness concerning basic principles of data erasure.
New computers… what’s next?
When an employee gets a new computer and there are no procedures for protection and erasure of data it is almost certain that our data can leak. It is worth mentioning that many institutions suffer data leakage before old computers are replaced with new ones. Experts estimate that 25 per cent of computer users send corporate email to their private accounts and 20 per cent of them send email with classified information to friends and third parties.
But what happens to a computer the company does not need anymore? There are two possibilities. Either a colleague gets it or it is sold to a used computer dealer or scrapped.
When the company disposes of a computer, the most common way of removing data, unfortunately quite ineffective, is reformatting. However, after this operation all data is still accessible, even for a data recovery amateur, who may use a good and widely available data recovery program, such as EasyRecovery.
According to a global data wiping survey conducted in 2010 by Kroll Ontrack in North America, Asia and Europe, only one out of two businesses erase sensitive digital documents from unused computers and hard drives. As many as 75 percent of them do not delete data securely.
According to Kroll Ontrack Annual ESI Trends Survey 2010 concerning digital data storage, global companies suffer loss of sensitive digital data stored on old media once a year on average. The results of the global survey also revealed that 40 percent of companies donate their old computers with the stored data to other companies or individuals and 22 percent “do not know” what happened to equipment they no longer use. Moreover, according to the experts, over 60 percent of company computers available in the second hand IT market contain business data which are fully accessible and have not been subjected to even the simplest data wiping methods.
How to erase data effectively?
There are two ways of irretrievable data wiping – a software and a hardware method. The former uses applications dedicated for irretrievable data wiping. It is worth noting that with today’s density of data recording it is enough to run a single full cycle of overwriting to prevent data retrieval. This feature is used by many data erasing programs but the most professional ones, such as OntrackEraser, overwrite data many times.
Although software data erasing is a reliable and safe method of data wiping, it is impossible to use in some circumstances.
Such situations may for example include damaged data storage media. Although damage of the drive makes direct access to data impossible, unauthorised persons repair the device and may gain access to data.
Another group of instances when software data erasing is not a method that guarantees absolute safety concerns technologically advanced media. With advanced laboratory methods it is possible to access the media and consequently to access data stored on them.
Using other methods than software data erasing is sometimes prompted by more mundane reasons. If we are dealing with a large number of media and we are short of time, we may consider methods that are faster than software data overwriting.
One such method is degaussing, which wipes the data using a strong magnetic force that irretrievably wipes all information recorded on the magnetic layer of a storage medium. In the case of hard drives this method also makes it possible to erase data necessary for proper operation of the drive, which is a guarantee that after degaussing the drive is no longer usable.
In summary, many organisations have clear document retention policies that specify how long important data, such as financial or customer records, need to be kept. But many of these same businesses don’t have clear policies for handling data that no longer needs to be retained or for disposing old PCs, hard drives, servers and other data storage devices.
“Simply ‘deleting’ all of the files stored on a hard drive or other storage device before recycling it does not protect those files from being recovered. Businesses should take IT security to the next level of zero tolerance when it comes to a potential data leakage.