Data Privacy and Security

How much of your data is just walking out the door?

This is a contributed piece by Paul Henry, IT Security Consultant at Blancco Technology Group

A new BYOD & Mobile Security report from Crowd Research Partners has revealed just 38% of organisations are currently implementing data removal at the point an employee leaves the organisation or a device is disposed of. Even those that are, aren’t necessarily using the right methods to ensure data is truly erased. I’d love to say I’m surprised, but my own experience has taught me that hardware retirement is one of the most overlooked areas of data security.

Over the past seven or eight years I’ve personally purchased at least 800 hard drives on eBay and retrieved data from all but one of them. I’m talking thousands of emails, photos, videos, company documents and even tax returns. This is all information that would be considered highly valuable to cyber criminals. I’ve seen several studies which show much the same result when the experiment is repeated with mobile devices.

Whether employee or corporate-owned, the risk of physical devices which contain sensitive data falling into the wrong hands is very real. Yet, it would be foolish to think resisting BYOD can do anything to alleviate these concerns. In truth, corporate devices are just as likely to have a second life outside of the enterprise. Plus, through desire or necessity, at some point most employees are going to end up using their mobile device for work purposes whether or not they have been sanctioned to do so beforehand. To guarantee security, risk control measures have to be implemented from the perspective that every device connecting to the corporate network is implicitly insecure.

With so much at stake I find it both surprising and frustrating to see that most companies still don’t implement strong risk control measures. As IT professionals our first job therefore has to be to work together and educate our organisations about the need for data to be better managed across its lifecycle. Getting more specific, our second job then has to be to ensure the specified methods for data removal are fit for purpose and consistently applied. This may sound straightforward but in reality there is widespread misunderstanding of the difference between deleting and erasing data.

Many ‘deletion’ methods exist and are used by people and businesses, but not every one is capable of wiping data properly and completely. For example, there is a common misapprehension that simply restoring a device to factory settings will keep data safe, when in reality all this does is move it into an unallocated space. To use a simple analogy, it is the equivalent of deleting a library’s referencing system but leaving all of the books sitting on the shelves. Another common mistake is assuming that when a device is traded in or replaced, somebody else will wipe the data on their behalf. Failure to take responsibility for this and failure to verify the authenticity of the method being used is foolish in the extreme.
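The delete-versus-erase distinction above, as an added example that is not part of the original article: a toy Python volume in which a plain delete drops only the index entry, followed by a verification pass over the raw blocks. The `ToyVolume` class, the 512-byte block size, the zero-fill overwrite and the sample file are all assumptions made for illustration.

```python
BLOCK = 512  # assumed block size for the toy volume

# A few well-known file headers a verification pass can flag by name.
SIGNATURES = {b"%PDF-": "pdf", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip/office"}


class ToyVolume:
    """Toy storage: a name -> (start block, block count) index plus raw blocks."""

    def __init__(self, blocks=64):
        self.raw = bytearray(blocks * BLOCK)
        self.index = {}
        self.next_free = 0

    def write(self, name, data):
        count = -(-len(data) // BLOCK)  # ceiling division
        start = self.next_free
        self.raw[start * BLOCK:start * BLOCK + len(data)] = data
        self.index[name] = (start, count)
        self.next_free += count

    def delete(self, name):
        """The 'library catalogue' removal: drop the reference, leave the blocks."""
        del self.index[name]

    def erase(self, name):
        """Overwrite the blocks (zero-fill assumed here), then drop the reference."""
        start, count = self.index.pop(name)
        self.raw[start * BLOCK:(start + count) * BLOCK] = bytes(count * BLOCK)


def verify_erased(raw):
    """Return (block number, reason) for every block that still holds data."""
    findings = []
    for n in range(len(raw) // BLOCK):
        block = bytes(raw[n * BLOCK:(n + 1) * BLOCK])
        if any(block):
            kind = next((k for sig, k in SIGNATURES.items() if block.startswith(sig)),
                        "non-zero data")
            findings.append((n, kind))
    return findings


def demo():
    """Apply each method to the same constructed file and verify the result."""
    sample = b"%PDF-1.4 constructed sample " + b"x" * 700  # constructed input
    results = {}
    for method in ("delete", "erase"):
        vol = ToyVolume()
        vol.write("tax_return.pdf", sample)
        getattr(vol, method)("tax_return.pdf")
        results[method] = (list(vol.index), verify_erased(vol.raw))
    return results


if __name__ == "__main__":
    print(demo())
```

In both cases the index is empty, so the file looks gone to the user; only the verification pass shows whether the blocks were actually cleared.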

As a security expert who has advised so many companies and government agencies this frustrates me. Particularly as, with enough forward planning, introducing processes that ensure data can be securely erased from any device that has access to the corporate network isn’t particularly difficult. For example, one way to do this is to ensure data erasure software is pre-installed before mobile devices are allowed to connect to the corporate network. That way the devices can be wiped clean from the cloud when it’s time for the employee to leave the organisation.

Enterprises simply have to change their way of thinking about data management across its entire lifecycle. If you think about mobile data security as a whole then data erasure is of course one very small piece of the puzzle. Yet it is the one that is frequently overlooked and which causes some of the biggest vulnerabilities to emerge. In most organisations, once sensitive data has walked out of the door it is almost impossible to do anything to protect the company’s reputation by preventing it from falling into the wrong hands. That state of affairs needs to change and it needs to change right now. 
