Every couple of years, a research team makes the headlines after buying discarded hard drives, laptops or desktop PCs to see what kind of data they can salvage. In 2003, two graduate students - Simson Garfinkel and Abhi Shelat - purchased just over 150 second-hand hard drives, approximately one third of which still contained confidential information. Two years later, a German team discovered that seven out of every ten used hard drives bought on eBay contained readable data.
The most recent example occurred in May 2009 when an English-led team restored an eBay-purchased hard drive and revealed the launch procedures for a US air missile defence system. The drive also contained defence-related policy documents, facility blueprints and sensitive contractor employee data. Other hard drives purchased by the team contained medical records, bank account details, confidential business plans and corporate financial data.
Despite all the research and the publicity, it seems as though governments and companies still have a long way to go with respect to successfully managing the entire data lifecycle.
Look after your current data
The question of data security is a fundamental part of how you look after data. A recent Kroll Ontrack survey of 945 IT managers across the Asia-Pacific found that data loss had affected just over half of all respondents within the last two years.
The survey also showed that - whilst backups remain the most common way of restoring lost data - only 41 per cent of companies test for the ability to restore from a backup on a monthly or more frequent basis. Smaller companies are the worst at checking backup restoration, with 35 per cent of them stating they do this "sporadically, with no time frame." More worryingly, nearly one quarter of companies acknowledged that their data is productive for one day, yet they back up every three days or less. This means that their backup frequency does not match their business requirements for restoration.
The Business Continuity Institute's Good Practice Guidelines make it clear that responsibility for continuity remains with an organisation, regardless of outsourcing arrangements. Companies should enforce stringent parameters for selecting outsourcing providers and insist on regular testing of backups and erasure verification services in order to avoid the potential for data loss that could lead to serious business interruption.
Data retention policies
The survey also showed a major gap in the number of companies prepared for the end-of-life of their data, with just over half of all organisations reporting that they have a formal policy for the retention (or preservation) of corporate data.
When it is time to delete files or retire storage devices, 36 per cent of respondents stated that they use data erasure software. A further 21 per cent cited the use of demagnetising devices, while 31 per cent said that they destroy their old storage devices. Larger companies use a mixture of all three, while the smaller ones tend to rely more heavily on data erasure software. The smaller companies are also the most likely to underestimate the importance of their data and frequently fail to put in place formal erasure policies.
However, an alarming 24 per cent of respondents have no formal policy for erasing sensitive information. It is this group - nearly one quarter of all the companies involved in the survey - that contains the most likely candidates for embarrassment in the next hard drive restoration study.
Find it on Google
A Google search on the phrase "restore erased hard drive" returns approximately 657,000 results. It takes less than a couple of minutes to locate literally hundreds of sites offering hints and step-by-step processes for restoring erased or lost data. Companies that allow old hard drives to be auctioned off or otherwise disposed of without first giving due thought to removing the contents need to understand that they run a serious risk of publicising their corporate secrets.
What happens to data from the beginning through to the end of its lifecycle is just as much a matter of IT security as the corporate firewall or intrusion prevention solution. First, maintain and test your disaster recovery plans on a regular basis. Second, document your retention and erasure policies, and then adhere to them. With these two simple steps, you can save your organisation from a whole lot of heartache and make sure that your confidential data doesn't fall into the wrong hands.
The Business Continuity Institute's Good Practice Guidelines encourage a holistic approach to business continuity management. This includes identifying potential threats to an organisation that emanate from its technology infrastructure. Losing access to critical files or having them fall into the wrong hands is something easily avoided by having sound backup and erasure policies in place.
Adrian Briscoe is the general manager of Kroll Ontrack Asia-Pacific.