In-Depth
Security: Data Disposal 101
According to a new study, more than half of U.S. businesses aren’t erasing data from computers or storage assets prior to retiring them.
After dozens of episodes in which sensitive data was lost, stolen, or misappropriated, you’d think most organizations would wake up and realize the critical need to safeguard data.
There’s at least one case in which safeguarding data means destroying data: when storage assets -- be they individual fixed disk drives in computer workstations or massive, multi-drive storage arrays -- are put out to pasture.
According to a survey from Kroll Ontrack, a software and services firm that specializes in data analysis and recovery, more than half of U.S. businesses aren’t erasing data from computers or storage assets prior to retiring them.
The results of the Kroll Ontrack survey read like a public service announcement for How Not to Retire Storage Assets. For example, 40 percent of organizations said they gave away their used hard drives, while more than one-fifth couldn’t say what they did with retired storage assets. The upshot, Kroll Ontrack estimates, is that as many as 60 percent of systems are still “fully intact” (and chock full of business data) when they reach the second-hand market.
Organizations are likewise laboring under a host of misconceptions when it comes to the secure disposal of data. Of the 49 percent of shops that say they “erase” storage assets, for example, few actually do so effectively. Instead, they take token steps (such as deleting files or reformatting hard drives).
"Three-fourths of businesses are deleting files, reformatting or destroying drives, or 'do not know' how they are erasing sensitive data,” said Jim Reinert, vice president of product development with Kroll Ontrack, in a prepared release.
“Deleting files from a hard drive only marks the files to be rewritten, which may never occur. Furthermore, reformatting the drive only removes the entries in the index or table of contents that point to the data, and physically destroying a drive is not a guaranteed method of protection.”
For example, Reinert says, Kroll Ontrack has successfully recovered data from drives that have ostensibly been destroyed.
Kroll Ontrack isn’t a dispassionate observer, of course. Not only does it market software and services designed to recover data from damaged or otherwise compromised sources, it likewise offers secure wiping products and services.
That being said, comparatively few of the companies it surveyed are consuming its -- or anyone else’s -- products or services. In a sample that included 1,500 respondents (from North America, Europe, and a smattering of countries in the Asia-Pacific region), less than one-fifth (19 percent) said that they use “data eraser” software. Even fewer (one-sixth, or 16 percent) said they have a process in place to effectively verify that data has been erased.
In fact, more than one-third (34 percent) “do not know” if their data has been successfully erased. In still other shops, “verifying” that data has been erased involves simply rebooting a system “to see if the data is still there.”
Needless to say, Reinert maintains, this isn’t the most effective of approaches.
“Reports that verify or confirm what the tool and/or service did are critical,” he argues. “Not only do they inform you of what has been wiped, but they should identify the serial number as well as the make and model information of the wiped hard drive, the date and time of when the information was wiped, and a listing of how much information was wiped."”