October 27, 2014
Wipe Your Data Or End Up In Big Doo-Doo
BLOG VIEW – News of security breaches, hacker attacks, and identity and data thefts has grown at an alarming rate across all industries: financial, healthcare and insurance to name a few. Banking titan JPMorgan Chase and retailer Kmart are just a couple of the latest companies to be hit by hackers. These breaches are the catalyst for preventative measures to protect against future incidents. In addition to reviewing policies and making data security an even higher priority, all companies need to look more closely at how they can destroy data that is no longer needed while maintaining strict compliance requirements.
According to a July report from Databreachtoday.com, "The federal tally of major health data breaches has grown substantially in recent weeks to a total of 1,074 incidents affecting 33.7 million individuals since September 2009. The approximately 30 incidents added to the list over the last month provide examples of the variety of risks that healthcare entities continue to battle."
The shocking news is that most of these data breaches have been due to the theft or loss of laptop and desktop computers. This could easily have been prevented with technology that is currently available and by taking a more security-centric business focus.
Most people are probably aware that deleted data go into a recycle bin but are still accessible. Even after being deleted, data can be easily recovered using a number of software tools, so it is not safe to just delete confidential, personal, financial or healthcare files or any other sensitive information. Deleted data are merely tagged as "deleted"; they are not actually erased. This, unfortunately, exposes an organization to possible non-compliance with data-wiping policies and endangers the safety of personally identifiable information in cases where a computer is hacked or stolen. To manage confidentiality of the data at the disposition stage, companies need to use a tool that removes data securely, leaving no traces behind, while still protecting user data.
Having a proven data-wiping tool in place eliminates the possibility of an unwanted information leak. While most of a company's systems security is managed at the network and application level, securing laptops and desktops is still a gray area, hence the need for additional security measures at that level.
When companies dispose of old computers and laptops, they often donate, sell or trash them. If the data have not been correctly wiped from the hard drives, there could be a security breach.
Fortunately, there are data-wiping applications that can eliminate breaches in both cases. For old machines, companies can completely erase the hard drive before disposal. In the case of a stolen machine that has data-wiping software, companies can notify the data-wiping software provider, who can then remove data securely from the specified drives on the machine when and if it is connected to the Internet.
To improve data-wiping processes, companies should do the following:
- Review current data-wiping practices to ensure they are compliant;
- Remove shared access where possible;
- Set the retention period for each type of data, file and folder, and ensure that, after the retention period has ended, data are securely removed from the devices using a data-wiping application;
- Implement a practice to remove data securely;
- Protect external drive access by setting passwords and removing data securely from storage devices;
- Publish data disposition and wiping guidelines internally; and
- Deploy a secure data-wiping tool for each user.
Companies can ensure they are compliant with state and federal data-wiping laws by following simple risk management strategies that will allow them to avoid the risk of data breaches. To be successful, those strategies must include an enterprise-wide approach to data protection and destruction. Process, people and technology can negate the power of thieves.
Ramesh Devare is chief operating officer for IndiSoft, a provider of software to the financial services industry.