True story: The CEO of a large defense contractor spills coffee on his laptop while en route to a business meeting. His staff arranges for a local company to recover highly sensitive data from the damaged laptop, data that is critical to a pending business merger. The recovery is a success, but the merger is derailed when confidential data is leaked to the media by a recovery engineer. Could this happen to your business? A January report from the Ponemon Institute suggests that it’s quite likely.
Recovery software is not an option when a drive has suffered physical or electromechanical failure. Outside recovery vendors are the only solution, but they pose a security risk if they aren’t vetted properly. As businesses and government organizations increase their use of data recovery vendors, the potential for data breach during the data recovery process also increases if the vendor’s security protocols are not properly vetted. In its second annual study, “Trends in Security of Data Recovery Operations,” the Ponemon Institute, a privacy and information management research firm, interviewed 769 IT security and support practitioners in US healthcare, financial, and government organizations, most of whom report to CIOs and CISOs. Here are the study highlights. Use of Third-Party Data Recovery Vendors Increasing (as often as once a week) Eighty-five percent of the respondents report their organizations have used or will continue to use a third-party data recovery service provider to recover lost data. This is an increase from 79 percent in the previous study. In fact, 39 percent say they use third parties at least once a week or more.
Loss of Business-Critical Data Drives Use of Data Recovery Vendors: In spite of today’s security jitters, organizations will most often use third-party data recovery vendors when intellectual property, financial information, and customer/patient data files have been lost. IT desktop and help desk support managers typically select data recovery service providers. Mandated to close job tickets fast, speed ranks higher than security in their selection criterion according to the study.
IT Security Often Not Involved in the Data Recovery Vendor Selection Process: Fifty-four percent of respondents confirmed that IT security is typically not involved in the selection or vetting of third-party data recovery providers, which could play a role in IT support’s placement of speed over security. Organizations admit that they need to improve the due diligence for vetting third-party vendors and their data recovery service verification.
Data Breaches on the Rise at Data Recovery Vendors: Of the 87 percent of respondents who experienced a data breach in the past two years, 21 percent say the breach occurred when a drive was in the possession of a data recovery vendor. This is an increase from the 2009 Ponemon study. Many respondents point to the vendor’s lack of security protocols as the cause.
Leading Security Guidelines Not Considered When a Data Recovery Provider Is Selected: According to the study, 54 percent of respondents do not require third-party data recovery vendors to comply with leading security guidelines such National Institute of Standards and Technology (NIST) and International Organization of Standards for Business, Government, and Society (ISO).
Cloud Storage: A New Threat to Data Security During Data Recovery: Organizations need to carefully phrase business associate agreements for cloud storage providers, mandating notification should a data loss occur at the cloud facility and the services of a data recovery vendor be engaged.
Security Policy and Guidelines Needed for Data Recovery Vendor Selection: The majority of IT security and support professionals who participated in the study felt that organizations should have policy and guidelines in place for selecting and using a data recovery service provider. Healthcare organizations, government agencies, and financial organizations are required by law to meet the most stringent data security guidelines and are now requiring third-party data recovery vendors to meet these same guidelines.
Respondents to the Ponemon studies developed a data security checklist for vetting third-party data recovery service providers. Their top ten questions are printed on the reverse side of this article. The full study can be found in the online library of DriveSavers Data Recovery.
Most IT security professionals are focused on protecting the organization’s digital assets from malicious insider threats, malware, or network attacks. Data recovery service providers are not on their radar. It is the desktop support team who typically engages a third-party service provider to recover lost data when a storage device fails and no backup can be found. A recent study by the Ponemon Institute on the security of data recovery operations reveals just how vulnerable your company’s data is at the hands of these vendors and how important it is that you vet them properly. Check out what 769 IT security and support professionals think you should ask before handing over a failed device and your company’s most critical business data.
Top 10 Questions to Ask Your Data Recovery Service Provider (before sending them your failed data-storage device)
- What is your policy for the secure handling of data storage devices?
- Do you conduct background checks on all employees involved in the data recovery process?
- Is encryption used for data files in transit?
- Do you operate a certified ISO-5 (Class 100) cleanroom?
- Do you offer chain-of-custody documentation?
- Do you have a certified secure network?
- Do you have proof of internal IT controls and data security safeguards (e.g., SAS 70 II audit reports)?
- Do you have certification from leading encryption software manufacturers?
- Do you offer certified secure data destruction of unwanted drives and data if required?
- Do you have proof of compliance with all HIPAA data security guidelines?
Michael Hall is the CISO at DriveSavers Data Recovery, where he is responsible for advancing the company’s data security protocols to meet the needs of the government, financial, and healthcare clients it serves.