Philip Bridge, President at Ontrack shares his insight on data erasure on Top Business Tech, this time with a focus on the different types of data a business stores, and how you can effectively implement a data erasure policy.
Today, every business from large multinational blue chips to small family run start-ups have data at their core; and at unprecedented levels. In 2018, the global volume of data was thought to be 33 zettabytes (ZB). Yet, IDC predicts that number will balloon five-fold by the middle of the decade.
Whilst corporate data holds great value, it also carries a great risk. The more data your organisation deals with, the greater the risk of its exposure. However, where that data resides is often a mystery. From Word docs to Excel spreadsheets, emails to SQL databases, files can be copied and moved at will. This means keeping a full inventory of your data is almost impossible. It has become a game of hide and seek that IT departments would rather not play.
The need to protect data
Keeping sensitive data safe and secure should be a priority for any business. In recent times, there has been a wealth of increasingly stringent regulations designed to protect data that businesses must adhere to. One such regulation is the General Data Protection Regulation (GDPR) that came into force back in 2018. It gained widespread coverage and is seen by many as the catalyst to why businesses are wanting to assess their data collection and storage systems. And for good reason. The financial penalties of failing to do so with GDPR are significant. Businesses that fall foul of a data breach face a fine of €20m or 4% of annual turnover (whichever is greater).
GDPR is just the tip of the iceberg though. Each industry has a multitude of its own rules and regulations that IT Managers need to be cognisant of and ensure that their business complies to.
The three types of data
Before you find your data, you need to know what you are looking for. Whilst each business is different, the type of data they hold generally falls within three distinct areas. Firstly, there is customer data. This includes personally identifiable information (PII) such as name, address, account numbers, financial data and – depending on the industry – health information such as medical records. Secondly, there is employee data, which is similar but will also include salary and performance review information. Finally, there is corporate data such as intellectual property (IP), research and development data, details on mergers and acquisitions, financial results and other sensitive operational information.
Once you know what types of data you have within your organisation, you should categorise it depending on its confidentiality. This will ensure it is dealt with correctly when no longer needed. The ‘NIST 800-88’ published by the National Institute for Standards and Technology in the US is the go-to document for this. It provides guidelines to how organisations worldwide should effectively sanitise media so that data is irretrievable once the data or data storage device reaches its end-of-life.
The basics of a data erasure policy
Creating a clear data erasure policy is essential, particularly in highly regulated industries. It should cover all the most popular storage technologies – whether that be magnetic or flash-based. Further, it should cover the plethora of ‘end points’ found in a modern organisation such as servers, USB drives, laptops, tablets and other mobile devices.
It is important at this stage to remember that ‘delete’ does not mean the same as ‘erase’. There is a common misconception that simply reformatting the storage medium or hitting the delete button are secure erasure methods, but they rarely are. Data deletion leaves data recoverable, while data erasure is permanent. Confusing the two can lead to organisations leaving themselves vulnerable.
The levels of data of sanitisation outlined within the NIST 800-88 are:
- Clear – which applies to logical techniques to sanitise data for protection against simple non-invasive data recovery techniques, Typically, this applies to rewriting with a new value or using a menu option to reset the device to the factory state.
- Purge – which applies to state-of-the-art physical or logical techniques to render data recovery infeasible.
- Destroy – which as well as rendering data recovery infeasible, results in the subsequent inability to use the media for future storage of data.
Make sure you pick the correct sanitisation method for your data.
Don’t cut corners
In these times, when working from home has become the norm for many, a company’s data is more dispersed and difficult to keep track of than ever before. The need for effective data erasure has never been more important. Unfortunately, the confusion about what constitutes the correct data sanitisation method continues. This is leading to businesses increasing the change of them suffering a data breach or cyber-attack.
Ensuring your business is using a proven data erasure tool will go a long way in safeguarding your critical data so that it doesn’t fall into the wrong hands. Only then can you keep the data of you and your customers safe so that you can obtain certificates of erasure that are audit-ready and meet compliance needs.