Friday 31 January 2014

Three quarters of UK businesses fail to secure old hard disk data

Three quarters of UK businesses are failing to adequately wipe data stored on old hard disks when decommissioning them, according to Centrex Services.
Centrex Services managing director Glyn Dodd revealed the alarming figure during an interview with V3. "Our estimates show 45 to 60 percent are aware there is a problem and want to do something about it, but only around 25 percent are actually in the process of applying firm policies," he said.
Dodd said the trend is due to most businesses' reliance on outdated hard disk destruction policies, such as shredding and drilling. "For the last two to three years the normal way of destroying hard drives has been just to put them through shredders or high-pressure devices," he explained.
"We did some research with Kroll and found these methods still leave particles of data. We also tested this by drilling disks – another very popular way of destroying data – and found they also had remnants of data around the drill holes."
Dodd said the use of such techniques is dangerous as the disks can be exploited by criminals to steal company data. "It's not easy to recover, but there is a growing industry for data-recovery specialists around the globe," he noted.
"Some of these people are very professional, some less so. Some are looking to steal people's identities and data. It requires technical skills to get it, but the fact is these destruction techniques do not work and leave behind data. This is a problem."
Dodd added that the practices could also land businesses in hot water with the Information Commissioner's Office (ICO).
"New legislation means the data controller has responsibility for it all the way through the chain of custody and can't end that just by handing it to a third-party recycler. He can't say it wasn't his fault as he handed the hard disk away to someone else," he said.
"He has to be in full control of the data, know where it is and who has it at all times. The ICO is looking at putting legislation to give huge fines in the future. The legislation due for 2014 says five percent of global turnover can be fined for a breach of data security responsibilities."
Dodd argued that companies will need to learn from their US colleagues and implement more robust hard disk management and destruction policies.
"European-approved data destruction hasn't caught up with the US. In the US the only legal way to remove data from magnetic media is electromechanical degaussing – shooting a large electromagnetic pulse through a hard drive at the end of its life cycle," he said.
"But on top of that you need to have a track and trace function showing where the data has been to ensure you have full audit control of where the hard disk is at any time."
Dodd's comments mirror those of the ICO, which has said businesses must take data storage security more seriously if they want to avoid falling foul of the Data Protection Act and paying a fine of up to £500,000.
