Keeping redundant data is hazardous. There are cyber security risks. There are storage costs. In addition, it is environmentally impactful. Organisations need to address the issue of erasing redundant data securely as a priority.
Civil engineers are fond of saying ‘there are no votes in sewers’ as an explanation for why investment in water treatment is rarely a priority. And yet, clean water is essential for all of us.
Is the same true for data sanitisation? After all, there are more glamorous parts of information security – AI-powered threat detection, natural language processing, DLP, to name only a few.
But just as clean water is essential for human health, so clean data is essential for corporate health. And a critical part of getting clean data is ensuring that irrelevant, obsolete or inaccurate data is erased while data that needs to be retained for regulatory reasons, or has a business use, is stored securely.
In June 2019, a dozen senior privacy, security and data professionals met at the Goring Hotel in central London to discuss this crucial issue. At this meeting, sponsored by secure erasure specialists Blancco, several major sectors of the UK economy were represented, including healthcare, financial services, local government and energy, ensuring a very wide-ranging and pragmatic discussion.
Last year the GDPR brought data erasure to the forefront of people’s minds. The much discussed ‘right to be forgotten’ led people to think that all individuals had to do was to demand that their personal data was erased, and it would be. In fact, the reality is more complex, with data erasure being a right only in certain situations. Meanwhile, there are many other circumstances where data must be kept for legal reasons.
But, as delegates pointed out, data removal through the destruction of IT assets is often simply part of agreed and sensible business requirements. Data policies may, and indeed should, specify that unwanted data should not be kept. As was pointed out: ‘If data isn’t an asset, then it’s a risk!’
And that’s true. Data is always at risk of being leaked. So if you don’t need it, it’s better not to keep it.
And sometimes, even data you do need should be erased. One example: when there are duplicate instances of the data, perhaps on a dev server, or a laptop that someone uses away from the office. Duplicated data not only adds to cyber risk by extending the attack surface criminals can access, but it also means there is a possibility of two versions of the same data, with the master copy being out of date.
It’s not just about cyber security, though. Keeping data unnecessarily costs money. One example of this is faulty disk drives. These almost always contain data, some of which may be confidential or sensitive. And many organisations (over 60% of those surveyed by Blancco) are spending, or rather wasting, between $50,000 and $500,000 a year on unnecessarily storing broken drives.
Problems with erasing data
Permanent removal of data is not as simple as deleting a file. All deletion does is remove the signposts to the file: the data itself is almost always retrievable.
Some organisations seem to take a little too much care, though. Keeping data is often strongly encouraged through an organisation’s culture. People feel that historical data may be useful for analysis. They have heard about ‘big data’ and think that data magic might happen one day if they keep that old data.
Another problem is the increasing need to share data with third parties, including cloud service providers. The cloud isn’t a problem in itself. But it brings with it a need to deal with third-party cyber security risk, which is a difficult issue. For instance, data in the cloud might pass through several different systems, making it hard to know where it is and whether it is still encrypted.
Some organisations are required to keep certain data for legal and audit purposes – but this does not apply to all data.
Whether you are working with cloud suppliers, other suppliers or business partners, you need to follow a robust process for managing data:
• Undertake due diligence: is the third party employing data sanitisation and security best practices through an approved provider? Can they provide verification and certification?
• Ensure data is sanitised at key points in the cloud storage life cycle, such as migration, end of contract, etc
• Make sure you are satisfied with the third party’s approach to security. Don’t just take the company’s word: conduct a site visit, commission an independent report, get references, ask tough questions about how policies are monitored on an ongoing basis
• Identify what data you have that will be shared with them and where it is stored currently
• Identify any redundant data, especially any that is at risk of being shared with the third party (because when it is shared it leaves your control)
• Erase any redundant data
Data erasure and CSR
The practical challenges surrounding data erasure can be overcome with care and effort. In every case that effort will cost less than the potential damage from a data breach, especially when you consider that the ICO is now taking full advantage of their GDPR-derived ability to fine companies rather more than £500,000.
But data security, and data erasure, isn’t just about money. Data breaches can wreck lives when they result in stolen identities. Organisations need to take this seriously.
And they also need to consider sustainability issues. How should obsolete or broken technology such as servers, mobile phones, drives, laptops and PCs be handled? Should they be destroyed and recycled? Should they be upgraded and reused in house? Should they be given away?
These are all good and sustainable options. But all too often, organisations choose to do nothing. They think that onsite storage is the risk-free option from a data security perspective. (It probably isn’t!) But doing so leads to storage costs and the potential loss of funds (such as RMA refunds, resale potential, etc).
Instead, sustainability around data erasure should be built into CSR policies. Recycling e-waste is an important opportunity. Donating old equipment is a chance to do good and organisations can partner with charities to provide equipment for schools and developing countries.
And if data erasure is built into recycling processes, it is perfectly safe. Up until now there has been a simple equation: the value of redundant equipment is the cost of disposing of it securely. But this is changing and organisations, pressurised by consumers, may well need to take a different and more sustainable approach to dealing with redundant equipment.
Secure data erasure
Secure data erasure is not difficult if a robust process is followed, something that can be achieved by working with a certified vendor who can advise on best practice and build a data policy, then guide you through the data erasure process.
The process starts with a requirement to identify the data you hold, including any redundant data and any instances of duplicated data. This data then needs to be erased securely. And once it has been erased, it should be verified and certified (just in case!).
This type of simple process needs to be defined in a data policy that is regularly reviewed. And someone needs to be responsible for writing that policy and, in turn, for its monitoring. There will be decisions to be made about what data to erase and how to erase it. As with all security policies, accountability should rest at board level. But responsibility will likely rest with different business units.
A robust policy won’t be sufficient on its own. Attention must be paid to human issues. Motivating IT professionals as well as other staff who use and manage data is important. This can involve training and monitoring, but also cultural change so that everyone accepts the importance of keeping data safe and identifying data that is no longer needed.
Delegates agreed that there is no silver bullet for secure data erasure. Technology is important. But so is having the right processes in place. And having people who will operate in accordance with those processes, because everyone shares this issue.
Data sanitisation: it’s not easy. But it is the right thing to do, for many reasons but especially for sustainability and CSR. And for that reason, data erasure needs to move up the corporate agenda and be treated as a strategic issue by boards and organisational leaders.
Blancco is the industry standard in data erasure and mobile device diagnostics. Blancco data erasure solutions provide thousands of organisations with the tools they need to add an additional layer of security to their endpoint security policies through secure erasure of IT assets. All erasures are verified and certified through a tamper-proof audit trail.
Blancco data erasure solutions have been tested, certified, approved and recommended by 15 governing bodies and leading organisations around the world. No other data erasure software can boast this level of compliance with the rigorous requirements set by government agencies, legal authorities and independent testing laboratories.