Companies prove careless when enlisting data recovery services

Survey finds companies suffer data losses by failing to vet security policies of third-party data recovery partners

Even the most vigilant IT security department could invest countless hours and dollars into defending its company's data troves from infiltration by malicious outsiders, only to hand over a laptop containing highly sensitive information to a seedy third-party data recovery outfit that ends up selling the laptop drive's contents for cash.

This sort of event isn't as uncommon as one might think (or hope), according to a study released by Ponemon Institute titled "Trends in Security of Data Recovery Operations." Among the 87 percent of survey respondents who said their organization suffered a data breach in the past two years, 21 percent said the breach occurred when a drive was in the possession of a third-party data recovery service provider. For the report, commissioned by DriveSavers, Ponemon surveyed 769 IT security and support practitioners at U.S. health care, financial, and government organizations, most of whom report to CIOs and CISOs.

Those figures may not be surprising when you consider how many organizations readily turn to third parties to recover data from storage devices: 85 percent, up from 79 percent in 2009. What's more, 37 percent of respondents said they use multiple third parties, and 39 percent said they use third parties at least once per week.

The appeal of going with a third party is evident: It can be faster and less expensive than doing it in-house. For example, an employee's laptop may die while he or she is on the road. It's easier -- and sometimes necessary -- to use the closest local data-recovery service than to deal with shipping a machine to the home office.

The problem, however, is a lack of proper vetting of third-party data-recovery providers: Survey respondents said that when choosing a service, the most important criteria tended to be speed of service, recovery success rate, and overall quality of service. Those are all important factors, but only 28 percent said that data security was a main selection criterion. In general, 30 percent of respondents conceded that their vetting process was merely fair; another 9 percent deemed it poor.

Ponemon offers the following tips for selecting a data recovery vendor:

  • Develop a policy with guidelines for employees to follow when selecting a data recovery service provider
  • Create training and awareness programs for employees to ensure sensitive and confidential data is protected throughout the data recovery process
  • Require your provider to supply proof of internal controls and data security safeguards, such as compliance with SAS 70 Audit Reports
  • Ensure that the providers' engineers are trained and certified in all leading encryption software products and platforms
  • Request proof of chain-of-custody documentation and a certified secure network
  • Check that the partner requires background checks of its employees
  • Ensure that the company performs secure and permanent destruction of data, when required
  • Ensure that the company encrypts data files in transit
  • Ask for proof of a Certified ISO 5 (Class 100) clean room, in which sealed drive mechanisms can be opened in accordance with all leading hardware and storage device manufacturers' specifications without voiding the original warranty

This story, "Companies prove careless when enlisting data recovery services," was originally published at InfoWorld.