How to safeguard your critical data

Today, every business has data at its core. In fact, the data mountain has never been bigger.

 In 2018, the global volume of data was thought to be 33 zettabytes (ZB). Yet, IDC predicts this is likely to rise to 175 ZB by the middle of the decade.  

Whilst corporate data holds great value, it also carries great risk. Unfortunately, in these times of increasing home working, where this data resides is often a mystery. From Word docs to Excel spreadsheets, emails to SQL databases, files can be copied and moved at will. Even the most organised business would find keeping a full inventory of its data impossible. It has become a game of hide and seek that IT departments would rather not play.

Keeping sensitive data safe and secure should be a priority for all businesses, as the financial penalties of not doing so can be crippling. The General Data Protection Regulation (GDPR) was brought in to protect sensitive data. With GDPR, businesses that fall foul of a data breach face a fine of €20m or 4% of annual turnover (whichever is greater). GDPR is just the tip of the iceberg though. Each industry has a multitude of its own rules and regulations that IT Managers need to be cognisant of and ensure that their business complies with.

Particularly in highly regulated industries such as financial services and healthcare, creating a clear data erasure policy is essential. It should be fit for purpose and for the modern age. You should ensure that it covers all of the most popular storage technologies and the plethora of ‘end points’ – both fixed and mobile – found in a modern organisation. 

It is important to remember that ‘delete’ does not mean the same as ‘erase’. There is a common misconception that simply reformatting the storage medium or hitting the delete button are secure erasure methods. They rarely are. Data deletion leaves data recoverable, whereas data erasure is permanent. Confusing the two can lead to organisations leaving themselves vulnerable.  

Before you search for the data that needs to be purged, you need to know what you are looking for. Whilst each business is different, the type of data they hold generally falls within three distinct areas: 

  • Customer data – that includes personally identifiable information (PII) such as name, address, account numbers, financial data and – depending on the industry – health information such as medical records.  
  • Employee data – which is similar but will also include salary and performance review information.  
  • Corporate data – such as intellectual property (IP), research and development data, details on mergers and acquisitions, financial results and other sensitive operational information. 

Once you know what types of data you have within your organisation, you should categorise it depending on its confidentiality. This will ensure it is dealt with correctly when no longer needed. The ‘NIST 800-88’ published by the National Institute of Standards and Technology in the US is the go-to document for this. It provides guidelines on how organisations worldwide should effectively sanitise media so that data is irretrievable once the data or data storage device reaches its end-of-life.

The levels of data sanitisation outlined within the NIST 800-88 are:

  • Clear – which applies to logical techniques to sanitise data for protection against simple non-invasive data recovery techniques. Typically, this applies to rewriting with a new value or using a menu option to reset the device to the factory state.
  • Purge – which applies to state-of-the-art physical or logical techniques to render data recovery infeasible. 
  • Destroy – which as well as rendering data recovery infeasible, results in the subsequent inability to use the media for future storage of data. 

Make sure you pick the correct sanitisation method for your data. 
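
The delete-versus-erase distinction and the Clear and Purge levels above, shown as an added example that is not part of the original article: a toy Python storage model in which a raw scan of the medium checks whether a record survives each method. It goes slightly beyond the text by also modelling media that remap writes (as flash storage does), where a Clear-style overwrite can leave the old copy behind; the `ToyVolume` class, its method names and the sample record are constructed for illustration.

```python
# Toy storage model, constructed for illustration; not a real filesystem or SSD.
BLOCK = 16

class ToyVolume:
    def __init__(self, nblocks=12, remaps_writes=False):
        self.blocks = [bytes(BLOCK)] * nblocks   # raw medium
        self.table = {}                          # file name -> block indexes
        self.free = list(range(nblocks))
        self.remaps_writes = remaps_writes       # True models flash-style remapping

    def write(self, name, data):
        idxs = []
        for off in range(0, len(data), BLOCK):
            i = self.free.pop(0)
            self.blocks[i] = data[off:off + BLOCK].ljust(BLOCK, b"\0")
            idxs.append(i)
        self.table[name] = idxs

    def delete(self, name):
        # Delete: forget the table entry and mark blocks reusable. Contents stay.
        self.free.extend(self.table.pop(name))

    def overwrite_then_delete(self, name):
        # Clear-style rewrite with a new value through the normal write path.
        for n, i in enumerate(self.table[name]):
            if self.remaps_writes:
                # Write lands on a fresh block; the old one is only marked stale.
                self.free.append(i)
                i = self.table[name][n] = self.free.pop(0)
            self.blocks[i] = bytes(BLOCK)
        self.delete(name)

    def raw_scan(self, needle):
        # What a recovery tool examines: every block, allocated or not.
        return needle in b"".join(self.blocks)

def run(method, remaps_writes=False):
    # Returns (visible file listing, whether the record is still on the medium).
    vol = ToyVolume(remaps_writes=remaps_writes)
    vol.write("customers.csv", b"acct=CONSTRUCTED-0001;name=Test User")
    getattr(vol, method)("customers.csv")
    return sorted(vol.table), vol.raw_scan(b"CONSTRUCTED-0001")

if __name__ == "__main__":
    print("delete:            ", run("delete"))
    print("overwrite:         ", run("overwrite_then_delete"))
    print("overwrite on flash:", run("overwrite_then_delete", remaps_writes=True))
```

In all three runs the file listing is empty, so the listing alone says nothing about whether the data is gone; only the raw scan distinguishes them.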

Working from home has become the new normal for us all. This has led to a company’s data becoming more dispersed than ever before. The need for effective data erasure has never been more important. Unfortunately, the confusion about what constitutes the correct data sanitisation method continues.  

Ensuring your business is using a proven data erasure tool will go a long way in safeguarding your critical data so that it doesn’t fall into the wrong hands. Only then can you keep your data and your customers’ data safe.

About the Author

Philip Bridge is President at Ontrack. Ontrack provides market leading data recovery for any type of media – hard drives, SSD, server, RAID, virtual, cloud, mobile, tape, NAS/SAN/DAS, laptop, desktop computers, and Apple devices. At the core, we understand that data is the lifeblood of your business.
