Home working has rapidly become the norm rather than the exception for many. Google and Facebook have told staff they can work from home for the rest of 2020. Twitter has gone a step further and told staff they can work from home “forever” if they wish. With many workers reluctant to return to the office even when it is deemed safe to do so, it is a trend that is not going to go away. So much so, that 82 per cent of UK businesses admit they are considering changing future working practices to allow more staff to work from home even after lockdown ends.
With the current pandemic leading to offices lying vacant up and down the land, there are hundreds of thousands of computers and other expensive ICT equipment left unused and gathering dust in offices. With no end in sight to the enforced lockdown for many countries, cash-strapped businesses are looking to recoup some of the capital expenditure and offload this equipment quickly. However, in their rush to do so, many are not employing sufficient data erasure techniques.
Data is central to the digitally transformed world in which we all now live. In 2018, the global volume of data was 33 zettabytes (ZB). By 2025, IDC predicts that number will balloon to 175 ZB. As well as causing untold reputational damage, leaving sensitive data on drives would likely also be in breach of increasingly stringent regulations. Not least of these is the General Data Protection Regulation (GDPR), which came into force in 2018 and where the financial penalties are significant: a fine of €20m or 4 per cent of annual turnover (whichever is greater). GDPR is just the tip of the iceberg though; each industry has a multitude of its own rules and regulations to adhere to.
Leave no data behind
Keeping sensitive data safe and secure should be a priority for any business. Outrageously, however, research we undertook alongside Blancco Technology Group last year showed that 42 per cent of drives being sold online have not been completely purged of the sensitive company data that resides on them. Some of the drives were from a major London university and contained documents with student names and coursework. Another drive we checked was found to be from a software developer with a high level of government security clearance (DV). On it were family birth certificates, scanned copies of family passports, CVs and financial records. Other drives were from a large travel company and had over 5GB of archived internal office email on them. Then there was one from a school that had several pictures from pupils’ school activities, alongside various Microsoft Word and Microsoft Excel files that contained pupils’ names and grades. I was shocked.
Every seller we purchased drives from insisted that proper data sanitisation methods had been performed so that no data was left behind. Yet, for almost half this was not the case. If we are to take sellers at their word, this demonstrates that they are attempting to permanently wipe data. However, many are clearly failing to use a fully effective solution. And in the current rush to offload IT inventory, this number is likely to rise.
Steps for business
On most of the devices analysed, someone had attempted to erase the residual data by formatting the drive. In modern operating systems, there are typically two options for formatting: a full format and a quick format. Quick format is not an erasure solution because it only removes the index, whereas a full format attempts to overwrite the disk space visible to the operating system (OS) with zeros. If everything goes perfectly, then one round of overwriting with zeros will remove data. However, the key issue with formatting is that there is no way to confirm that the data is gone. Verification and certification are key to ensuring data is permanently erased beyond recovery.
Managing data that has reached its expiration date can be a challenge for many. Rather than relying on simple formatting, the best method for securely erasing drives so that zero recoverable data remains on them is the software-based random overwrite method. So how should it be done? These are the steps that any business considering selling or disposing of a drive should always go through:
- Back up any important data to another drive or device
- Securely erase your drive by using data erasure software
- Confirm that the software can perform the right erasure method for your type of drive
- Confirm the total number of overwriting passes that are performed and verified by the erasure software. Each pass signifies a complete overwrite of the drive with all 0s, all 1s, or random data
- Confirm the data is erased with an auditable, tamper-proof certificate
- Double check that all your data was, in fact, erased. If you need proof that the data sanitisation method you’ve chosen is effective, there are data recovery solutions available
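To make the difference between a quick format and a verified overwrite concrete, here is an added example (not code from the article or from Ontrack). It runs against a small constructed image file rather than a real drive; the marker string, the 4 KiB index area and all function names are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

BLOCK = 1 << 20                       # bytes per read/write
MARKER = b"CONSTRUCTED-PUPIL-RECORD"  # constructed sample data, not from the article
PATTERNS = {"zeros": bytes, "ones": lambda n: b"\xff" * n, "random": os.urandom}

def make_quick_formatted_image(path, size=3 * BLOCK + 123):
    """Constructed 'drive' as a quick format leaves it: index zeroed, data intact."""
    with open(path, "wb") as f:
        f.write(bytes(4096) + MARKER.ljust(size - 4096, b"\x5a"))

def digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()

def overwrite_pass(path, pattern):
    """Overwrite every byte with one pattern; return SHA-256 of what was written."""
    written = hashlib.sha256()
    with open(path, "r+b") as f:
        remaining = f.seek(0, os.SEEK_END)  # size of the space the OS exposes
        f.seek(0)
        while remaining:
            chunk = PATTERNS[pattern](min(BLOCK, remaining))
            f.write(chunk)
            written.update(chunk)
            remaining -= len(chunk)
        f.flush()
        os.fsync(f.fileno())
    return written.hexdigest()

def erase_and_verify(path, passes=("zeros", "ones", "random")):
    """Run each pass, read the image back, and record whether it matched."""
    return [{"pass": i, "pattern": p, "verified": overwrite_pass(path, p) == digest(path)}
            for i, p in enumerate(passes, 1)]

def contains_marker(path):
    with open(path, "rb") as f:
        return MARKER in f.read()  # whole-file read is fine for a small test image

if __name__ == "__main__":
    img = os.path.join(tempfile.mkdtemp(), "drive.img")
    make_quick_formatted_image(img)
    print("marker survives quick format:", contains_marker(img))
    print(erase_and_verify(img), "marker left:", contains_marker(img))
```

The read-back covers only the space visible to the operating system, and the pass report is a plain record, not the auditable, tamper-proof certificate the steps above call for.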
Not the time to cut corners
Email, company presentations, confidential documents, bank details of customers – all are created and saved on company devices. If this information gets into the wrong hands it could cause irreparable harm. The introduction of global data privacy laws has attempted to standardise and update the protection of personal data. Overlooking end-of-life data and mismanaging data procedures, including the disposal of computers and IT assets containing personal data, can become a serious threat to the security of company information. It also exposes the company to the risk of penalties and breaches of privacy legislation, which can cause irreparable damage to the business's image and reputation.
It is understandable that in these uncertain times businesses are trying to recoup funds by selling off unused tech, but in their rush to do so, many are not following basic data erasure procedures. Now is not the time to be cutting corners. Secure data erasure services such as ours ensure that sensitive data is securely wiped from storage media prior to being sold.
Philip Bridge, President, Ontrack