A few years ago, a minor data breach may not have been considered a significant event in the life of an organisation. Today, however, even the smallest breaches open companies up to major public relations and legal nightmares, thus disproving the old adage that "any publicity is good publicity".
Because of the heightened sensitivity of personal data, companies must take significant steps to protect this kind of information. There are a number of items related to your various storage systems that you should keep in mind to help protect your company's data — and image.
Make sure your data stays your data by taking appropriate disposal steps with your storage devices and media, including:
Misconceptions abound
Even with the spectre of data loss looming in the news, some companies still don’t take steps to delete data properly from computers that have been leased or are at their end of life. Companies are relying on outdated methods of data wiping that have been superseded by new technology.
For example, there was a time when IT staffers were told simply to format hard drives before sending a computer away at the end of its life. However, formatting alone became insufficient due to the widespread availability of cheap data recovery utilities. The same holds true for those that simply remove partitions. While this operation will make the data appear to vanish, the information is actually very, very recoverable.
In theory (and sometimes in practice), demagnetisers zap (degauss) a drive with a powerful magnetic field, thereby making data recovery very difficult. However, notice that I did not say impossible. Even these devices are not sufficient to protect a company when it comes to data compliance regulations. In many cases, a single degaussing won't do the trick.
Before I continue to discuss what your options are for securing your data, I should mention that there are many people out there who do not feel that the data on their computers warrants any special consideration. This is particularly true of home computer users, or computer users in small companies. This perceived lack of importance could not be any further from the truth. At your home or small business computer, do you have finance software or do you prepare payroll? Do you keep employee information in an Excel spreadsheet? From a PR and identity theft perspective, you have as much to lose as large companies.
Better data-zapping options
There are two really good ways to permanently delete your data… one of them can even be fun and provide a stress outlet for a bad day!
The first method is overwriting the contents of the media. Sometimes referred to as "wiping" a drive, this method overwrites every area of a disk multiple times with random information, eventually making data unrecoverable. There are dozens (if not hundreds) of products on the market that perform this task. The key to finding an effective solution is to look for products that conform to DoD 5220.22-M or Gutmann specifications for file deletion. The DoD (Department of Defense) standard calls for a minimum of three overwrites while the Gutmann version calls for a minimum of 35 overwrites. While the DoD specifications are okay, many consider them to be too weak, particularly when compared to the Gutmann method. For the best protection, get a product that provides both options.
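The difference between removing partitions and overwriting can be seen on a small file-backed disk image. The following is an added example, not code from the original article: the image layout, the sample record and all function names are constructed for illustration, and three passes is used because it is the DoD minimum quoted above.

```python
import os
import tempfile

SECTOR = 512
MARKER = b"EMPLOYEE-0001 SALARY 50000 (constructed)"  # constructed sample record

def build_image(path, sectors=64):
    """Constructed image: sector 0 stands in for the partition table,
    sector 10 holds the sensitive record."""
    with open(path, "wb") as f:
        f.write(b"\x55\xaa" * (SECTOR // 2))       # stand-in partition table
        f.write(b"\x00" * SECTOR * (sectors - 1))  # rest of the "disk"
        f.seek(SECTOR * 10)
        f.write(MARKER)

def remove_partitions(path):
    """Removing partitions only rewrites the table in sector 0."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * SECTOR)

def recoverable(path, needle=MARKER):
    """Raw scan of every byte, ignoring the partition table entirely."""
    with open(path, "rb") as f:
        return needle in f.read()

def overwrite(path, passes=3, chunk=SECTOR * 8):
    """Overwrite every byte with random data `passes` times, syncing each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            left = size
            while left:
                n = min(chunk, left)
                f.write(os.urandom(n))
                left -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to storage before the next
    return size

def demo():
    """Returns (record found after partition removal, found after wipe, bytes per pass)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_image(img)
        remove_partitions(img)
        after_delete = recoverable(img)
        written = overwrite(img, passes=3)
        after_wipe = recoverable(img)
    return after_delete, after_wipe, written

if __name__ == "__main__":
    print(demo())
```

The record is still found after the partition table is cleared and is gone only after the full overwrite.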
The second method is physical destruction of media. This can be as simple as putting the hard drive in a vice and hammering the stuffing out of it. Or, you can make use of one of the many hard drive shredding services. These services usually charge some kind of fee; for example, at my college, the local vendor charges $10 per drive — but after the hard drive, literally, goes through a shredder, you can generally rest safe knowing that the data is not going to be very easily recovered!
Make sound policies for all of your devices
For other kinds of storage devices, such as thumb drives and iPods, depending on the sensitivity of data in your organisation, you should develop policies pertaining to the use of these kinds of devices. Obviously, if you have a savvy user connecting his iPod to his work system and downloading all kinds of customer information to work on at home, you have a problem. Even though the user may have a perfectly innocent reason to want to work on the information at home, what happens to your company if that user loses his iPod on the train?
Summary
This is by no means intended to be an exhaustive list of all of the possible ways to protect your company's data. Instead, I've provided an overview of the problem and some possible solutions.
Copyright © 1995-2009 CBS Interactive Limited. All rights reserved