Getting Data Security in Perspective
So, how much time and effort should a company put into their data erasure process, especially when balanced against the chances of the data being stolen?
The received wisdom is that the more wipes – or data erasure passes – you make on a storage device, the less chance there is that the data can be recovered.
However, this additional effort also translates into an increased cost associated with the additional time and resources that will be needed.
Interestingly, the Wikipedia article on Data Remanence also makes the point that the long time required for multiple wipes "has created a situation where many organisations ignore the issue altogether – resulting in data leaks and loss".
Also, a company cannot give an absolute guarantee that the data on a disk or its media will never be retrieved at some point in the future by an as yet undiscovered recovery technique.
The only way to give an absolute guarantee would be to melt the media and watch the disk in question being completely and utterly destroyed.
But maybe we need to think of the larger question of balancing security with usability. Of course, security has to be effective but, to all intents and purposes, it also has to be practicable.
The Pragmatic Approach
Speaking as someone who was involved with the very first ATMs or cash dispensers, the question then was, what is the ideal length of a security PIN for the card holder?
- Too short and it becomes guessable.
- Too long and people can’t remember it, so they compromise their security by writing it down.
- Just right and it becomes usable, but with no absolute guarantee (though still better than ignoring the issue and having no security in place at all).
In other words, is the topic of data erasure similar to PIN length? Surely making sure that the storage devices in your PCs or laptops are cleaned in a timely fashion, even using a basic, single ‘all-zeros’ pass, is better than doing nothing at all.
Companies need to take reasonable and timely steps to protect data contained on storage devices from being retrieved.
To do nothing is likely to leave an individual, or the establishment they represent, at best open to criticism or, worse still, subject to legal action if deemed negligent.
And of course, all businesses will now need to abide by the replacement for the Data Protection Act – the GDPR or General Data Protection Regulation – which came into force in May 2018.
This requires companies, amongst other things, not only to prevent accidental loss of or unauthorised access to personal data, but also to document in advance the processes that show how such incidents are to be prevented.
The time for prevarication and procrastination is over. Companies must make up their minds to have a documented process for cleaning data on ‘end-of-life’ storage devices.
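The two practical points above, a basic single ‘all-zeros’ pass being better than nothing and the need for a documented process, can be turned into a small routine that overwrites a retired device with zeros, reads it back to confirm every byte is zero, and produces an audit record for the process file. The code below is an added example written for this page; it is not the author’s or any vendor’s tooling. It operates on a constructed temporary file standing in for a disk (the asset tag and file path are placeholders); on a real block device you would open the device node instead and take the size from the device rather than from os.path.getsize.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # process the target in 1 MiB blocks so large devices never sit in memory


def zero_pass(path: str) -> int:
    """Single all-zeros overwrite of the whole file at `path`; returns bytes written."""
    size = os.path.getsize(path)
    zeros = bytes(CHUNK)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(CHUNK, size - written)
            f.write(zeros[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())  # push the zeros to the medium, not just the page cache
    return written


def verify_zeroed(path: str) -> int:
    """Read the target back; return -1 if every byte is zero, else the offset of the first non-zero byte."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                return -1
            if block.count(0) != len(block):
                for i, b in enumerate(block):
                    if b:
                        return offset + i
            offset += len(block)


def post_wipe_digest(path: str) -> str:
    """SHA-256 of the wiped target, computed in chunks, for the audit record."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def wipe_and_record(path: str, asset_tag: str) -> dict:
    """Wipe, verify, and return an audit record for the documented erasure process."""
    size = os.path.getsize(path)
    written = zero_pass(path)
    first_bad = verify_zeroed(path)
    return {
        "asset_tag": asset_tag,
        "path": path,
        "bytes": size,
        "bytes_written": written,
        "method": "single all-zeros pass",
        "verified": first_bad == -1 and written == size,
        "first_nonzero_offset": first_bad,
        "post_wipe_sha256": post_wipe_digest(path),
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def verify_sample(contents: bytes) -> int:
    """Helper for trying verify_zeroed on constructed contents without touching a real device."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(contents)
        return verify_zeroed(path)
    finally:
        os.unlink(path)


def demo() -> dict:
    """Constructed sample: a temporary file full of fake records standing in for a retired disk."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"CONFIDENTIAL customer export row\n" * 70000)  # a few MiB, spans several chunks
    try:
        return wipe_and_record(path, asset_tag="ASSET-0001 (placeholder tag)")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The returned record is the part that matters for the regulation: it ties the asset tag to the method, the date and a verification result, which is what a documented process needs to show. One caveat a practitioner should keep in mind: an overwrite pass only reaches the sectors the operating system can address, so on flash-based drives with wear-levelling it does not guarantee that every physical block is cleared; for those, the drive’s own secure-erase command is the appropriate tool, and the same record format can log it.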
Let us lessen the hardship of adhering to such regulations and be your data cleansing partners. Provide us with a list of when equipment entered your asset register so that we can let you know when that equipment is approaching end of life; data can then be archived prior to us removing and securely wiping the devices.