One out of two businesses do not erase sensitive data: survey

In a recent global survey on data wiping practices, Kroll Ontrack found that fewer than half of businesses regularly deploy a method of erasing sensitive data from old computers and hard drives.

Of the 49 percent of businesses that systematically deploy a data erasure method, 75 percent do not delete data securely, leaving most organisations highly susceptible to data breaches. Such breaches plague businesses at least once a year, according to the 2010 Kroll Ontrack Annual ESI Trends Survey, and cost an organization an average of $6.75 million per breach, according to the 2009 Ponemon Cost of Data Breach Study.

“Three-fourths of businesses are deleting files, reformatting or destroying drives, or ‘do not know’ how they are erasing sensitive data. Deleting files from a hard drive only marks the files to be rewritten, which may never occur.

“Furthermore, reformatting the drive only removes the entries in the index or table of contents that point to the data. And, physically destroying a drive is not a guaranteed method of protection, as Kroll Ontrack has been recovering data from severely damaged drives, such as the Columbia space shuttle, for more than 25 years. None of these methods ensure that sensitive information is no longer on the drive,” said Jim Reinert, vice president of product development, Kroll Ontrack.

“A certified data wiping software, such as Ontrack Eraser, that overwrites all the data on the hard drive or a degausser, which wipes the data using a strong magnetic force rendering the device no longer usable, are the two safest methods to ensure private data is wiped and does not fall into the wrong hands.”

The survey of more than 1,500 participants from 12 countries across North America, Europe and Asia Pacific also revealed that four in 10 businesses gave away their used hard drive to another individual and 22 percent do not know what happened to their old computer. In total, more than 60 percent of all old business computers are fully intact with proprietary business data in the second-hand market.

“In addition to helping companies achieve compliance with laws and regulations regarding data retention and privacy, data wiping is fundamental to reducing the risk of security breaches,” added Reinert. “It is a must – regardless of the size of the organization – and needs to be incorporated into overall data security and business continuity plans.”

Only 19 percent of businesses deploy data eraser software and fewer, 6 percent, use a degausser to erase media. When asked if and how businesses verify their data has been deleted, very few (16 percent) reported relying on a product or service report to confirm all of their data had been wiped.

Aside from businesses that “do not know” (34 percent) how they ensure their data has been erased from an old device, the next most popular response, reported by 22 percent of businesses, was “reboot the drive” to see if the data is still there.

“Reports that verify or confirm what the tool and/or service did are critical,” concluded Reinert. “Not only do they inform you of what has been wiped, but they should identify the serial number as well as the make and model information of the wiped hard drive, the date and time of when the information was wiped, and a listing of how much information was wiped.”