According to a number of sites covering the issue, the Ponemon Institute has released a survey showing that 21% of information security breaches occur when corporate data is being held by a data recovery service provider. This is one of those areas where disk encryption software cannot help because, well, one has voluntarily allowed a third party to access the data.

I mean, how else is one supposed to recover data?

769 IT Practitioners Surveyed

Ponemon surveyed 769 CIOs and CISOs, and of the 87% who responded as having experienced a breach in the past couple of years, 21% said a breach occurred “when a drive was in the possession of a third-party data recovery service provider.”

Disk encryption was created for those instances where a third party has your device: namely, when it’s stolen (yeah, most people wouldn’t quite call thieves a “third party,” but it fits the definition). However, in this case, the third party is doing something on behalf of the data owner. And, generally, a third party like a data recovery service provider requires access to the hard disk.

Otherwise, how’s the service going to know if it’s actually doing its job correctly or merely worsening the problem?

In such situations, the only solution is to use a data recovery service provider that’s been vetted.  As points out, though, this is not always possible: what if an employee’s computer breaks down while on the road?

Plus, even if a company is vetted, it doesn’t necessarily mean that the employees will act faithfully according to the company’s policies.  For example, I remember reading how the geeks at Geek Squad would copy content from computers that came in for servicing.  This certainly is not company policy.

Perhaps I’m jumping the gun here, though, as most companies are not particularly interested in security:

About 81 percent of the respondents said the speed of recovery was the most important factor in choosing a vendor and 75 percent said the ability to successfully recover data was the most important. Security-related concerns were not a priority for these respondents, according to the survey.

Seeing how 18% of data breaches can be traced back to a data recovery vendor, perhaps the placement of data security on the totem pole of vendor selection factors ought to be thought over.

