Today’s enterprises are handling huge volumes of data generated in-house and externally. Customer data, market research, industrial data and other proprietary information are some of the data that require confidentiality. Enterprises also have to contend with the risk of this data falling into the hands of unauthorized people. There is also the reality of tighter data privacy laws, especially concerning individuals. Violation of these laws and regulations comes with serious adverse consequences. Data erasure is a key task in implementing a good information security strategy.
What is Data Erasure?
Hitting the delete button only marks the storage space occupied by the files as free for reuse. It does not remove the data itself. Until that space is overwritten, the data is easy to recover using advanced forensic tools.
Data erasure involves clearing this data totally such that it is unreadable, inaccessible and irrecoverable. Data erasure is a key task in secure data destruction, which is itself a key component in an enterprise’s information security procedures.
There are several ways of data erasure:
In overwriting, you use software tools to write encrypted, meaningless data over the data you want to erase. These software tools use a mixture of 1s, 0s and special characters in this process. The security of overwriting depends on the number of passes the tool makes over the data. Data security agencies in the US and UK seem to agree that three passes are adequate. For more sensitive data, you can use seven passes.
Overwriting has an advantage in that it does not destroy the storage media. It is ideal for equipment marked for repurposing and recycling. It can help keep costs low while maintaining proper data security.
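The multi-pass overwrite described above can be sketched as follows. This is an added example, not code from the original article or from any erasure product; the names `overwrite_file`, `verify_pass` and `THREE_PASS` are hypothetical, and the pattern tuple can be lengthened for the seven passes mentioned above.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # write in 1 MiB chunks so large files never sit in memory
# One entry per pass: all 0 bits, all 1 bits, then random bytes (None = random).
THREE_PASS = (b"\x00", b"\xff", None)


def verify_pass(f, size, pattern):
    """Read the file back and confirm every byte equals the fixed pattern."""
    f.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        if f.read(n) != pattern * n:
            return False
        remaining -= n
    return True


def overwrite_file(path, patterns=THREE_PASS, remove=True):
    """Overwrite path in place once per pattern; return the number of passes."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in patterns:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force this pass to the device before the next
            if pattern is not None and not verify_pass(f, size, pattern):
                raise OSError(f"read-back mismatch on {path}")
    if remove:
        os.remove(path)
    return len(patterns)


if __name__ == "__main__":
    # Constructed sample file standing in for data marked for erasure.
    fd, sample = tempfile.mkstemp()
    os.write(fd, b"constructed sample: customer record 0001\n" * 100)
    os.close(fd)
    print(overwrite_file(sample), "passes; file still exists:", os.path.exists(sample))
```

File-level overwriting only reaches the blocks the filesystem currently maps to the file. On SSDs with wear levelling and on journaling or copy-on-write filesystems, older copies can survive elsewhere on the media, so whole-device erasure is the safer choice for equipment leaving your control.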
Degaussing is a method of secure data destruction that scrambles the magnetic fields on which data is stored. Older hard disks use magnetic fields. Data destruction services use a degausser. It creates a very strong magnetic field that disrupts these magnetic fields and the data on them. However, degaussing destroys both data and storage media. It is more suited for highly sensitive data.
Implications of Failure to do Data Erasure
Every enterprise must recognize the importance of information security. Grave implications arise from failure to destroy data to the expected standards. These are life-threatening risks for an enterprise when this data falls into unauthorized hands in data breaches, hacks, or other forms of data theft.
Data privacy laws have placed more responsibility on data-bearing enterprises to safeguard this data to the highest standards. A good example is the General Data Protection Regulation (GDPR). It requires enterprises handling data from customers in the European Union to protect this data from unauthorized access. It is perhaps the most comprehensive data privacy law in the world, covering how enterprises should handle, store and dispose of customer data.
The GDPR has very heavy fines for violations. It stipulates a fine of €20 million or 4% of an enterprise’s revenues in the past year, whichever is higher. Some of the most notable GDPR fines have been:
- British Airways – €22 million ($26 million)
- Marriott – €20.4 million ($23.8 million)
Both international brands failed to secure their clients’ data, which led to data breaches. Exposure of private customer data like ID numbers and bank information is at the top of the GDPR’s concerns.
The Health Insurance Portability and Accountability Act (HIPAA) in the US is also a notable data privacy law. It has a fine of up to $50 million for violations. Singapore has the Personal Data Protection Act 2012 (PDPA), which imposes a penalty of SG$1 million, or 10% of an enterprise’s annual turnover in the previous year, whichever is higher. More countries are coming up with data privacy laws. Each law will apply separately where an enterprise violates the data privacy of clients from different countries. Such financial penalties can bankrupt a business.
Loss of Customer Confidence
Businesses that suffer data breaches suffer severe loss of customer confidence. Enterprises in sensitive industries like banking and finance have more to lose in brand reputation. Customers are touchy about the exposure of their private lives. Data breaches leave them feeling vulnerable to slander, gossip and blackmail. Some of them will sue in their personal capacities. A study found that 80% of customers will defect from a business when it suffers a data breach.
Loss of brand reputation can snowball quickly when damaging information goes viral. Disgruntled customers will go to their social media networks to complain about the damage the brand has caused them, which discourages potential customers. Others will drop negative hints by word of mouth.
Loss of Competitive Edge
Loss of proprietary data can wipe out years of research on a product. Unauthorized parties may access research data on redundant equipment and reverse engineer such information. Such loss can be detrimental to an enterprise that relies on intellectual edge to keep ahead of the competition. Enterprises in tech, medicine, and consumer products are vulnerable to such risks. Losing intellectual property can cost an enterprise millions of dollars in forfeited profits from failure to exploit the competitive advantage.
Personal Risks to Employees and Clients
Exposure of private data poses a direct risk to the owners of the data. Criminals can come after a client whose bank balances are exposed, to kidnap or rob them. There is also potential for blackmail when sensitive data such as medical records are exposed.
The biggest threat is identity theft. Felons will usually buy Personally Identifiable Information such as credit card information, SSN, and contact details on the dark web. They will then use this data to impersonate the owner and perform unauthorized transactions. The real owner of the data will suffer an immense loss in the form of unauthorized loans and credit card bills.
Total Business Closure
The total effect of data loss by data theft or breach can be the complete closure of an enterprise. Small businesses that have not developed the resilience to withstand damage to brand reputation or heavy financial penalties will go under. A study on enterprises that suffered data breaches showed that 60% went under within 18 months of suffering the breach.
Data Erasure in Maintaining Information Security
Data erasure is crucial to an enterprise’s information security strategy. By deploying secure data destruction, an enterprise denies malicious parties an entry point to do more harm. Sophisticated criminals have proven they can get past today’s advanced firewalls. Data erasure ensures they cannot get to what they seek. They cannot take what is not available.
Engaging professional data destruction services is the best approach in executing this important task, for several reasons:
Data erasure tools cost money and also require training to use effectively. A data destruction service has both off-the-shelf tools and proprietary tools to do a competent job. They will also have a degausser, which is an expensive unit. The crew has the training to use these tools. You save money and time by letting the professionals handle the job.
Data Destruction Certificate
A data destruction service can issue a certificate of data destruction to show data is totally erased to the expected standards. This certificate is important during data security audits, if the industry requires them.
No enterprise can afford to ignore data erasure considering the risks involved in improper data handling. It should be a regular task in information security, performed by professionals who understand the job. Complete removal of data is the only way of keeping data safe from unauthorized access.