Singapore firms failing to delete data

Summary: Awareness and execution of proper data erasure are higher among larger enterprises, but consumers and small businesses still lack the know-how, an industry player says, adding that IT consumerization increases the impetus for improvement.

SINGAPORE--Awareness of proper data sanitization is still low, particularly among Singapore users and smaller businesses, and lax attitudes need to change in view of the increasing value of digital assets and IT consumerization, a Kroll Ontrack executive has urged.

"A lot of people don't really know about data erasure," C.K. Lee, country manager for Kroll Ontrack Singapore, told ZDNet Asia in a phone interview. "Everybody's [focused] on data creation; nowadays, data growth is humongous."

Not many bother to understand how to manage data on storage devices they no longer need, he said, citing an exercise Kroll conducted in August.

The data recovery and destruction specialist had obtained five hard disk drives--three from servers and one each from a desktop and laptop--via an online auction site, having bought them off individuals and equipment disposal firms. Despite the fact that the devices were advertised to be completely wiped clean of previously stored information, the Kroll team found data in excess of 300GB.

According to Lee, the exercise was a random experiment to test market awareness of data sanitization. Kroll first carried out the experiment in Australia and found that they were able to retrieve data from some of the devices.

In the case of Singapore, a market known for being IT-savvy, Lee said the team was surprised to achieve a "100 percent hit" as all five devices yielded personal and corporate proprietary information including Microsoft Office documents, applications, databases, e-mail messages and photos.

The executive noted that hard disk owners typically reformat the drives when they want to sell or destroy them, and assume the data is no longer there when they cannot see it. However, basic overwriting techniques only remove "the pathways to the data and not the data itself", he said.

"It is essential to remember this when preparing equipment for sale or disposal," he cautioned. "Delete doesn't mean deleted."

Those who wish to erase data securely so that the drives can be reused need to do "proper wiping", which involves the deployment of certified data-erasing software, while those seeking to get rid of end-of-life storage devices need to degauss or demagnetize the equipment before recycling it, said Lee.

Individuals and companies can also tap professional services, he said, adding that data wiping or degaussing services typically cost S$50 (US$38.97) per device and are cheaper for bulk transactions.

He pointed out that over the last five years, large enterprises and organizations in verticals, such as finance, have shown improved data sanitization awareness and execution due to stricter regulations as well as a desire to avoid lawsuits tied to data breaches. In the financial sector, for example, there are "extreme" cases where organizations would wipe, degauss and "drill a hole" into the storage device before recycling it.

On the other hand, consumers and small and midsize businesses (SMBs) are not as savvy due to issues such as cost and lack of education, he noted.

Corporate policies necessary in BYO era
Lee warned that, moving forward, corporate entities, regardless of size, need to be more diligent in data security and management, including the handling of data erasure.

He added that this was especially critical in the age of IT consumerization and the increasing acceptance of personally owned devices in the workplace--a trend also known as bring-your-own device.

Enterprises keen to adopt this trend must have policies in place to govern how data should be removed in an appropriate manner. For instance, an employee who intends to switch to a new laptop must declare what he is going to do with the old machine; if it is to be recycled or traded in, the IT department needs to be involved to ensure corporate data is completely removed from the hard drive.

"If [organizations] do allow personal notebooks to be used for [housing] corporate information, when it comes to end of life they definitely need to have a policy in place for the information to be deleted," said Lee. "If not, they are going to get into legal issues."


Talkback

2 comments
  • An alternative approach altogether for corporate data is to never store it locally on the device but in a secure corporate server and only view it from the device. There are a number of solutions that do that in an almost transparent way for the end user, i.e. the data is not there but the user experience is as if it is. One solution I came across for mobile email is from a company called Letmobile ( www.letmobile.com )
    bobs-a4d8c
  • Hello Vivian,

    Thank you for posting; this is a really interesting article. I think you are right in saying that not many people know about data erasure and that people are more interested in data creation, and given the fact that company information typically doubles every 18 months, it is important that we keep on top of this.

    Just followed you from my twitter by the way @datalovers

    Thanks

    Darren
    darrenparker-fc754