Singapore firms failing to delete data

Higher awareness and execution of proper data erasure among larger enterprises, but consumers and small businesses still lack know-how, industry player states, adding IT consumerization putting impetus on improvement.
Written by Vivian Yeo, Contributor

SINGAPORE--Awareness of proper data sanitization is still low particularly among Singapore users and smaller businesses, and lax attitudes need to change in view of the increasing value of digital assets and IT consumerization, a Kroll Ontrack executive has urged.

"A lot of people don't really know about data erasure," C.K. Lee, country manager for Kroll Ontrack Singapore, told ZDNet Asia in a phone interview. "Everybody's [focused] on data creation; nowadays, data growth is humongous."

Not many bother to understand how to manage data on storage devices they no longer need, he said, citing an exercise Kroll conducted in August.

The data recovery and destruction specialist had obtained five hard disk drives--three from servers and one each from a desktop and laptop--via an online auction site, having bought them off individuals and equipment disposal firms. Despite the fact that the devices were advertised to be completely wiped clean of previously stored information, the Kroll team found data in excess of 300GB.

According to Lee, the exercise was a random experiment to test market awareness of data sanitization. Kroll first carried out the experiment in Australia and found that they were able to retrieve data from some of the devices.

In the case of Singapore, a market known for being IT-savvy, Lee said the team was surprised to achieve a "100 percent hit" as all five devices yielded personal and corporate proprietary information including Microsoft Office documents, applications, databases, e-mail messages and photos.

The executive noted that hard disk owners typically reformat the drives when they want to sell or destroy it, and assume data is no longer there when they cannot see it. However, basic overwriting techniques only remove "the pathways to the data and not the data itself", he said.

"It is essential to remember this when preparing equipment for sale or disposal," he cautioned. "Delete doesn't mean deleted."

Those who wish to erase data securely so that the drives can be reused need to do "proper wiping", which involves the deployment of certified data-erasing software, while those seeking to rid end-of-life storage devices need to degauss or demagnetize the equipment before recycling them, said Lee.

Individuals and companies can also tap professional services, he said, adding that data wiping or degaussing services typically cost S$50 (US$38.97) per device and are cheaper for bulk transactions.

He pointed out that over the last five years, large enterprises and organizations in verticals, such as finance, have shown improved data sanitization awareness and execution due to stricter regulations as well as a desire to avoid lawsuits tied to data breaches. In the financial sector, for example, there are "extreme" cases where organizations would wipe, degauss and "drill a hole" into the storage device before recycling it.

On the other hand, consumers and small and midsize businesses (SMBs) are not as savvy due to issues such as cost and lack of education, he noted.

Corporate policies necessary in BYO era
Lee warned that moving forward corporate entities, regardless of size, need to be more diligent in data security and management including the handling of data erasure.

He added that this was especially critical in the age of IT consumerization and increasing acceptance of personal-owned devices used in the workplace--a trend also known as bring-your-own device.

Enterprises keen to adopt this trend must have policies in place to govern how data should be removed in an appropriate manner. For instance, an employee who intends to switch to a new laptop must declare what he is going to do with the old machine; if it is to be recycled or traded in, the IT department needs to be involved to ensure corporate data is completely removed from the hard drive.

"If [organizations] do allow personal notebooks to be used for [housing] corporate information, when it comes to end of life they definitely need to have a policy in place for the information to be deleted," said Lee. "If not, they are going to get into legal issues."

Editorial standards