Data Recovery Services Pose Data Breach Risk Without Security Guarantees
Organizations often hire an external data recovery service to recover data from a failed drive containing sensitive data without considering the risks of a data breach.
Organizations are not taking security considerations in to account when working with third-party data recovery data services, which puts them at risk of a data breach by unscrupulous providers, according to a recent report from the Ponemon Institute.
In the "Trends in Security of Data Recovery Operations" report released Jan. 11, 87 percent of respondents said they'd experienced a data breach in the past two years and 21 percent of that group admitted the breach occurred while the drive containing the data was with a third-party data recovery service, the Ponemon Institute found.
As organizations increase their use of data recovery vendors, the potential for data breach during the recovery process also increases if the provider's security protocols are not properly vetted, the report found. While 83 percent of the respondents agreed that they should require third-party vendors to ensure that data is securely and permanently destroyed from their systems after the information has been recovered. However, only 9 percent actually do so.
"The consequence of using an unscrupulous data recovery vendor can lead to loss or theft of sensitive and confidential information," said Michael Hall, the CISO at DriveSavers Data Recovery, a data recovery service provider which commissioned the study. "That could mean a major disruption in business, financial loss and in some cases, closure of the business," Hall added.
About 81 percent of the respondents said the speed of recovery was the most important factor in choosing a vendor and 75 percent said the ability to successfully recover data was the most important. Security-related concerns were not a priority for these respondents, according to the survey.
"While the need to recover data is often time sensitive, every effort must be made to ensure that the organization's confidential and sensitive data is protected during the recovery process," Hall said.
About 54 percent of respondents said they do not require their data recovery vendors to comply with security guidelines from the National Institute of Standards and Technology or International Organization of Standards for Business, Government and Society, the report found.
Organizations that have to comply with industry and regulatory requirements such as Gramm-Leach-Bliley Act Data Security Rule, the Data-At-Rest mandate, the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act, have to make sure their service providers are also compliant. Respondents admitted they needed to improve their due diligence for vetting third-party vendors and their data recovery certification, the report found.
Organizations are increasingly using data recovery services after experiencing a server crash or disk failure, especially if intellectual property, financial information and customer or patient data files are affected, the survey found. Of the 769 IT security and IT support professionals surveyed, nearly 85 percent of respondents said their companies have used third-party data recovery services and 39 percent said they used such a service at least once a week. The number is growing, as 79 percent of last year's survey participants said their companies use a data recovery service.
For organizations who trust their data to a cloud provider, there is another layer of concern. About 55 percent of the respondents said their cloud provider uses a separate data recovery service in case of a server crash, but a little over half of those respondents said they weren't confident the cloud provider would notify them if a data breach occurred during the recovery process.
Organizations using third-party data recovery services should define security protocols that need to be considered during the vendor selection process and enforce them, the Ponemon Institute recommended. Organizations should vet the service's security credentials as well as ensure their service level agreements with cloud providers include the need for notification if a data recovery vendor is engaged.
The IT security and IT support practitioners in the survey were based in the United States and came from healthcare, financial services and governmental organizations. Most of the respondents reported to CIOs and CISOs in their organization.