BusinessToday Previous Editions

BUSINESS TODAY 5 December 2019

Issue link: https://maltatoday.uberflip.com/i/1189756

INTERVIEW

The importance of data erasure

Without making data erasure a priority, businesses are running huge risks that could overshadow every good decision they make. Fredrik Forslund, VP, Blancco explains how organisations can create a deeper understanding of the importance of data security

What's the difference between data deletion and erasure?

A thesaurus may tell you that deletion and erasure are the same, but knowing the difference is vital for businesses that want to stay on the right side of GDPR regulation. Deletion simply frees up hard drive space to be used again, but the data isn't overwritten—this is what happens when we drag a file from our desktop to the Recycling Bin.

However, data erasure, or sanitisation, is the process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable. It's not only desktop PCs, laptops and servers that may need to be sanitised—mobile devices, wearables, medical devices and infotainment systems may also store sensitive data.

We've been shocked at how many who should know better do not know the difference: When asked, a worrying 56% of senior data centre staff believed that a quick reformat was all that was needed to permanently erase all data.

We also revealed other concerns through our own investigation. We found that one in every twenty hard drives for sale on eBay, despite claiming that proper data sanitisation methods had been performed, held sensitive, personally identifiable information. The worst example was that of a drive purchased from a software developer with "a high level of government security clearance". It contained scans of family passports and birth certificates, CVs, financial record and university student papers and associated email addresses.

How do you know if data has been erased?

A common way that businesses deal with this issue is through destruction, many believe that in order to know if data has been erased, they have to destroy the equipment. Large mechanical shredders can take hard drives, laptops and smartphones and rip them apart, destroying the data along with the device. This is wasteful and expensive.

We're also seeing businesses adopt degaussing, essentially using a powerful magnet to remove data from magnetic media. This works with tape and hard disk drives but does nothing to flash drives and increasingly common solid-state drives (SSD). It's crucial to have the data erased by specialist software or hardware, that can process both magnetic storage media as well as SSD drives to sanitize the data and make it unrecoverable.

Whatever solution is used, it's important that it meets relevant data privacy regulations and produces a digitally signed certificate of proof of erasure. That way, an audit trail is provided.

What effect has regulation had on how businesses approach this issue?

Data used to simply be an asset—but now it's also a liability. The act of holding it carries risk for organisations today. The General Data Protection Regulation (GDPR) has redefined the way organisations with a foothold in Europe must manage data, and anyone who was blasé about these rules should start paying attention. The honeymoon period is certainly over, with BA and Marriott being fined almost £300m in recent months.

And the EU isn't alone. The California Consumer Privacy Act (CCPA) is designed to protect the privacy rights of Californian consumers, while Brazil and Thailand have passed laws that are similar to GDPR, due to come into force in 2020.

These regulations have had a paralysing effect on organisations that store data onsite. Faced with faulty or obsolete drives and other IT equipment, they're simply letting hardware pile up, rather than risk returning it to the manufacturer and breaking the rules—a problem which can be solved with proper data processes.

Why isn't erasure a core procedure for all enterprises?

There is an awareness around the demands of GDPR, but a lack of knowledge around best practice. Organisations know what they need to do, but they don't know how to achieve it.

Enterprises, data centres and even mobile operators are in need of education, and this problem is compounded by being buried by other priorities. Businesses are often focused, understandably, on ensuring business continuity. Establishing well-planned projects to look at data issues—and to understand why useless hardware is piling up—tends to move down the priority list.

Plus, there is often a disconnect within the organisation and it's already challenging to educate the operational team on compliance tasks, when there are many other priorities happening across the business.

It's best practice to bring these teams together more closely. By making this a shared task with the operations and compliance teams, organisations will create a deeper understanding of the importance of data security. Over time, the operational team can become data stewards.

Do you have any tips on how
