Data Disposal: Your sensitive data may be at risk!
Santosh Kamane
Cybersecurity and Data Privacy Leader | CISO Coach | Entrepreneur | PECB Certified ISO 42001 Trainer and advisor | Virtual CISO | GRC | DPO as a Service | Empowering Future Cybersecurity Professionals
Data is the oxygen for the digital world.
Technology has evolved immensely in the last 20-odd years. From large mainframes to desktop computers, laptops to smartphones, data centers to cloud, tablets to smart watches, Google search to ChatGPT, we have really come a long way. These technological advances are now difficult to keep up with because of how rapidly they evolve.
However, one thing that has remained the backbone of the entire digital world is “Data”. Would the technology still be effective if there was no data? Without data, these technologies would not address any business problems. The definition of data per Wikipedia is “In the pursuit of knowledge, data is a collection of discrete values that convey information, describing quantity, quality, fact, statistics, other basic units of meaning, or simply sequences of symbols that may be further interpreted”. Further, when data is meaningful or valuable, it can be labeled as “Information”. This is why information (or data) security is so important today. Your personally identifiable information, pieces of source code, design documents and trade secrets are valuable, and their theft or loss can have an impact. That impact could be financial, reputational, legal or regulatory, and so on.
Data LifeCycle
Like every process, data has its own lifecycle. Data is created, acquired and collected in many ways by organizations. Without data, no business process would take place. If we do not protect this data at each lifecycle stage, it may lead to severe risks. The picture above, by CyberFIT, covers the various data lifecycle stages. This broadly applies to all organizations across all sectors.
For example:
Data Collection — The more unnecessary data you bring in, the more risk you carry. Today most privacy regulations mandate collecting only the minimum data necessary for processing.
Data Sharing — If you share your sensitive data without appropriate controls such as encryption, authentication etc., can you really assure its integrity and confidentiality?
Data Disposal — Of all the data lifecycle stages, data disposal is the one where organizations tend to adopt poor or weak practices. Let's cover this a little more.
No Data Disposal — Risks? Too many!!
When you delete or format your data, the operation only hides it from the operating system’s view. Though this gives the perception that the data is deleted, it can still be recovered. Today there are advanced data recovery tools that accomplish this. The key due to inadequate data disposal are,
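The point above, that deletion only removes the operating system's view of the data, shown as an added example that is not part of the original article. It uses a constructed toy disk (`ToyDisk`, `residue` and the sample record are hypothetical names and data, not a real filesystem or tool) to contrast an ordinary delete with an overwrite-and-verify wipe:

```python
BLOCK = 32  # block size of the constructed toy disk, in bytes

class ToyDisk:
    """Constructed model: raw blocks plus the directory the OS shows to users."""
    def __init__(self, blocks=8):
        self.raw = bytearray(BLOCK * blocks)  # the physical medium
        self.directory = {}                   # file name -> list of block numbers
        self.free = list(range(blocks))

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK)       # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(used):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.directory[name] = used

    def delete(self, name):
        """Ordinary delete: drop the directory entry, leave the blocks as they are."""
        self.free.extend(self.directory.pop(name))

    def wipe(self, name):
        """Overwrite every block of the file, read back to verify, then delete."""
        blocks = self.directory[name]
        for b in blocks:
            self.raw[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        verified = all(self.raw[b * BLOCK:(b + 1) * BLOCK] == bytes(BLOCK)
                       for b in blocks)
        self.delete(name)
        return verified

def residue(disk, marker):
    """True if the marker bytes are still present anywhere on the raw medium."""
    return marker in disk.raw

def demo():
    record = b"customer-record: ACME-CONSTRUCTED-SAMPLE"  # constructed sample data
    marker = b"ACME-CONSTRUCTED"
    a = ToyDisk(); a.write_file("record.txt", record); a.delete("record.txt")
    b = ToyDisk(); b.write_file("record.txt", record); ok = b.wipe("record.txt")
    return {"listed_after_delete": "record.txt" in a.directory,
            "residue_after_delete": residue(a, marker),
            "wipe_verified": ok,
            "residue_after_wipe": residue(b, marker)}

if __name__ == "__main__":
    print(demo())
```

On flash media with wear leveling, an overwrite issued through the filesystem may not reach every physical cell, so device-level sanitize commands or cryptographic erase are the usual approach there.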
Data Disposal — How is it managed today?
For confidential paper information, today we use a shredder as and when needed. It shreds paper into small pieces so the information can’t be reconstructed. This not only protects information from leakage, but also gives you peace of mind.
Does the same risk apply to digital or electronic data? Yes.
Today most organizations are not following secure data disposal practices. So what is the risk here? Let's understand.
a) Third party engagement — Cybersecurity is heading towards a zero trust philosophy today. Can you hand over your hard drives with sensitive data to third parties (without due diligence) to either degauss or destroy? Morgan Stanley was asked to pay 35M as a fine due to data leakage. As mentioned earlier in the article, the risk is too high when data is stolen or leaked/breached.
b) E-waste — When you physically destroy your assets, aren’t you essentially contributing to e-waste? Can these assets not be repurposed if data wipeout is assured?
c) Destruction before End Of Life — Hardware assets have a price tag and a useful life. If you destroy a hard drive after 6 months of use because it holds sensitive data, can you convince your CFO of the ROI?
Data Disposal — How can it be handled?
Final words
In a nutshell, today data is scattered everywhere in the organization. It needs to be protected during all stages, and controls can’t be relaxed, especially during the data disposal stage. Be the organization that provides assurance to customers that data is safe until its disposal. Don't just delete, WipeOut
Referral links
To know more about electronic shredder [email protected]
Helping companies architect privacy and data security
1 year ago: In my pre-cybersecurity and privacy days, I was blissfully unaware of risks in formatting of disk and simple delete procedures. In a time where cyber attackers' primary rationale is stealing the data, mechanisms such as securely disposing of data are key in eliminating the security risk. And it also helps with compliance. Thanks for sharing Santosh Kamane
Data erasure is definitely a key measure in safeguarding sensitive information. Thanks for sharing your insights on a holistic, rather than piecemeal, approach to data protection!
Cyber Security Professional.
1 year ago: That is a really good piece, thank you!
CIPM | ISO 27001 LA | CCSK | CEH | CompTIA Security +
1 year ago: Truly amazing and insightful, thanks for sharing