Topics In Demand
Notification
New

No notification found.

Data Disposal : Your sensitive data is at high RISK !
Data Disposal : Your sensitive data is at high RISK !

310

1

Data is the oxygen for digital world.

Technology has evolved immensely in last 20 odd years. From large mainframes to desktop computers, laptops to smartphones, data centers to cloud, tablets to smart watches, google search to ChatGPT , we have really come a long way. These technological advances are now difficult to catch up with due to its rapid evolution.

However one thing that has remained backbone of entire digital world is “Data”. Would the technology still be effective if there was no data? Without data, these technologies would not address any business problems. The definition of data per Wikipedia is “In the pursuit of knowledge, data is a collection of discrete values that convey information, describing quantity, quality, fact, statistics, other basic units of meaning, or simply sequences of symbols that may be further interpreted” . Further, when you have a meaningful or valuable data, it can be labeled as “Information”. This clears the reason why information (or data) security is so important today.

The hardware aspect of technology has a monetary value. If lost, stolen or damaged, risks can be quantified in numbers. The software aspect of technology is however not so easy to value in numbers. Your personally identifiable information, piece of source code, design documents, trade secrets are valuable and can have a impact if stolen or lost. The impact could be financial impact, reputational impact, legal or regulatory impact and so on.

Does the same risk apply to digital or electronic data? Yes.

Today most of the organizations are not following secure data disposal practices. So what is the risk here ? Lets understand.

  1. Delete or Format — If delete or format is your primary and only disposal method, your data can be accessed, stolen, misused by cybercriminals. This data could be your customer files, intellectual property, design documents, trade secrets and so on.
  2. Physically Destroying or degaussing hard-drives — Physical destruction may be a better control but can it be your primary means of data destruction? Its been a traditional idea to destroy the physical asset that holds the information, so you leave no scope for recovery. However two challenges here .

a) Third party engagement — Cybersecurity is heading towards zero trust philosophy today. Can you handover your hard-drives with sensitive data to third parties (without due diligence) to either degauss or destroy ? Morgan Stanley was asked to pay 35M as a fine due to data leakage. Like mentioned earlier in the article, the risk is too high when data is stolen or leaked/breached.

 

Data Lifecycle 

Like every process, data has its own lifecycle. Data is created, acquired, collected in many ways by organizations. Without data, no business process would take place. If we do not protect this data at each lifecycle, it may lead to severe risks. Above picture by CyberFIT covers the various data lifecycle stages. This broadly applies to all organizations across all sectors.

For example

Data Collection — The more and unnecessary data you bring in, you carry more risks. Today most privacy regulations mandate minimum, necessary data collection for data processing.

Data Sharing — If you share your sensitive data without appropriate controls such as encryption, authentication etc., can you really assure its integrity and confidentiality?

Data disposal — Of all the data lifecycle stages, data disposal is the one where organizations tend to either adopt poor or weak practices. Lets cover this a little more .

No Data Disposal — Risks? too many.

When you delete or format your data, it hides it from operating system’s view. Though it gives perception that data is deleted, it still can be recovered. Today there are advanced data recovery tools who accomplish this purpose. The key due to inadequate data disposal are,

  1. Your data is exposed to malicious actors or cybercriminals. Your data could be PII, customer files, IP , trade secrets and so on
  2. Non compliance to information security standards
  3. Non adhering to privacy regulations requirements - Right to erasure
  4. Regulatory penalties
  5. Last but not the least, and most importantly, reputational risk. Can we afford to lose consumer trust build over years due to security incident that could have been easily prevented at extremely low cost?

Data Disposal — How is it managed today?

For confidential paper information, today we use a shredder as and when needed. It shreds paper into smaller pieces so the information can’t be reconstructed again. This not only protects information from leakage, but assures you piece of mind.

 

Does the same risk apply to digital or electronic data? Yes.

Today most of the organizations are not following secure data disposal practices. So what is the risk here ? Lets understand.

  1. Delete or Format — If delete or format is your primary and only disposal method, your data can be accessed, stolen, misused by cybercriminals. This data could be your customer files, intellectual property, design documents, trade secrets and so on.
  2. Physically Destroying or degaussing hard-drives — Physical destruction may be a better control but can it be your primary means of data destruction? Its been a traditional idea to destroy the physical asset that holds the information, so you leave no scope for recovery. However two challenges here .

a) Third party engagement — Cybersecurity is heading towards zero trust philosophy today. Can you handover your hard-drives with sensitive data to third parties (without due diligence) to either degauss or destroy ? Morgan Stanley was asked to pay 35M as a fine due to data leakage. Like mentioned earlier in the article, the risk is too high when data is stolen or leaked/breached.

 

b) E-waste — When you physically destroy your assets, aren’t you essentially contributing to e-waste? Can these assets not be repurposed if data wipeout is assured?

c) Destruction before End Of Life — The hardware assets have a price tag and life. If you destroy hard-drive after use of 6 months as it holds sensitive data, can you convince your CFO on the ROI?

 

Final words

In a nutshell, today data is scattered everywhere in the organized. It needs to be protected during all stages and controls can’t be relaxed ,especially during data disposal stage. Be the organization that provides assurance to customers that data is safe until its disposal.

Referral links

https://www.linkedin.com/company/cyberfitsolutions/

 


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


CEO and Co-founder, CyberFIT solutions | CISO | Risk transformation and Business resilience | Privacy | Leader

© Copyright nasscom. All Rights Reserved.