There is so much information produced, stored and exchanged across the digital universe every day. And we live such digital-first lives – whether it’s always clicking and swiping away on our smartphones and tablets, having multiple computers and laptops, upgrading our hard drives to store even more information or buying the latest wearable not because we need it, but because we just want the newest shiny thing. Now consider this: 35 percent of consumers trade in, sell or donate their mobile devices every two to three years – and this is just mobile, what about all of the other connected devices we can’t live without? Forbes estimated that 544 million HDD units were shipped in 2014 – that’s a lot of data being stored on these devices.
So, if the statistics are right, what’s happening to all of the data on those 68 million plus recycled devices? Are businesses and consumers taking responsibility for the information contained in those used devices once they leave their desks and pockets? Are they relying on quick fixes to wipe data? Do they even know the difference between quick format, reformatting and random overwriting of data? It’s pretty scary when you think about it. And it falls in line with what we found in our data recovery study, where we purchased over 120 used hard drives and mobile devices from Amazon, eBay and Gazelle. The results were astounding – nearly half (48 percent) of the used hard drives still held significant volumes of data on them and 40 percent of the used mobile devices contained leftover data from the original owners, including thousands of emails, text/SMS messages, instant messages, call logs, photos and videos.
To highlight the danger of failing to properly erase drives, here are six of the biggest security implications of leftover data on used electronics – including hard drives and mobile devices.
#1: Just because you can’t see the data doesn’t mean it’s not there.
There seems to be a common misconception that if you can’t see or find the data, then it must be gone. Right? Wrong. The truth is ‘deleted’ files don’t go anywhere. When you delete files from your hard drive, the file’s data is still there. In reality, you’re just deleting the pointer to the data. Imagine your hard drive is like a library. To find the book you want, you get a reference number from the library’s database – and that leads you to the section of the library where the book can be physically found. Now suppose you remove the book’s entry from the library’s database, so that pointers to its location no longer exist. But, and this is important, the book still remains in the library. It now becomes a case of using more sophisticated methods to locate it. This same analogy can be applied to deleting files.
So how can you make sure that both the data and the pointers to the data are permanently removed from your hard drive? Secure data erasure. 100% certified secure erasure of your hard drive is the only way you can rest assured that your data is truly destroyed.
#2: There are three ways to format hard drives – and none are fail-proof.
A lot of hard drives pass through businesses every day. But at some point or another, it will be time to get rid of these hard drives. Whether they’ve hit their end of life and are no longer reusable, or they’re resold as ‘refurbished’ via online ecommerce sites like Amazon or eBay – the sad fact is that many businesses today still use very basic methods of wiping data clean.
That’s a big problem because there’s a high chance that data is still left on them once their new owner begins to use them. I’m not just using conjecture here. According to a study by BT and SIMS Recycling Solutions, 34 percent of discarded hard drives still contain confidential data. So it comes as no real surprise when we hear stories of data breaches in the news – much like the story of how the details of one million bank customers were found on a computer sold on eBay.
There are three types of hard drive formatting – low-level, quick and full – all of which work in slightly different ways. Low-level formatting involves pattern filling the drive at the lowest level to reset it back to the factory settings. This is a time-consuming process and one that is rarely used. More commonly used are quick and full formatting. Quick format recreates the metadata area of the drive. So for Windows, as an example, it will create a new MFT, log and bitmap area on the drive, but will not overwrite any other data. Meanwhile, full formatting scans all sectors, including the bad ones and pattern fills the active blocks. It also includes a sector remap function. All of these formatting methods give the appearance that data has been removed once and for all. But as the saying goes, looks can be deceiving and the data cannot be totally expunged through these wiping methods.
#3: Policies and procedures are just as important as the wiping method itself.
However small or large a business might be, the risk of a data breach is just as great and every business should have written data security policies and procedures in place. What are the main things businesses need to consider in their policy?
Encryption or tight security rights are a must. This determines the levels of control – which employees are granted access to specific files. And let’s not forget the all-important BYOD. Your BYOD policies need to identify where all of your corporate and customer data are being stored, which employees have access to which types of data, and most importantly, what happens to your IT assets (including hard drives, computers/laptops, smartphones, tablets, flash media drives, etc.) when an employee leaves the company. And I can’t stress this enough – a specific individual needs to be placed in charge – and held accountable – to make sure everyone is sticking to these procedures because there’s no point in having them if they’re being ignored.
#4: When your equipment is no longer usable, you can’t do it alone. Hire an IT asset recycler.
A lot of businesses hire external disposal or recycling agencies to help them get rid of IT assets. This is great practice and one that can save businesses a great amount of time, money and internal resources. But before you join forces with an IT asset recycler, here are some questions to ask.
- What processes does the recycler have in place to verify how your IT assets will be handled?
- Can they guarantee that all types and traces of data have been erased forever and will never resurface?
- Do they have any physical proof of this guarantee?
- What’s the lead time between when hard drives leave the premises and when they are erased?
All of these points have to be confirmed and agreed to by both sides in a contractual agreement. Finally and most importantly, how do you verify your hard drives have been fully and irrevocably erased? Now here’s something many businesses still fail – or simply forget – to do. Audit your IT recycler’s processes regularly and have a data recovery specialist do spot checks of erased drives. Don’t ever take anyone’s word for it. Otherwise, you’re just putting your company, your employees and your customers at risk unnecessarily.
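The difference between a quick format and an overwrite described under #2, and the kind of spot check described above for a drive that is supposed to be erased, shown as an added example that is not from the original article. The toy disk layout, sector numbers and file contents are constructed for illustration and do not model a real file system.

```python
SECTOR = 512
META_SECTORS = 8  # assumed size of the toy metadata area (not a real MFT layout)
SIGNATURES = {b"%PDF-": "pdf", b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip/office"}

def put(img, sector, data):
    """Write data at the start of the given sector."""
    off = sector * SECTOR
    img[off:off + len(data)] = data

def build_image(total_sectors=64):
    """Constructed sample disk: an index in the metadata area plus two 'files'."""
    img = bytearray(total_sectors * SECTOR)
    put(img, 0, b"INDEX report.pdf@20 photo.jpg@40")  # the pointers
    put(img, 20, b"%PDF-1.4 payroll 2014 (constructed)")
    put(img, 40, b"\xff\xd8\xff\xe0 holiday photo (constructed)")
    return img

def quick_format(img):
    """Recreate only the metadata area; data sectors are left untouched."""
    img[0:META_SECTORS * SECTOR] = bytes(META_SECTORS * SECTOR)

def overwrite(img, pattern=b"\x00"):
    """Single-pass pattern fill of every sector (assumed wipe method)."""
    img[:] = pattern * len(img)

def spot_check(img, pattern=b"\x00"):
    """Return (dirty_sectors, signature_hits) for an image expected to be wiped."""
    clean = pattern * SECTOR
    dirty, hits = [], []
    for n in range(len(img) // SECTOR):
        sec = bytes(img[n * SECTOR:(n + 1) * SECTOR])
        if sec != clean:
            dirty.append(n)  # anything not matching the wipe pattern is leftover
            for magic, kind in SIGNATURES.items():
                if sec.startswith(magic):
                    hits.append((n, kind))
    return dirty, hits

def demo():
    img = build_image()
    quick_format(img)
    after_quick = spot_check(img)  # index is gone, file contents are not
    overwrite(img)
    after_wipe = spot_check(img)   # nothing left to find
    return after_quick, after_wipe

if __name__ == "__main__":
    print(demo())
```

On a real device the same check would read the raw block device or an image of it; sectors the drive has remapped are not visible to this kind of read.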
#5: Just because equipment stays inside a company doesn’t mean the risks aren’t as grave.
Does your organization pass on devices from employee to employee? Chances are that it happens pretty often. But what happens to the data left on the device from the previous employee? The hard drive may have been formatted using one of the three methods I described earlier, but in truth, the data is still there.
Some IT professionals in a company might argue this isn’t a big deal because the device is still staying within the company. Sure it’s staying in the company, but let’s not forget how easy and common it is for these hand-held devices to be lost or stolen. According to Consumer Reports, about 3.1 million American consumers were victims of smartphone theft in 2013. Now add to that figures from EE, which indicate almost 10 million smartphones, tablets and laptops have been lost by employees across Britain. These combined numbers paint a pretty dismal picture. Failing to erase data before and after devices change hands between employees is just bad business.
Then comes the question – should employees be given permission to access all types of company data? A laptop containing confidential data from an employee working in the human resources department, which is then formatted and passed on to another employee on the marketing team, will still contain that original information. But should the second marketing employee be privy to seeing sensitive, confidential HR files and documents? I’m going to say, pretty definitively, that it’s not very likely. Just think about what could happen if that second marketing employee decided to upload one of the HR department’s files and tweet about it on Twitter. A journalist could see it and that could lead to a firestorm of negative publicity. Or a competitor could see it and manipulate the information to undercut the company’s reputation. Companies are highly protective of their intellectual property and confidentiality for a reason – so why would you do anything that could jeopardize that?
#6: The buck stops with you to protect your data.
Whether you’re a business or an employee working for a multinational retailer or financial institution, the buck stops with you. It’s up to you to protect the data on your hard drive. We see so many news stories and studies uncovering security flaws and vulnerabilities in specific operating systems. But the truth is that every OS has its flaws; it’s how you protect yourself that matters.
The larger and more established manufacturers have the most advanced security capabilities installed on their devices. But if the user doesn’t take full advantage of these, they’re increasing their risk. If businesses take the time to educate employees on the simple steps that could safeguard them against data breaches and online fraud, you can bet we’d see things change for the better. Of course, there are always exceptions and not every device is 100 percent safe. It’s all about taking as many steps as possible to protect our data.