“While the need to recover data is often time sensitive, every effort must be made to ensure that the organization’s confidential and sensitive data is protected during the recovery process,” said Michael Hall, CISO at DriveSavers Data Recovery. “The consequence of using an unscrupulous data recovery vendor can lead to loss or theft of sensitive and confidential information. That could mean a major disruption in business, financial loss and in some cases, closure of the business.”
Ponemon interviewed 769 IT security and IT support practitioners in US healthcare, financial and government organizations, most of who report to CIOs and CISOs. Here are the study highlights:
Increased Use of Third-Party Data Recovery Vendors (as often as once a week) – Eighty-five percent of the respondents report their organizations have used or will continue to use a third-party data recovery service provider to recover lost data. This is an increase from 79 percent in the previous study. In fact, 39 percent say they use third parties at least once each week or more.
Loss of Business-critical Data Drives Use of Data Recovery Vendors – Organizations most often use third party data recovery vendors when intellectual property, financial information and customer/patient data files have been lost. IT desktop and helpdesk support managers typically select data recovery service providers. Mandated to close job tickets fast, speed ranks higher than security in their selection criterion according to the study.
IT Security Often Excluded from Data Recovery Vendor Selection Process – Fifty-four percent of respondents confirmed that IT security is excluded from selecting third-party data recovery providers, which could play a role in IT support’s placement of speed over security. Organizations admit that they need to improve their due diligence for vetting third-party vendors and their data recovery certification.
Data Breaches on the Rise at Data Recovery Vendors – Of the 87 percent of respondents who experienced a data breach in the past two years, 21 percent say the breach occurred when a drive was in the possession of a data recovery vendor. This is an increase from the previous Ponemon study. Many respondents who experienced a data breach during the data recovery process point to the vendor’s lack of security protocols.
Unknown Whether Cloud Service Providers Would Report a Data Loss/Recovery Incident – More than half of the surveyed organizations use a cloud storage service provider. While 69 percent of the respondents feel notification from the cloud provider should be required if their servers crash and drives are outsourced for data recovery, only a small percent (less than 10 percent) are confident that their service provider would notify them if they engaged the services of a data recovery provider. Fifty-seven percent are not confident that they would be informed at all.
Leading Security Guidelines are not Considered When Selecting a Data Recovery Provider – According to the study, 54 percent of respondents do not require third-party data recovery vendors to comply with leading security guidelines such National Institute of Standards and Technology (NIST) and International Organization of Standards for Business, Government and Society (ISO).
Based on the Ponemon findings, organizations should have policy and guidelines in place for selecting and using a data recovery service provider. In addition, organizations need to address potential new threats to the security of data during the data recovery process, including business associate agreements for cloud storage providers that outline the need for notification should a data loss occur and the services of a data recovery vendor be engaged. Respondents of the Ponemon studies developed a Data Security Checklist for vetting third-party data recovery service providers.
Healthcare organizations, government agencies and financial organizations are required by law to meet the most stringent data security guidelines and are now requiring third-party data recovery vendors to meet these same guidelines. DriveSavers adheres to the Gramm-Leach-Bliley Act Data Security Rule (GLBA), the Data-At-Rest mandate (DAR), the Sarbanes-Oxley Act (SOX) and Health Insurance Portability and Accountability Act (HIPAA).
DriveSavers Data Recovery, the worldwide leader in data recovery services, provides the fastest, most reliable and only certified secure data recovery service in the industry. DriveSavers is the only data recovery company to post proof of annual, company-wide SAS 70 Type II Audit Reports and its HIPAA data security compliance. DriveSavers High Security Service adheres to US Government security protocols, the Gramm-Leach-Bliley Act Data Security Rule (GLBA), the Data-At-Rest mandate (DAR) and the Sarbanes-Oxley Act (SOX). DriveSavers maintains the most technologically advanced Certified ISO 5 (Class 100) cleanroom in the industry and is authorized to open storage devices by all major storage device manufacturers without voiding the warranty. DriveSavers engineers are trained and certified in all leading encryption and forensics technologies. Satisfied customers include: Bank of America, Google, Lucasfilm, NASA, Harvard University, Salvation Army and The Rolling Stones. (http://www.drivesaversdatarecovery.com)