Erasing data securely isn’t particularly difficult, if you combine a robust process with the determination that it is followed correctly. It also requires the understanding that not all data removal methods are created equal. Employees responsible for using and sharing corporate data must understand their responsibilities around erasing data. And the IT professionals responsible for erasing data when it is no longer needed must have appropriate motivation to keep policies up-to-date and regularly enforced.
At a recent meeting at the Goring Hotel in central London, sponsored by secure data erasure specialists Blancco Technology Group, a dozen senior privacy, security and data professionals discussed how best to manage the critical issue of secure data erasure.
A simple process
It is crucial for any organisation to be able to erase redundant data securely, both to protect confidential or proprietary information from unauthorised access, and to comply with increasingly stringent consumer data protection mandates, including Europe’s General Data Protection Regulation (GDPR).
And while creating and implementing comprehensive data sanitisation policies takes effort, the actual process is relatively simple, it was agreed, so long as sensible and practical steps are taken. In fact, there are just four steps in the data erasure process: identify, erase, verify and certify.
The first step is to identify data that can be erased. Perhaps it is obsolete, it is simply no longer needed or it has surpassed its legal retention period? Perhaps it has been corrupted? Perhaps it is so trivial it doesn’t matter? Perhaps it is redundant (duplicative)?
Whatever the reason, it’s important to check the data really is no longer needed and is free to be disposed of. So ask some questions:
• Who owns the data? What department, system, role, or personnel created the data? Consult with them on the value and use of that data, along with any backups
• Is erasing it a risk? Conduct a systems analysis to see whether any important processes will be affected if the data is erased
• Are there mandated retention periods for the given data, and if so, is that data captured elsewhere for the assigned timeframe?
Based on the answers to these questions, you can decide whether erasing the data is appropriate or whether some other action, such as on- or off-site storage, is appropriate.
Of course, it is easy to say that the data isn’t obsolete. Perhaps one day it might be needed? Discipline is needed here. People should be taught that if data is not an asset, then it is a liability. This principle should be reflected in your organisation’s retention and IT security policies, which in turn should be compliant with regulations such as GDPR, HIPAA, PCI DSS and NIST SP 800-88, as well as internal security policies and best practices.
Once data has been identified for erasure, the next step is to erase it. If there is a large backlog of data to erase, treat this as a project where there are milestones and early wins so people can see progress – don’t wait until the end of the project to report results.
After any initial project, data erasure should be a continuous process where obsolete and redundant data is highlighted as it becomes unnecessary and treated appropriately. This may well involve a change to existing processes. It is likely to involve difficult cultural change, as the default mindset in many organisations is to keep data, ‘just in case’.
Verify and Certify
The third and fourth steps in the process are to verify the data has been securely erased and ensure that you have the documentation to prove it. This is crucial in the event that you must prove data sanitisation to regulators or to a client. Has permanent data erasure really taken place? Don’t forget to consider duplicated data on the networks of your partners and suppliers, and in the cloud.
Making data erasure work
There is more to data erasure than this simple ‘identify, erase, verify, certify’ process, though. It takes effort, so you will need to build a business case for it. To do that: highlight an issue that could cause damage or waste resources; identify the potential cost (GDPR fines are very useful here); and identify the cost of fixing it. It will also be helpful to identify the benefits of data erasure: a smaller data attack surface, less data to manage and store, and a record of compliance with data privacy and protection mandates.
Someone must lead this process. Is the only consideration cost, or are there other issues such as sustainability and ethical data handling? Ultimately, it must be the organisation’s leaders who set the policy, sign off the controls that support the policy and monitor the effectiveness of the policy.
But they need the right information to do this. So, an organisation needs to decide what that information is and, importantly, who can present information to the board in a way they will engage with. Who is credible and has their ear? This person could be from anywhere in the organisation – e.g., the risk function or finance – but they must understand the significance of the data under discussion.
While organisational leaders don’t necessarily need to understand the relevant technological issues, they will need to ensure the people responsible for defending data have access to the right information and guidance, including access to experts in the area.
In many organisations, the non-executive directors have an important role in ensuring the board takes accountability for the risk of data breaches around old and new data, and for data erasure policies.
While organisational leaders should have accountability for data erasure, a specialist such as a chief data officer will be responsible for designing the processes for data erasure. This can be difficult in large organisations where different business units may well share data and have different priorities around its usage and storage.
This can imply the need for some form of over-arching data owner who has responsibility for keeping or erasing corporate data, and who can act as an impartial umpire when different parts of the organisation clash over data erasure policies.
A robust and up-to-date policy – ‘As up to date as it can be,’ delegates emphasised, in light of rapidly changing technology – is an essential tool. Organisational leaders and senior management must sign off and believe in this policy. And they must believe in its importance.
When developing a data erasure policy, consider:
• What government and industry regulations and standards require
• How the policy will be audited to see how it is working and where any dangers are apparent
• Processes and ways of working that achieve the policy’s objectives of secure erasure
• The feedback loop for reporting back to those who have authority on how the policy is performing
Policy needs to be supported by processes designed to deliver on policy objectives. For example, some of Blancco’s customers verify their data erasure policies are working by sending redundant and malfunctioning drives to third-party data recovery organisations to prove that no data remains on them. This is a good practice and also may help make the business case to the organisation that data erasure is secure.
Appropriate processes for secure data erasure should be based on the policy and supporting controls. Processes need to include:
• Ways of working that reduce the risk of creating redundant data
• Ways of working that signal when data becomes obsolete or corrupted or when redundant versions are created
Evangelising and adopting these processes throughout an organisation involves multidimensional change management practices that include:
• The ability to access the policy
• The ability to understand the policy (training)
• Campaigns to generate continuous awareness of the importance of data erasure
• A code of conduct that people have signed up to – and in which they believe
Creating strong processes can be challenging but rewarding. Large organisations are likely to have complex requirements, including legacy systems that may make it hard to spot when data becomes obsolete or when redundant instances of data are created. In contrast, small organisations are often simply bad at process. For both large and small organisations, the automation of straightforward tasks – e.g., data erasure based on retention rules or file types – can be helpful.
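As an added illustration (not code from the article or from Blancco), the sketch below automates the identify step from retention rules and keeps a hash-chained record for the certify step, so a later change to any certificate is detectable. The retention periods, inventory records, field names and the "example-overwrite" method label are constructed assumptions; the erase and verify steps are left to the sanitisation tool, whose result is passed in as `verified`.

```python
import hashlib, json
from datetime import date, timedelta

# Constructed retention rules (days per data class) and inventory; not from the article.
RETENTION_DAYS = {"invoice": 7 * 365, "cv": 180, "web_log": 90}
INVENTORY = [
    {"id": "A1", "owner": "hr", "data_class": "cv", "created": date(2023, 1, 10)},
    {"id": "A2", "owner": "finance", "data_class": "invoice", "created": date(2020, 3, 1)},
    {"id": "A3", "owner": "hr", "data_class": "cv", "created": date(2022, 5, 1), "legal_hold": True},
    {"id": "A4", "owner": None, "data_class": "web_log", "created": date(2021, 1, 1)},
]

def identify(record, today):
    """Return 'retain', 'review' or 'erase' for one inventory record."""
    if record.get("legal_hold"):
        return "retain"  # a mandated hold overrides the retention rule
    limit = RETENTION_DAYS.get(record["data_class"])
    if not record.get("owner") or limit is None:
        return "review"  # no owner to consult or no rule yet: never erase automatically
    return "erase" if record["created"] + timedelta(days=limit) < today else "retain"

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def certify(log, asset_id, method, verified, today):
    """Append a hash-chained certificate entry; refuse unverified erasures."""
    if not verified:
        raise ValueError(f"{asset_id}: erasure not verified, no certificate issued")
    entry = {"asset": asset_id, "method": method, "date": today.isoformat(),
             "prev": log[-1]["digest"] if log else "0" * 64}
    entry["digest"] = _digest(entry)
    log.append(entry)
    return entry

def audit(log):
    """Recompute the chain; False if an entry was altered or the links are broken."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "digest"}
        if entry["prev"] != prev or entry["digest"] != _digest(body):
            return False
        prev = entry["digest"]
    return True

def run_demo(today=date(2024, 6, 1)):
    decisions = {r["id"]: identify(r, today) for r in INVENTORY}
    log = []
    for asset in [a for a, d in decisions.items() if d == "erase"]:
        certify(log, asset, "example-overwrite", True, today)  # verified comes from the tool
    return decisions, log
```

A chain like this does not detect removal of the most recent entries, so the latest digest should also be recorded somewhere the log's custodian cannot change.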
Explaining the importance, as well as the challenge of secure data erasure, will help IT professionals engage with this issue.
It can also help if the importance of data erasure across the organisation is emphasised. Explain the value, not just for IT, but also for marketing (for branding issues), legal (for compliance issues), and for the organisation’s leadership team (for reputational issues). Positioned well, the professionals responsible for data erasure can be heroes across the organisation.
But data erasure isn’t just the responsibility of IT professionals. It is something that all employees need to address. And that is where cultural change comes in – not something perhaps that most IT professionals usually deal with but an important skill for anyone hoping to move to senior positions within an organisation.
At the basic level, there is a need for people to have the right information, and to understand it. Training people in data erasure processes isn’t just about what they should do; it’s also about why they should do it. Train people so they understand their responsibilities and roles in keeping data safe.
Self-reporting is also important. Where employees make, or see, errors and omissions in relation to data policies, such as the creation of redundant instances of data or data that is kept for longer than it should be, they need to have the confidence to raise the issue.
Of course, if your organisation has a blame culture, then people are very unlikely to report when they make errors. And that’s why having a culture where the organisation encourages employees to learn from mistakes, rather than punishing them, is very productive. (Of course, as several delegates pointed out, there is a line to be drawn between an honest mistake and repeated negligence or even wilful misconduct.)
Ultimately, though, there is a requirement to understand what drives people to keep data safe. Is it fear or pride in a job well done? Is it because appropriate data erasure is seen as important for an organisation’s customers? Is it because sustainable business practices, such as the recycling or donation of equipment that once held corporate data, are promoted through secure data erasure?
Whatever the reason, organisations must encourage these drivers. Data sanitisation is a small but crucial part of any organisation’s drive towards efficiency and profitability.
Blancco is the industry standard in data erasure and mobile device diagnostics.
Blancco data erasure solutions provide thousands of organisations with the tools they need to add an additional layer of security to their endpoint security policies through secure erasure of IT assets. All erasures are verified and certified through a tamper-proof audit trail.
Blancco data erasure solutions have been tested, certified, approved and recommended by 15 governing bodies and leading organisations around the world. No other data erasure software can boast this level of compliance with the rigorous requirements set by government agencies, legal authorities and independent testing laboratories.