The PC Recycle Bin Lurks as a Major Data Breach Source
Much has been made of policies around network access and data storage security in the fight against data breaches. But the lowly PC Recycle Bin lurks as one of the biggest sources of breachiness out there.
According to a study from Blancco Technology Group, more than half (53%) of global IT professionals confuse “erasing” data with “deleting” data. In fact, about a third (31%) reported dragging individual files to the Recycle Bin. That’s a problem considering that more than half (51%) of the respondents believe files are permanently gone when they empty the Recycle Bin on their desktop computers/laptops.
“Over the last several years, we’ve worked with businesses in the finance, healthcare and government sectors to help them understand the need to permanently and verifiably erase data from IT equipment and devices,” said Richard Stiennon, a former Gartner analyst and chief strategy officer of Blancco. “But while organizations may see the value of data removal when their equipment reaches end of life, they often overlook and dismiss the importance of erasing active files from desktop computers, laptops, external drives and servers. In doing so, they leave large volumes of sensitive, confidential and potentially compromising data exposed and vulnerable to loss or theft.”
The study also found that about a fifth of respondents (22%) said they reformat the entire drive to eliminate data. And half (51%) believe performing a quick format and/or full reformat of a computer’s entire drive is sufficient.
Despite a clear lack of understanding about how their computers actually work, data removal, historically overlooked or considered a lesser security threat, is inching up the list of IT security priorities. Over one-third (34%) of the respondents said data removal is high on their overall list of IT security priorities and 47% place it in the middle of their priority list.
About 14% of IT professionals are most concerned with securing confidential product development materials, followed by company revenue statements (12%), customer contracts (11%), usernames and passwords to the company intranet (10%), and login credentials to company systems and portals (9%).
Stiennon said, “With 2.5 quintillion bytes of data created every day, it’s critical that data is safely erased when it’s no longer needed, or when regulation demands its removal, as in the case of the EU GDPR. Only by controlling the metastasizing of data through secure data erasure, coupled with data retention policies, can organizations minimize the likelihood of data breaches.”
Storage and handling of IT equipment is an issue too, the study found. A third (33%) of IT professionals store non-functional desktop/laptop computers, external drives and servers in easily accessible, unsecured locations.
All of this points to a broader issue: Data retention policies need better oversight and enforcement—or implementation in the first place. About 30% of organizations don’t have written data retention or removal policies at all.
Source: Information Security Magazine