When data recovery becomes a data disaster

Published: February 21, 2012 by ofonseca

Your server crashed. You dropped your storage device. Your computer drive failed. And there’s no backup in sight. Who ya gonna call? A data recovery vendor, of course.

Not so fast. Before you madly dial for help, beware of unscrupulous providers who turn data recovery services into data breach scams. According to a recent report from the Ponemon Institute, organizations are overlooking security precautions when turning to third-party data recovery services, prioritizing speed over safety at their own peril. And that peril can come in the form of a major disruption in business, financial loss, and in some cases the closure of the affected company.

Ponemon’s recent “Trends in Security of Data Recovery Operations,” which surveyed 769 IT professionals, noted that 87% of respondents had experienced a data breach in the past two years. Of these respondents, 21% admitted that the breach occurred while the drive containing the data was with a third-party data recovery service.

The report also found that:

• 85% of respondents report that their organizations have used or will continue to use a third-party data recovery service provider to recover lost data, with 39% saying they use third parties at least once a week.

• 54% of respondents confirmed that IT security is excluded from selecting third-party data recovery providers, which could play a role in IT support’s placement of speed over security. 81% of respondents said that speed of recovery was the most important factor in choosing a vendor, with 75% stating that the ability to successfully recover data was the paramount concern.

• 54% of respondents do not require third-party data recovery vendors to comply with leading security guidelines.

• 83% of respondents agreed that third-party vendors should be required to ensure that data is securely and permanently destroyed from their systems after the information has been recovered, but only 9% actually do so.

The report recommends that organizations institute policies and guidelines for selecting and using a data recovery service provider. This includes precautions such as agreements for cloud storage providers that outline the need for notification should a data loss occur and a data recovery service provider be hired. If third-party recovery service providers don’t adhere to the strictest data security guidelines, the healthcare, government and financial organizations that hire them could be in breach of the laws that bind them to the highest security standards.