Data-recovery service providers are supposed to be saving important data for you when something goes wrong -- a drive crashes or a storage device is dropped, and no backup is available. But do you trust them with the important data you let them recover, or could they actually be a source of a data breach?
A survey of 769 IT professionals published this week finds those surveyed need to find out more about the third-party data-recovery services their organizations use. For example, according to the survey, 67% felt that encryption they had in place protected their organizations from data loss or theft during the data recovery process. But encryption keys are often handed over to the third-party data recovery service provider as part of the process, according to the study done by Ponemon Institute.
Ponemon's "Trends in Security of Data Recovery Operations" report says of the 87% of survey respondents who said their organization had at least one data breach in the past two years, "21% say the breach occurred when a drive was in the possession of a third-party data service provider."
The Ponemon survey suggests IT professionals may be a little in the dark. Thirty-two percent of the IT professionals admitted they were unclear about the vetting process for selecting the data-recovery service provider, and 11% outright declared it to be "poor." Another 25% judged it "fair," and only 32% deemed it "excellent" or "good." The speed and success of the provider were the most important factors for the survey's respondents, but little consideration was given to confidentiality and security. The survey was sponsored by DriveSavers Data Recovery.
The IT desktop and helpdesk managers were the most responsible for selecting the data-recovery service providers, but only about half of the survey's respondents said IT security is involved. Final selection of the vendor is often based on a background check of the vendor and analyzing the vendor's storage-device disposal procedures.
In the survey, fewer than half said they ask the data-recovery service provider to adhere to some sort of security guidelines. The most requested security measure was encryption for data files in transit, mentioned by 28%, followed by a Certified ISO (Class 100) "cleanroom" by 23% and a demand for evidence of safe handling of devices, also by 23%. But only 16% said they demanded proof-of-custody documentation, though 80% said they should require it. Fewer than a third were confident they'd be notified if a data breach resulted from errors or mistakes.
Cloud service providers also figured into the survey, with the Ponemon Institute asking survey respondents how much was known about their cloud-service provider's data-recovery practices, if any. Fifty-five percent said their organization does use a cloud-service provider, but only 19% expressed any degree of confidence that if the cloud-service provider engaged a third-party data-recovery vendor, it would let them know.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.