Data recovery service provider checklist: Who really has your data?

What do you know about your data recovery service provider? Learn what to ask before you trust one with your data -- and what you're risking if you neglect to vet one properly.

Ponemon Institute LLC, a privacy and information management research center, has put together a checklist for vetting third-party data recovery service providers based on the results of a recent survey. The survey garnered information about data recovery operations within organizations across the country and yielded some surprising results, including the fact that many companies do not properly vet data recovery service providers as they would any other service provider, largely because it's not always a long-term partnership.

"Organizations are selecting the least expensive [data recovery] option or whoever can get [a device] back in the shortest amount of time and sacrificing security," said Larry Ponemon, the institute's founder and chairman.

The independent study surveyed 636 IT security and IT support practitioners actively involved in their organization's data security or data recovery operations. Seventy-nine percent of respondents reported that their organizations have used or will use third-party data recovery service providers to recover lost data. And while 82% of respondents believe that data security should be a major criterion when selecting a data recovery service provider, only 20% say it's a major factor today.

With more compliance regulations, legal mandates and security protection protocols popping up across the country, security awareness is heightened, according to Paul Reymann, CEO of security consulting firm Reymann Group Inc. But while increased awareness is leading organizations to uncover hidden "sleeper risks," they aren't always top priority.

"Let's face it, data recovery is not sexy," Reymann said. "When prioritizing risks, the focus is on insider threats, network and device security and cybercrime -- not where we're sending our laptops out for repair. That's not grabbing anyone's attention."

But it should. Companies have more mobile devices floating around their networks than ever before -- each carrying some level of sensitive data. While this is a huge problem for all organizations, Reymann said smaller companies have a lot more to lose in the event of a data breach and should be paying special attention to where their data ends up.

"Larger companies have larger volumes of data to protect so the risk [of lost data] is higher, there are more devices and employees to account for," he said. "But for the little guy, they don't have the resources or the finances to bounce back from a data breach -- so they won't survive."

Finding a secure data recovery service provider

In many organizations, Reymann said, data recovery is lumped in with disaster recovery and business continuity plans. And while this approach may work for some situations, not all devices are properly and regularly backed up. Plus, there are those one-off, crunch-time situations that arise, and that's where many organizations struggle to find a safe service provider, Reymann said.

Weak links in the data recovery chain
How often do security breaches actually occur? "More often than you care to know about," according to Larry Ponemon, founder and chairman of Ponemon Institute LLC.

In one case, Ponemon said that a financial services company worked with a data recovery provider and at first, it went well. Then the financial services company started getting customer complaints of identity theft. "Come to find out, the data recovery company had criminals working for them who were stealing this data, making copies and then selling it," he said.

And even if your company isn't the prime target, the data recovery services provider you're working with might be. "If you send your laptop out, whether it's to a two-person team that does this part time in their garage or just an organization that isn't mindful of the data, they are the weakest link in the chain," he said. "Your data is a lot easier to get to through them." -- K.C.

"If you Google data recovery services, you get 42 million results," he said. "Without some independent standard to compare these up against, how does the average midmarket IT shop pinpoint a reliable and affordable option?"

Ponemon recommends vetting data recovery service providers by asking the following questions:

  • Does the provider have some type of independent verification proving that they are compliant with information security controls, International Organization for Standardization guidelines and PCI DSS? Look for proof of internal IT controls and data security safeguards such as compliance with SAS 70 audit reports.
  • Are engineers trained and certified in all leading software products and platforms? "You want to make sure that the people that are doing this are actually going to be doing it right," Ponemon said. Look to see that there are Certified Information Systems Security Professionals and other people with credentials demonstrating their knowledge.
  • Is there proof of chain-of-custody documentation and a certified secure network? Once it leaves your organization and is in someone else's hands, "You want to make sure your data is accounted for every step of the way," Ponemon said.
  • Are employees vetted and are their backgrounds checked?
  • Is data secured and permanently destroyed when required? "[The service provider] may keep an image as backup for a period of time, but this should be kept for a short amount of time and then permanently destroyed," Ponemon said.
  • Are data files encrypted while in transit?
  • Is there proof of an ISO 5-certified (Class 100) cleanroom? "A lot of data recovery done within organizations or outsourced is not done in a cleanroom," Ponemon said. "Dust could render the entire process useless."

Let us know what you think of this tip; email Kristen Caretta, Site Editor, or follow her on Twitter @kcaretta.
