Ponemon Institute LLC, a privacy and information management research center, has put together a checklist for vetting third-party data recovery service providers based on the results of a recent survey. The survey garnered information about data recovery operations within organizations across the country and yielded some surprising results, including the fact that many companies do not properly vet data recovery service providers as they would any other service provider, largely because it's not always a long-term partnership.
The independent study surveyed 636 IT security and IT support practitioners actively involved in their organization's data security or data recovery operations. Seventy-nine percent of respondents reported that their organizations have used or will use third-party data recovery service providers to recover lost data. And while 82% of respondents believe that data security should be a major criterion when selecting a data recovery service provider, only 20% say it's a major factor today.
With more compliance regulations, legal mandates and security protection protocols popping up across the country, security awareness is heightened, according to Paul Reymann, CEO of security consulting firm Reymann Group Inc. But while increased awareness is leading organizations to uncover hidden "sleeper risks," those risks aren't always a top priority.
"Let's face it, data recovery is not sexy," Reymann said. "When prioritizing risks, the focus is on insider threats, network and device security and cybercrime -- not where we're sending our laptops out for repair. That's not grabbing anyone's attention."
But it should. Companies have more mobile devices floating around their networks than ever before -- each carrying some level of sensitive data. While this is a huge problem for all organizations, Reymann said smaller companies have a lot more to lose in the event of a data breach and should be paying special attention to where their data ends up.
"Larger companies have larger volumes of data to protect so the risk [of lost data] is higher, there are more devices and employees to account for," he said. "But for the little guy, they don't have the resources or the finances to bounce back from a data breach -- so they won't survive."
Finding a secure data recovery service provider
In many organizations, Reymann said, data recovery is lumped in with disaster recovery and business continuity plans. And while this approach may work for some situations, not all devices are properly and regularly backed up. Plus, there are those one-off, crunch-time situations that arise, and that's where many organizations struggle to find a safe service provider, Reymann said.
"If you Google data recovery services, you get 42 million results," he said. "Without some independent standard to compare these up against, how does the average midmarket IT shop pinpoint a reliable and affordable option?"
Ponemon recommends vetting data recovery service providers by asking the following questions:
- Does the provider have some type of independent verification proving that they are compliant with information security controls, International Organization for Standardization guidelines and PCI DSS? Look for proof of internal IT controls and data security safeguards such as compliance with SAS 70 audit reports.
- Are engineers trained and certified in all leading software products and platforms? "You want to make sure that the people that are doing this are actually going to be doing it right," Ponemon said. Look to see that there are Certified Information Systems Security Professionals and other people with credentials demonstrating their knowledge.
- Is there proof of chain-of-custody documentation and a certified secure network? Once it leaves your organization and is in someone else's hands, "you want to make sure your data is accounted for every step of the way," Ponemon said.
- Are employees vetted and are their backgrounds checked?
- Is data secured and permanently destroyed when required? "[The service provider] may keep an image as backup for a period of time, but this should be kept for a short amount of time and then permanently destroyed," Ponemon said.
- Are data files encrypted while in transit?
- Is there proof of an ISO 5-certified (Class 100) cleanroom? "A lot of data recovery done within organizations or outsourced is not done in a cleanroom," Ponemon said. "Dust could render the entire process useless."