Data-recovery service providers are supposed to be saving important data for you when something goes wrong - a drive crashes or storage device is dropped, and no backup is available. But do you trust them with the important data you let them recover or could they actually be a source for a data breach?
A survey of 769 IT professionals published this week finds those surveyed need to find out more about the third-party data-recovery services their organisations use. For example, according to the survey, 67 percent felt that encryption they had in place protected their organisations from data loss or theft during the data recovery process. But encryption keys are often handed over to the third-party data recovery service provider as part of the process, according to the study done by Ponemon Institute.
Ponemon's "Trends in Security of Data Recovery Operations" report says of the 87 percent of survey respondents who said their organization had at least one data breach in the past two years, "21 percent say the breach occurred when a drive was in the possession of a third-party data service provider."
The Ponemon survey suggests IT professionals may be a little in the dark. Thirty-two percent of the IR professionals admitted they were unclear about the vetting process for selecting the data-recovery service provider, and 11 percent outright declared it to be "poor." Another 25 percent judged it "fair," and only 32 percent deemed it "excellent" or "good." The speed and success of the provider were the most important factors for the survey's respondents, but little consideration was given to confidentiality and security. The survey was sponsored by DriveSavers Data Recovery.
The IT desktop and helpdesk managers were the most responsible for selecting the data-recovery service providers, but only about half of the survey's respondents said IT security is involved. Final selection of the vendor is often based on a background check of the vendor and analysing the vendor's storage-device disposal procedures.
In the survey, less than half said they do ask the data-recovery service provider to adhere to some sort of security guidelines. The most requested security was encryption for data files in transmit mentioned by 28 percent, a Certified ISO (Class 100) "cleanroom" by 23 percent, as well as a demand of evidence of safe handling of devices by 23 percent. But only 16 percent said they demanded proof-of-custody documentation, though 80 percent said they should require it. Less than a third were confident they'd be notified if a data breach resulted from errors or mistakes.
Cloud service providers also figured into the survey, with the Ponemon Institute asking survey respondents how much was known about their cloud-service provider's data-recovery practices, if any. Fifty-five percent said their organisation does use a cloud-service provider, but only 19 percent expressed any degree of confidence that if the cloud-service provider engaged a third-party data-recovery vendor, it would let them know.