Data recovery services are often used in an emergency – for example, when a drive fails and the data must be recovered ASAP. However, a new study suggests the need to get recovery done quickly leads many companies to put their data in the hands of third parties that jeopardize its security.
The majority of organizations (85%) have used third-party data recovery services to rescue lost data when hard drives and other storage devices fail, according to a recent study conducted by the Ponemon Institute and sponsored by service provider DriveSavers.
The drives sent to recovery services often contain critical and sensitive data — after all, it’s important information that needs to be saved. But lax security on the part of those third-party companies often leads to breaches of the organization’s data. In fact, among the organizations that have had a data breach in the past two years, 21% said the breach occurred while a drive was in the possession of a data recovery service provider.
Still, companies aren’t doing enough to vet the service providers they use. Just 8% of the 769 IT pros surveyed say their organization’s process for picking service providers is excellent, and only 26% say it’s good.
And the time-sensitive nature of data recovery needs typically means security concerns are passed over when providers are chosen. The speed of the service was the top factor that went into choosing a provider, cited by 81% of respondents.
Another problem may be that the need to act quickly too often leads to individual users or other departments enlisting the help of data recovery service providers without IT’s involvement. Just 44% of survey respondents said their organization’s information security department oversees the security of data recovery operations. That can be a big problem, as only 21% say users in their organizations are aware of the need to consider the security, reliability and expertise of third-party data recovery services.
What can be done to better prevent breaches of data caused by the lax security of recovery services? The report recommends organizations:
- Develop formal policies and procedures that must be followed when a data recovery service provider is used,
- Before using a provider’s services, verify that its employees are trained in security practices and that security safeguards are in place at the company, and
- Require data to be encrypted while it’s sent back to the organization.