We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Can you trust data-recovery service providers?

Data-recovery service providers are supposed to be saving important data for you when something goes wrong -- a drive crashes or storage device is dropped, and no backup is available. But do you trust them with the important data you let them recover or could they actually be a source for a data breach?

Security roundup: DoD revving up cyber-defense for 2012

A survey of 769 IT professionals published this week finds those surveyed need to find out more about the third-party data-recovery services their organizations use. For example, according to the survey, 67% felt that encryption they had in place protected their organizations from data loss or theft during the data recovery process. But encryption keys are often handed over to the third-party data recovery service provider as part of the process, according to the study done by Ponemon Institute.

Ponemon's "Trends in Security of Data Recovery Operations" report says of the 87% of survey respondents who said their organization had at least one data breach in the past two years, "21% say the breach occurred when a drive was in the possession of a third-party data service provider."

The Ponemon survey suggests IT professionals may be a little in the dark. Thirty-two percent of the IR professionals admitted they were unclear about the vetting process for selecting the data-recovery service provider, and 11% outright declared it to be "poor." Another 25% judged it "fair," and only 32% deemed it "excellent" or "good." The speed and success of the provider were the most important factors for the survey's respondents, but little consideration was given to confidentiality and security. The survey was sponsored by DriveSavers Data Recovery.

The IT desktop and helpdesk managers were the most responsible for selecting the data-recovery service providers, but only about half of the survey's respondents said IT security is involved. Final selection of the vendor is often based on a background check of the vendor and analyzing the vendor's storage-device disposal procedures.

In the survey, less than half said they do ask the data-recovery service provider to adhere to some sort of security guidelines. The most requested security was encryption for data files in transmit mentioned by 28%, a Certified ISO (Class 100) "cleanroom" by 23%, as well as a demand of evidence of safe handling of devices by 23%. But only 16% said they demanded proof-of-custody documentation, though 80% said they should require it. Less than a third were confident they'd be notified if a data breach resulted from errors or mistakes.

Cloud service providers also figured into the survey, with the Ponemon Institute asking survey respondents how much was known about their cloud-service provider's data-recovery practices, if any. Fifty-five percent said their organization does use a cloud-service provider, but only 19% expressed any degree of confidence that if the cloud-service provider engaged a third-party data-recovery vendor, it would let them know.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Read more about wide area network in Network World's Wide Area Network section.

IDG UK Sites

Best camera phone of 2015: iPhone 6 Plus vs LG G4 vs Galaxy S6 vs One M9 vs Nexus 6

IDG UK Sites

In defence of BlackBerrys

IDG UK Sites

Why we should reserve judgement on Apple ditching Helvetica in OS X/iOS for the Apple Watch's San...

IDG UK Sites

Retina 3.3GHz iMac 27in preview: Apple cuts £400 of price of Retina iMac with new model