Security guidelines are disregarded in case of an emergency


10 October 2017

Larger companies have sophisticated security policies and process descriptions that cover backups and data recovery, among other things. Thorough audits and comprehensive data security declarations are also common. But emergency plans that cover the use of an external data rescuer in case of data loss are often neglected. When a critical system breaks down, security guidelines are suddenly disregarded, and servers, RAID systems or hard drives holding sensitive data are handed over to external service providers without any prior security checks.

Data thieves steal from third parties

Some data rescue providers send defective data carriers to recovery labs abroad without informing their clients. Organised data thieves tap sources via third parties. If data is lost or stolen this way, the company suffers twice, because liability risk comes along with it: according to the data security law, the owner is liable for their information if they do not check beforehand that their data will be processed safely. The data security law therefore demands a service provider audit.

Emergency plan for data rescue

Banks, healthcare and research companies with sensitive data in particular should work on individual emergency plans for data rescue. An essential aspect is that the data rescue partner is already audited before the catastrophe happens. The choice of a trustworthy data rescue partner should therefore be included in the security policy.

Further potential hazard: used data carriers

Old hardware is often returned to the IT service provider, or sold or given away to employees by the company. In many of these cases data destruction is insufficient, as test purchases of hard drives on auction platforms have shown. This way, data carriers with sensitive data are passed on to new owners. They are often only formatted or deleted – even a semi-professional data rescuer is able to restore the data! Individual hard drives or SSDs from RAID arrays may also contain sensitive data. It is therefore advisable to have the internal deletion processes checked by a professional data rescuer on a regular basis.

About the author:

Nicolas Ehrschwendner is the managing director of Attingo Datenrettung and has worked in the IT industry for more than 25 years. His expertise covers data recovery in storage environments (RAID 5, RAID 6), creating virtual machines in a wide variety of environments, and programming in-house data recovery software and custom tools.