Managing the risk of a data breach in today’s environment of mounting digital threats to assets and proprietary data is an ongoing battle for many businesses. The Ponemon Institute’s 2014 Cost of Data Breach study found that the average cost of a single data breach to an organization is $5.9 million. While most businesses have a dynamic, layered security practice in place, third-party data recovery vendors continue to be the exception.
There are many reasons businesses need to protect themselves from a possible data breach via third-party data recovery providers. Besides the loss of private information (both company and customer), the cost of a data breach can be devastating to any company.
DriveSavers, the leader in data recovery, eDiscovery and digital forensic solutions, has compiled best practices for businesses to implement for protection and to close the security gap in the data recovery process.
1. Gap Analysis
An internal inventory must be conducted to determine if a security gap exists within an organization. A company should be able to answer the following questions:
– When a storage system fails, is the drive sent to a data recovery vendor?
– Is an incident report filed?
– What are the data recovery vendor selection criteria?
– What is the current audit and assessment process for third-party data recovery vendors?
2. Internal and External Policy Revision
Once a security gap is identified, internal procedures should be revised accordingly to include business continuity, disaster recovery and incident response plans. Additionally, updated external policies should be applied to all third-party data recovery vendors handling the organization’s sensitive or regulated data.
3. Maintain Enforcement
Revising policy, procedure and practice to mitigate the gap is the first step. However, companies must ensure enforcement of internal and external policies through mandatory annual security reviews and employee training.
4. Vet Any Incoming Third-Party Data Recovery Providers
Any certified data recovery vendor should have up-to-date documents from a third-party security auditing company that comply with SOX and GLBA. A SOC 2 Type II certification, for example, satisfies these and several other regulations. In addition, the SOC 2 Type II certification requires background checks for all employees prior to employment. Data recovery, after all, is the perfect vocation for identity thieves and other criminals.
The following criteria should be used:
– Proof of internal information technology controls and data security safeguards, such as annual SOC 2 Type II audits
– Training and awareness programs for employees to ensure sensitive and confidential data is protected
– Engineers trained and certified in all leading encryption software products and platforms
– Proof of Chain of Custody documentation and certified secure network
– Vetting and background checks of all employees
– Secure and permanent data destruction when required
– Use of encryption for files in transit
– Proof of a certified ISO Class 5 Cleanroom
By implementing these four steps, companies can protect themselves against a data breach by closing the security gap in the data recovery process. With a thoroughly vetted data recovery company as part of the security protocol of a business continuity, disaster recovery and incident response plan, companies are able to act quickly and securely in the case of an unexpected data loss emergency.
Do you have any tried and true security practices your business has implemented? If so, we’d love to hear!
About DriveSavers Data Recovery
DriveSavers Data Recovery is a worldwide leader in data recovery, eDiscovery and digital forensic services, and provides one of the fastest, most secure and reliable recovery services available. The company employs over 85 professionals and supports over 14,000 business partners. Most of its business comes from referrals and repeat customers. DriveSavers Data Recovery has earned the reputation as a trusted and respected data recovery service provider.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.