Irish firms need to be more proactive about data loss

12 Feb 2009

Over the past year, Ireland has been rocked by embarrassing public- and private-sector data leaks. Firms need to get more proactive, says Ciaran Farrell, business development manager of Kroll Ontrack.

Apart from individuals losing laptops and data keys, what are the most common mistakes firms are making with their data?

One of the big issues is the way firms deal with dead data. Most of them don’t know how to fully erase sensitive data from old computers.

Often what happens is they might donate old computers to a local school or just throw them into a skip.

Even if data is deleted from a drive, it still exists. All that is removed is the pointer to that data, and skilled data thieves know how to retrieve data. There are technologies available to permanently erase old computers.

With all the recent embarrassing disclosures, do you think firms are maturing in their attitude to managing old, but sensitive, data?

The more and more we hear about banks and state agencies being caught out, the more firms are taking the management of data seriously.

What most IT managers are doing is putting in place a life-cycle plan so that when data reaches the end of its useful life, it is correctly disposed of.

This is an educational process and it is backed up by tough data protection rules. Firms need to remember that if they carry data on customers, they have strict laws to uphold.

Recent research reveals that most organisations have yet to appoint a data protection manager. Do you see this changing?

It’s hard to say, but in this day and age data falling into the wrong hands is a liability, not only for the firm in terms of publicity and possible fines, but also in the eyes of customers who have trusted the firm.

There’s a bit of a knowledge gap in many companies, an assumption that “data loss could never happen to me”.

Would it be fair to say that many businesses aren’t in control of the data they need, and not just dead data?

Compliance rules mean firms are paying greater attention to information retrieval but, in many cases I’ve seen, when companies are asked to retrieve data, they don’t know where it is.

I would encourage organisations to take a more proactive look at how they are archiving their data and do an audit. If you get a call, compliance and law require that you can re-earth data going back years.

Often firms have the data backed up, but don’t know how to retrieve it speedily. However, with the onset of cloud computing, server virtualisation and data backup providers, the situation is improving.

Do you expect to see more embarrassing disclosures about lost or stolen laptops, BlackBerrys and USB devices?

There will continue to be disclosures but, overall, I think the future is bright. It’s human nature for people to wait until something happens, but they’ve been reading about what can go wrong in the papers for some time.

Legislation is pushing companies into a position where they have to act. Uptake is slow, but people are coming around to the correct way of thinking.

The continuing danger is the fact that it’s very easy to just copy data into an email or onto a USB key, and firms need to have policies in place.

By John Kennedy