The cybersecurity world continues to evolve, shifting from reactive to proactive measures, from individual efforts to well-equipped security teams, and from one-size-fits-all solutions to tailored cybersecurity approaches. The rise in insider threats has made way for zero-trust policies. Meanwhile, growing cyber risks have convinced startups and SMEs that they too are vulnerable to attacks, and the financial and reputational impacts have underlined the seriousness of cybersecurity across all industries.
Cybersecurity measures include multi-factor authentication, strong passwords, and AI-enabled security. Artificial intelligence can now be leveraged to detect the presence of Personally Identifiable Information (PII) in documents, warn about possible threats, and prevent data loss. However, the most critical parts of any business – data classification and data erasure – are mostly overlooked when cybersecurity measures are considered, leaving businesses more vulnerable to cyberattacks.
Data Erasure in Cybersecurity
Data erasure serves as a preventive cybersecurity control that permanently erases data from drives and devices. With no residual data left behind, businesses can be confident that nothing can be recovered, even with forensic data recovery tools. Secure data erasure helps mitigate risk and achieve compliance with data protection laws and regulations around the world. Laws like GDPR in Europe, CCPA in California, PIPEDA in Canada, Ley 25.326 in Argentina, etc. emphasize that data about your clients, customers, or consumers may be stored only for necessary purposes. Many of them (including those not listed here) explicitly specify retention periods after which it is unlawful to use or store the data. Non-compliance carries grave consequences, such as heavy penalties per offence and imprisonment for violators. Add to the misery: lawsuits, operational downtime, the cost of damage control, a hit to hard-earned reputation, and millions of unhappy customers.
Other than this, industry-specific regulations like HIPAA, SOX, PCI-DSS, etc. also govern how organizations process personal data, and they too enforce penalties for non-compliance. In 2020, Morgan Stanley incurred close to USD $100 million in fines for improper data disposal. The fines were imposed by the Securities and Exchange Commission (SEC) and the United States Office of the Comptroller of the Currency (OCC), for USD $35 million and USD $60 million respectively.
Likewise, on Aug 12, 2024, the background-check business National Public Data confirmed what is probably one of the biggest data breaches of all time. The records of 2.9 billion people were exposed in the breach; the names, social security numbers, and other personal information of even deceased people were now out in the open. As of now, no specific financial penalties have been imposed. However, the parent company, Jerico Pictures, filed for bankruptcy in October, a few months later.
It is clearly evident that more data can become a liability rather than an asset if it is not secured sufficiently, both in storage and in erasure. Data erasure is critical when the data's owner revokes consent, when the retention period ends, and whenever there is no legal obligation to retain the data. Let’s look at why data wiping is necessary when securing a business:
- Identifying Major Data Handling Concerns: Assessing the current technology estate gives an idea of the major pain points, such as the presence of Redundant, Obsolete, and Trivial (ROT) data on onsite and remote devices, IT assets that have reached end-of-life, outdated devices with no security patches or bug fixes, etc. This raises important questions: “Do we have the budget to hire a Managed Service Provider (MSP) or an Information Technology Asset Disposition (ITAD) company?” “Is there a data destruction policy in place to wipe data remotely?” “Should we hire an in-house Data Protection Officer (DPO) or engage such services before audits?”
- Creating a Data Sanitization Policy: Destroying data means rendering it inaccessible or unreadable. However, residual data may still be present even after data destruction completes. Shredding, burning, incinerating, disintegrating, or degaussing destroys the IT assets and harms the environment. Sanitizing data by overwriting (data wiping) gives the dual benefit of permanent data erasure and reduced e-waste. Thus, organizations should have a data sanitization policy that guides safe disposal of data when, for example, a device is of no further use to them, data stored on cloud storage platforms has served its purpose, or a device changes ownership. Organizations must also ensure that their business partners, third-party clients, stakeholders, and managed service providers have an effective data sanitization policy.
- Implementing a Comprehensive Cybersecurity Strategy: Create and implement a cybersecurity strategy that takes into consideration factors like onsite and remote workers, the budget allocated to cybersecurity goals, the data and assets critical to your business, and most importantly, how data will be put to rest at the end of its lifecycle or on reallocation. To address immediate and foreseeable security risks, implement and maintain a scheduled timeline, with reminders, for erasing data that serves no legal, statistical, or research purpose. Including scalable, certified data erasure tools like BitRaser in the cybersecurity strategy is recommended for any organization.
- Compliance with Data Protection Laws and Regulations: If your company processes PII, financial information, medical data, or similar sensitive information, then data privacy and protection laws apply to you. These laws require evidence that data has been erased and cannot be recovered, even with forensic data recovery tools. A certificate of erasure or a certificate of destruction serves as the proof to present to enforcement authorities. It should include details such as, but not limited to, scope, purpose, storage media type, verification, the recognized data destruction method used, the serial number (for tracking the media), and the responsibilities of the CIO, CISO, and DPO.
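Two of the points above, verifying by read-back that an overwrite left no residual data and recording the fields a certificate of erasure should carry, as an added example that is not the article's or BitRaser's own code; it assumes a file-like device object, a single-pass zero pattern, and field names chosen here for illustration:

```python
import hashlib
import io
from dataclasses import dataclass

PATTERN = b"\x00"  # assumed single-pass zero fill; real policies may mandate other patterns or passes
CHUNK = 4096

@dataclass
class ErasureRecord:  # fields the article lists for a certificate of erasure (names assumed)
    serial: str
    media_type: str
    scope: str
    method: str
    verified: bool
    sha256_after: str
    responsible: str

def overwrite(dev, size, pattern=PATTERN):  # write the pattern over the first `size` bytes
    dev.seek(0)
    done = 0
    while done < size:
        n = min(CHUNK, size - done)
        dev.write(pattern * n)
        done += n
    dev.flush()

def verify(dev, size, pattern=PATTERN):
    """Read back every byte independently of the write; return (all_match, sha256 of read-back)."""
    dev.seek(0)
    digest, ok, remaining = hashlib.sha256(), True, size
    while remaining > 0:
        chunk = dev.read(min(CHUNK, remaining))
        if not chunk:  # short read: media smaller than the declared scope, treat as failed verification
            return False, digest.hexdigest()
        remaining -= len(chunk)
        digest.update(chunk)
        if chunk != pattern * len(chunk):
            ok = False
    return ok, digest.hexdigest()

def sanitize_and_certify(dev, size, serial, media_type, responsible):
    """Overwrite, verify by read-back, and return the record a certificate of erasure is built from."""
    overwrite(dev, size)
    ok, digest = verify(dev, size)
    return ErasureRecord(serial, media_type, f"{size} bytes", "single-pass overwrite",
                         ok, digest, responsible)

def sample_media(size=8192):
    # Constructed stand-in for a drive holding PII; the values are placeholders, not real data.
    return io.BytesIO(b"name=Jane Doe;ssn=000-00-0000;".ljust(size, b"\xff"))
```

A partial overwrite (or media smaller than the declared scope) makes `verify` return False, so the record's `verified` field reflects the read-back, not just the write.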
Conclusion
Although solutions and strategies for reliable and resilient cybersecurity are abundant, so are the myths that surround it. Deleting data is never a foolproof erasure. Data erasure is definitely an essential component of cybersecurity, and a certificate of erasure helps businesses demonstrate compliance. Remember that any lapse in cybersecurity or data erasure can lead to a data breach and millions of dollars in penalties. We must not forget that according to IBM’s Cost of a Data Breach Report 2024, the average cost of a data breach has risen to USD $4.45 million, a 15% increase over the past 3 years. Break the vicious circle of assumptions to complete the picture of cybersecurity.