The Low Profile, High Impact Risk to SMB Security

Friday, December 7, 2012
Posted by Kyle Thompson

If a device fails, resulting in lost or corrupted digital data, few corporations have the internal resources to recover that data, especially in the case of a physical or electromechanical failure. The device must be sent to a data recovery vendor.

These devices often hold critical IP, financial databases, accounting files, e-mail exchanges, customer records, PCI, PII and PHI. Therefore, data recovery organizations must be classified as high-risk vendors. However, most of the data recovery industry does not meet best practice standards to ensure data security. If a corporation does not perform due diligence before engaging the services of a data recovery vendor, it runs the risk of a data breach that will result in major financial and reputational damage. Luckily, DriveSavers Data Recovery has provided a series of steps to help businesses close the security gap created by their data recovery process.

Determine if a security gap exists within your company. By asking yourself the following questions, you will have a better understanding of where your weaknesses lie.

  • Are the failed storage devices being sent to a data recovery vendor?
  • Is a failed drive reported within the company?
  • What criteria are there for choosing the data recovery vendor?
  • Is there a current audit and/or assessment process for choosing a vendor?
  • Are the vendor’s security protocols vetted before engaging their services?

Revise internal and/or external policies. Once you recognize that there is a gap it’s time to reorganize and revise internal procedures. These provisions should be applicable to all of the third party vendors that are entrusted with sensitive data. Modifications may be necessary in the following areas:

  • Internal policies and incident response plans should address the use of third party data recovery service providers.
  • Internal guidelines should be created for vetting a data recovery service provider.
  • Criteria should be established for selecting data recovery vendors and the required supporting proof should be specified.

Ensure your new policies are followed. By conducting the following steps, you will be able to ensure your new procedures are implemented successfully.

  • Define a business associate risk management process to address drive failure and data loss.
  • Schedule and conduct annual security reviews of third party data recovery service providers.
  • Develop employee training programs to ensure confidential data is protected.
  • Establish strong enforcement practices for failing to adhere to the organization’s policies.

Adjust agreements with third-party recovery vendors to align with internal changes. Once you have made changes to policies and procedures, it’s important that these adjustments be reflected in your contractual agreements with any third-party vendors that could be considered high-risk, given that these organizations will be handling your company’s sensitive and regulated data. In most cases the vendor contract may already include the necessary provisions, but it’s important that the data recovery process be called out explicitly.

Continuously monitor third-party vendors. While the new contract agreements and vetting protocols will narrow the security gap found within the recovery process, some data recovery vendors may require special attention through ongoing monitoring, using tools such as those listed below.

  • Annual review of vendor’s audit reports and certification documents to verify they are up-to-date.
  • Assurance that the vendor is compliant with industry-mandated data privacy/security guidelines.
  • Analysis of the vendor's financial condition.
  • Testing the vendor's business contingency planning.
  • Meetings with the vendor to review contract performance.
  • Ongoing testing of the vendor’s service capabilities.

Data recovery service providers will play a greater role in the corporation’s information life cycle as the number and complexity of devices increase to facilitate the flow of information. Board members and C-level executives, in conjunction with senior IT directors, must work together to close the policy and security gap posed by the organization’s need to engage data recovery service providers. The policy must address the internal guidelines and procedures first and then push them down through contractual modifications to all third-party vendors who handle the corporation’s sensitive data.