How customer/citizen data is processed and used is a highly regulated subject in many parts of the world. The GDPR is perhaps the most prominent and well-known example of data protection and digital privacy legislation. It has forced companies and governments the world over to treat citizen/customer data with the highest degree of sanctity.
In this blog, we cover:
1. Traditional data destruction techniques
2. Home Office 2.0
3. The most viable new data sanitisation methods
4. Remote Erasure
5. A Case Study from India
In India, hitherto, data protection hasn’t been given the kind of significance it deserves. While a lot of organisations do have policies in place for data regulation, protection and sanitisation, many of them lack proper processes to verify that data hygiene is being properly maintained. However, the advent of the impending Data Protection Bill is likely to alter all of that as it gets ready to be tabled in next year’s Budget Session and is likely to propose a penalty of up to Rs 15 crore and up to a three-year jail term for company executives violating privacy norms.
Stringent measures such as these leave companies and executives with no scope for excuses when it comes to data hygiene and data erasure or sanitisation forms a huge part of this process.
Keeping this in mind, Cyber Management Alliance recently invited one of the leading companies that specialises in data erasure to a webinar on its BrightTALK Channel. The primary objective behind the webinar was to educate India Inc on the importance of data end-of-life, and making corporate data unreadable and minimising data leaks.
Fredrik Forslund from Blancco, a leading global provider of secure data erasure solutions and device diagnostics for more than 20 years, joined Amar Singh, Founder and CEO of Cyber Management Alliance to highlight the importance of proper, software-based data destruction.
The two data privacy experts begin the discussion by harking back to how data destruction worked in the days when advanced software solutions like those of Blancco were not available. Amar recounts an incident from when he was working as a CISO many years ago. A rep from the company that was responsible for destruction of hard drives came by to his place of work and dropped off 50 hard disks. It was then discovered that those hard disks belonged to a completely different organisation and were erroneously dropped off at Amar’s office by the hardware destruction company. The hard drives had not been destroyed properly so the data was still readable, and the best part was that the vendor didn’t even know that they had committed this blunder.
The reason Amar was so intrigued by Blancco’s model, he explains, is because it takes away the middleman from the equation – the one responsible for collecting and dropping off the hard drives who can make such mistakes. Also, with Blancco’s data erasure capabilities data destruction can take place remotely and can be audited with a tight grip, ensuring that the data has actually been 100% sanitised with no scope for human error.
The duo, then, delve into how home offices used to look before COVID-19 swept across the world. People did work from airports, cafes, restaurants, their homes and anywhere that it was important to be at. Yet, the main place to work at was still on-prem. In 2020, this reality has changed diametrically thanks to COVID-19.
Everyone is now working in fully-fitted home offices and processing very sensitive information in these new workplaces. Companies, therefore, need to have proper asset management routines and processes in place. The challenge of managing infrastructure is clear: it is now about managing and replacing hard drives in 1000s of home offices across the globe instead of a few locations on-prem. This has opened up a massive new need for innovation which has already started taking place rapidly over the last six months.
As Amar puts it, “People have been forced into urgent digital transformation. But there is no excuse for any organisation to expose data.”
After underlining how data sanitisation has become a core C-Level requirement today, Fredrick goes on to elucidate the most effective data destruction methods that companies today can employ. While physical destruction continues to be an option, he highlights how unsustainable and harmful to the environment it can be. Therefore, it should only be employed in cases where the storage devices have been physically damaged, rendering them unfit for software-based sanitisation.
Where this is not the case, software-based methods that are backed up by water-tight verification processes should be used. The whole industry is moving towards auditability and therefore being able to audit data destruction has become imperative today.
For more information on ‘Misconceptions about physical destruction of data’ tune in to the webinar at 18:52
To know what can be done in terms of data hygiene using software technology today, refer to Blancco’s summary slide available at 29:35 of the webinar
Thanks to the pandemic era, there is a massive demand for remote erasure capabilities today. Companies want to target laptops that are in home offices and want to remotely target 1000s of servers as well. One level of innovation, then, explains Fredrik is the process enhancement – how to carry out automated, scalable remote erasure. For example, Blancco conducted one such erasure for a multinational software applications company where it decommissioned 4,000 servers overnight in under 10 hours.
Another interesting innovation that has occurred is the integration of sanitisation into existing management tools. This helps the organisation show due diligence and to demonstrate that they’re on top of threats, instead of just reacting to them. In case of a security incident, this helps immensely as the investigator is only interested in knowing how the organisation prepared, what kind of best practices did they have in place and whether they had done their due diligence or not. This kind of integration addresses the latest challenge of cybersecurity in a highly regulated world – the challenge of moving from ‘nice to have’ to ‘need to have’ when it comes to data security and sanitisation.
In view of the burgeoning importance of making data unreadable, a global banking giant recently reached out to Blancco in India. The bank wanted Blancco to standardise data sanitisation processes across all its locations and for all types of IT assets. After evaluating its processes and gauging what the low hanging fruits were, Blancco defined role-based access control for the organisation that matched the corporate hierarchies and optimised processes for minimal manual dependency. With Blancco, the bank now witnesses 75,000 erasures per annum and enjoys software integration with its Active Directory, ServiceNow and Splunk.
The key takeaway then is that organisations in India are fast recognising the need to streamline and clean up their data destruction strategies. While there is still a massive gap in awareness when it comes to data sanitisation, this gap will be quickly filled as the Data Protection Bill inches towards becoming a reality and the relevance of software-based remote data erasures becomes more and more apparent as the pandemic unfolds a new way of working for all of us.
Founded in 2015 and headquartered in London UK, Cyber Management Alliance Ltd. is a recognised independent world leader in Cyber Incident & Crisis Management consultancy and training. The organisation is renowned globally as the creator of the flagship Cyber Incident Planning and Response course certified by the UK Government’s National Cyber Security Centre.
Cyber Management Alliance has serviced over 300 enterprise clients in multiple verticals including government, banking, finance, IT, consultancies, healthcare, oil & gas and retail across 38 countries. It has carved a niche by assessing, building and improving its clients’ Cyber Incident & Crisis Management capabilities through training, tabletop exercises, health checks and audits. Today, Cyber Management Alliance has a global and diverse network of over 80,000 cyber executives and practitioners worldwide.