Going out of business: An important, but forgotten security precaution


It takes a lot to launch a business in today’s competitive landscape. Unfortunately, not all find success and some end up shutting their doors for good. A company could be going through a merger or acquisition, as is the case with Office Depot, which is in the process of closing up to 400 locations following its 2013 merger with OfficeMax. Of course, there’s another reason -- a company could be facing mounting debts and a decline in sales. That’s what is happening to the once popular fashion retailer American Eagle, which has seen its net income take a huge dip from $400 million in 2008 to $80 million in 2015 and will be closing 150 locations by 2017.

Once any business makes the decision to shut down -- even if it only has one location -- there is one very important, but often forgotten, step that needs to be taken. Data needs to be permanently erased from every single piece of equipment and environment where corporate, customer and employee data are stored.

How should a company that’s going out of business go about doing this? To start, take a full inventory of every single laptop, desktop computer, smartphone, tablet and flash drive being used by your employees and permanently erase all of the data contained on them. Also, make sure data doesn’t walk out the door -- and become susceptible to a data breach -- when employees leave your organization or take their equipment (laptops, flash drives) out of the workplace (and possibly misplace them and all of the data on them).

The next step is to conduct a full audit and assessment of all network servers, logical drives, data centers and cloud storage environments (both in-house and those at offsite premises managed by third parties). Once there is an accurate view into all of the types of data being stored and where they reside, it’s time to erase, erase, erase. When I say erase, I don’t mean dragging files to the Recycle Bin, reformatting drives, using a factory reset as the default wipe method for all mobile devices (whether it’s an Android, iOS, Windows or other operating system), or even remote wipe. I mean permanently erase all company, customer and employee data to the point that the information can never be recovered. Ever.

How important is this? Given IDC’s estimation that 65 percent of companies’ IT assets will be offsite in colocation and cloud data centers, I’d say it’s very important and an urgent priority. But I’d also say it’s forgotten, more often than not.

For many companies, shutting down often involves assigning various teams and staff a long list of tasks and priorities that must be completed by a certain deadline. These tasks typically include settling outstanding accounts/balances, selling off inventory, notifying creditors, terminating the leases for commercial spaces, notifying and paying employees, liquidating business assets and closing business bank accounts, among others.

But even if security measures make it onto this type of 'preparing to close' checklist, permanently erasing data is rarely included. That isn’t necessarily because the company and its executives don’t prioritize data security. It often comes down to a lack of awareness about which data removal methods truly work and a lack of proper vetting of data erasure technology solutions.

To understand just how dangerous improper data removal can be when a company goes out of business, let’s look at some commonly used data removal methods and why each puts companies at serious risk of having their data accessed, stolen or leaked long after they’ve shut down.

Deleting Files & Reformatting Drives: Why These Aren’t Good Enough

There’s a lot of confusion about the term 'deletion' when it comes to data. People mistake it for erasing -- but the two are as different as night and day.

When you talk about deleting files from your laptop/computer, it typically entails hitting the 'delete' button, dragging files to the Recycle Bin or reformatting the drive itself. Most people -- and even businesses -- mistakenly use one or all of these methods thinking their information is gone. But it’s not. The data can still be accessed and recovered. And formatting a drive doesn’t actually erase the data for good. It just creates a file table so new data can be written to the volume. But the old data is left intact and recoverable.

Here’s an easy way to understand the difference between insecure deletion and permanent removal.

Supposedly Deleted Files

  • Easy & Fast, But Unreliable
  • File Recovery Is Possible
  • Insecure
  • Increases Risk of Data Loss/Leaks
  • Uncertified Method
  • No Proof of Removal

Permanently Erased Files

  • Easy, Fast & Reliable
  • File Recovery Is Impossible
  • 100% Secure
  • Prevents Data Loss/Leaks
  • Certified Method
  • Proof of Removal

To understand just how dangerous it is if and when companies fail to wipe information properly, let me share some stats from our recent data recovery study. In analyzing 122 pieces of second-hand equipment, we found residual data on 48 percent of the used drives that were resold on eBay, Amazon and Gazelle. Worse yet, we discovered that a previous and unsuccessful deletion attempt had been made on 57 percent of the mobile devices and 75 percent of the drives that contained residual data.

Factory Reset: Why It’s a Big Problem

Last year, researchers from Cambridge University examined 21 Android smartphones to see if data could be recovered after a factory reset was performed. The results were alarming, indicating that up to 500 million Android devices might not fully wipe disk partitions where sensitive data is stored and up to 630 million Android devices may not delete memory cards, where photos and videos are stored.

This type of misunderstanding -- or lack of awareness -- is something I’ve seen first-hand as I’ve purchased hundreds of smartphones to test just how easy, common and dangerous it is when data is improperly and incompletely removed. Almost every time, I’ve found large amounts of 'leftover' data that includes both personally identifiable information and corporate data, such as company emails between employees, CRM information, internal spreadsheets and more.

Addressing the Problem Head-On

So what should your company do if you’re planning to shut down? Once you’ve audited and assessed all of the stored data and where it resides, erase the data permanently by overwriting it. Warning -- free tools don’t work. You need to use software that will perform the right type of data removal depending on the type of equipment and environment you’re erasing it from. And you need to confirm the total number of overwriting passes that are performed -- each pass signifies a complete overwrite of the drive with all zeros and ones, or random data. Three passes is considered sufficient by the U.S. Department of Defense’s 'short' specification. The more passes you do, the more reliable it is.

Remember: make sure the data erasure method and solution adheres to legally required overwriting standards, such as HMG Infosec and DoD 5220.22-M. And always -- I repeat always -- ask for proof of erasure in the form of a tamper-proof certificate that cannot be altered after the fact.
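To make the difference between reformatting and overwriting concrete, here is an added example (not from the original article or from any erasure product) that runs against a constructed image file standing in for a drive. The sector layout, the marker string, the pass order (zeros, ones, random) and all function names are assumptions for illustration; the returned record is a plain read-back check, not a tamper-proof certificate.

```python
import hashlib, os, tempfile

SECTOR = 512
MARKER = b"CUSTOMER-RECORD: constructed sample"  # constructed test data

def make_image(path, sectors=64):
    """Constructed 'drive': sector 0 is the file table, data sits in sector 10."""
    with open(path, "wb") as f:
        f.write(b"TABLE".ljust(SECTOR * sectors, b"\x00"))
        f.seek(SECTOR * 10)
        f.write(MARKER)

def quick_format(path):
    """Rewrite only the file table, as a reformat does; data sectors stay."""
    with open(path, "r+b") as f:
        f.write(b"EMPTY".ljust(SECTOR, b"\x00"))

def marker_recoverable(path):
    """Raw scan of the whole image, the way a recovery tool ignores the table."""
    with open(path, "rb") as f:
        return MARKER in f.read()

def overwrite_pass(path, pattern):
    """One full pass (byte value, or None for random); True if read-back matches."""
    written = hashlib.sha256()
    with open(path, "r+b") as f:
        for _ in range(os.path.getsize(path) // SECTOR):
            block = os.urandom(SECTOR) if pattern is None else bytes([pattern]) * SECTOR
            f.write(block)
            written.update(block)
        f.flush()
        os.fsync(f.fileno())
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).digest() == written.digest()

def erase(path, passes=(0x00, 0xFF, None)):
    """Assumed pass order: zeros, ones, random. Returns a per-pass record."""
    return [{"pass": n, "pattern": "random" if p is None else f"0x{p:02X}",
             "verified": overwrite_pass(path, p)} for n, p in enumerate(passes, 1)]

def demo():
    path = os.path.join(tempfile.mkdtemp(), "drive.img")
    make_image(path)
    quick_format(path)
    after_format = marker_recoverable(path)
    record = erase(path)
    return after_format, marker_recoverable(path), record

if __name__ == "__main__":
    print(demo())
```

On real hardware the passes have to be issued against the device itself rather than a file, since filesystems and flash controllers can keep copies that a file-level write never touches.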

With major retailers like Walgreens, Sports Authority, and even Walmart planning to close at least 100 stores in the next year or so, this needs to be a top priority.

Photo credit: Fotografiche / Shutterstock

Paul Henry is IT Security Consultant, Blancco Technology Group


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.