Even with widespread awareness of data storage and data deletion practices, the numbers from a recent Kroll Ontrack survey are eye-opening. The information management firm found that of the 49% of businesses that are systematically deploying a data erasure method, 75% don’t delete data securely, leaving them susceptible to data breaches.

Only 19% of those surveyed use data deletion software and even fewer, 6%, use a degausser to erase media. When asked if and how businesses verify that data has been deleted, 16% noted that they rely on a product or service for confirmation, but 22% simply reboot the drive and look to see if data is still there.

I suppose we can count it as a victory that more and more companies are becoming aware of the necessity of destroying their data – now we just need to get them to do it right.  It’s not enough to just format your drive or use some off the shelf tool that claims to zero wipe your drive.  Professionals have a process that includes quality control.  Your data destruction firm needs to be one that employs forensic recovery techniques to ensure that data is really no longer on the drive, and they need to attempt to recover a minimum of 10% of the drives that are being destroyed (SHAMELESS PLUG: Reclamere attempts recovery on 100% of the drives that we destroy).

Data security isn’t something that you want to take lightly and, while it’s great to recognize that data needs to be destroyed, that’s just not enough.  As with all of your information security practices, the process and controls are just as important as the fact that a process exists.

If you’re concerned about your data destruction process, or any of your other information security processes, your first step is to perform an assessment.  Our free assessment tool is a good way to get started.  It only takes about five minutes, and you’ll get a score of your overall security posture.  If you’re concerned specifically about data destruction, check out our Certified Data Destruction page or Contact Us directly.

There is no single method used to identify and compromise vulnerable targets. Much like rock stars and CEOs, each attacker has a unique style and process. However, some methods are simply more successful than others and thus tend to be used more often.The 2011 Verizon Data Breach Investigations Report found that 50 percent of breaches studied resulted from some form of hacking, 49 percent incorporated malware, 29 percent involved physical attacks, 17 percent resulted from privilege misuse, and 11 percent employed social tactics.

To identify vulnerable hosts, an attacker will begin scanning for a specific set of vulnerabilities known to be exploitable and prevalent in the wild. And, much like security industry professionals discuss best practices, attackers share knowledge about how quickly each finds targets vulnerable to specific attacks.

What this tells me is that, for all of the advanced techniques and tools out there, a large part of ensuring the security of your data is simply employing basic security practices.  The reality is that, just like real life criminals looking to break into your home, the people that are after your data will many times seek out the low hanging fruit.  It’s the same logic behind the people that buy stickers to make it look like they have a home anti-theft system when they really don’t: attackers will likely move on if they deem the target too difficult.  The same is true when it comes to data security, as well.  So making sure that you employ basic security countermeasures can, in many cases, protect from becoming a victim.  That’s not to say that you shouldn’t do more (you obviously should), but rather, it is simply making the case to verify that you’re following basic security best practices.

The first step is obviously to figure out what you are and are not doing right.  Start by taking Reclamere’s Information Security Assessment, which will ask you a handful of questions about your security infrastructure and provide you with a score so you can get an accurate picture of your organization’s security profile.

It appears the EFF is using the information to assess the impact of the Megaupload take-down on users who were storing non-infringing data on Megaupload’s servers. There is no mention of how, when, or if the EFF will be able to get access for users to their orphaned data nor how they plan to approach the issue from a legal standpoint. The reassuring thing is the statement from Carpathia hosting that they have no plans to re-provision the servers where Megaupload data was stored. At least for now, the user data is safe though inaccessible.

Motorola’s fall sale of refurbished Xoom tablets has gone about as wrong as it could possibly have gone.

The company said today that 100 of the 6,200 it sold through Woot.com between October and December of 2011 may not have been properly reformatted.

In other words, they still contained the personal information of their previous owners — everything from email and social networking passwords to photos and documents.

Last Friday, I received two identical emails from LinkedIn contacts informing me about changes in the privacy conditions of LinkedIn. Without user consent, LinkedIn is now allowed to use names and pictures of the users in advertisements. Users can revoke the permission in a simple way (see below). However, what LinkedIn has done raises the question whether the providers of today’s social networks never will learn their privacy lessons.

LinkedIn once again has shown the fundamental misunderstanding of social network providers, that all data therein is their data. However, it is the data of the users, not of the social network. There are some upcoming approaches like personal.com which change that paradigm and give users control over their data. Changing privacy policies in a way like LinkedIn just shows that they probably never will understand this.

Martin correctly identifies that the problem is one of who owns your data, and it is a dilemma that I foresee sticking around for many years to come.  Social networking sites like LinkedIn, Facebook, Twitter, etc. provide great ways for us to connect with other individuals in ways that are meaningful.  The problem is that in order to make those connections meaningful, these sites must collect a great deal of information about each of us – and therein lies the problem.

That data is worth a lot of money and, as the collection agent, social networking sites like LinkedIn feel entitled to use the data that we are providing them with in any way that they see fit – they view it as their data.  Here comes the ‘chicken or the egg’ part, though…we only provide them with the amount of data that we do because of a trust relationship wherein we assume that they understand that it is our data and that they cannot do whatever they want with.

It’s a tricky subject, no matter which side you’re on.  Companies like LinkedIn wouldn’t be in the business that they’re in if there wasn’t money to be made, and then we wouldn’t have these cool ways to connect with other people.  And round and round  we go.

No matter how it all shakes out in the end – the message to the end user is easy: be vigilant with your personal data.  You need to understand the privacy policies of the sites that you belong to and make sure that you’re comfortable with what they plan to do with your data.

Also, as cases like this one with LinkedIn prove, remember that these policies are not written in stone.  They can and do change – in many cases frequently.  Stay on top of the changes and make sure that you’re taking full advantage of privacy controls.

Along with any infringing material, Megaupload servers contained user created data. Family pictures, documents, recipes, and perhaps small business documents were also stored on Megaupload’s servers. It was cloud storage pure and simple.

As the story unfolds, at least some of the storage space was on servers not directly under the control of Megaupload. It resided on third party servers who leased the storage space and bandwidth to Megaupload. And now those bills are coming due. The government has frozen the assets of Megaupload and it’s principals, the URLs to the data no longer work, and no one is paying the bills for this leased capacity.

The migration of critical corporate documents to the cloud hopefully includes a thorough due dilligence study. Things like security controls, data center locations and redundancy, backup and restore terms are often included. Hopefully there is a plan in the event the cloud storage provider goes out of business. But what about a situation where the government pulls the plug? What about individuals or small businesses who may not have thought to look far enough forward?

It is going to be interesting to see if the government intervenes to allow legitimate user’s access to their data that had been stored on Megaupload’s servers or to at least ensure that data is protected. In the meantime there are probably lots of family vacation photos that could end up collateral damage.

I don’t know that there is an easy answer to this particular situation, but it does give food for thought in planning out your cloud storage strategy and underlines again the need for GOOD backup and restore practices. If your data is in anyway important to you, there should be multiple copies in multiple locations. Allowing the only copy of important information to exist on systems under control of others is a recipe for disaster. 

A new study from the Ponemon Institute gives some great guidance from industry professionals that have been victims of a breach that significantly impacted their organization.

Just half of the respondents said their organizations had done all they could to shield customer data, and 56 percent said retaining legal counsel is a priority, followed by analyzing the harm to user data (50 percent). Nearly 65 percent of organizations offered credit monitoring services to their customers affected by the breach, and 73 percent don’t offer credit monitoring or other identity theft tools.

We can also extrapolate some great suggestions for preventing a breach in the first place.  For example, sixty percent of the organizations surveyed did not encrypt customer data…so maybe it’s time to start encrypting your customer data.

The important point is that the more we are able to study the aftermath of data breaches and take lessons learned from others, the more we are able to prepare for the inevitable breach that is going to impact our own organization.

Read the full Ponemon Institute report here.

The first step in ensuring compliance with breach notification laws is knowing whose data you have. That means keeping accurate records of whose data you store, where they live, and where the data resides. Once you understand that, you can identify the laws that apply. Next, you can identify the particular pieces of information that you need to protect and understand the kind of breaches that would require you to notify the victims as well as state authorities.

What you should do with your old computer equipment is actually a very serious question, and it’s something that, unfortunately, many of us don’t spend enough time thinking about.  You can’t just throw that old laptop in the dumpster because you got a fancy new one from your Aunt Sally (if your Aunt Sally actually got you a laptop for Christmas, ask her to adopt me – my aunts buy me socks).

First off, there are environmental concerns.  More importantly, though, there are data security concerns, particularly if you’re talking about replacing your primary computing device.  These devices likely have gigabytes of intimate data about you (and no, I’m not just talking about the web history that shows you spending hours looking for fake nudes of celebrities), and in the wrong hands, this data can be recovered and used against you.

These concerns only become more critical (and complicated) when you extrapolate them out over the enterprise.  It is imperative that businesses implement and follow policies for proper, secure disposal of e-waste – specifically data storage.

Also remember, folks, that not all companies offering data disposal services are created equal.  Make sure that the company that you use has the skills, certifications, and reputation to guarantee secure destruction of your data.  If they don’t guarantee it – they’re not destroying it.

In this day and age, your data is your life.  Make sure that you’re taking care of it properly.

The software informs the user that he or she has all sorts of illicit material on their computer, and that the software is locking the computer down until a “fine” is paid.  If the fine is not paid – the hard drive will supposedly be erased.

Granted, this attack will only be successful on people that are technologically-ignorant enough to believe that child pornography somehow accidentally snuck onto their system, and that law enforcement would send a pop-up instead of showing up at your house and kicking your door in (hint for those that don’t know: it’s the latter).  However, it’s a nice reminder that you can never be too sure when it comes to clicking stuff.

The bad guys on the Internet aren’t dumb – they know that human beings are emotional creatures.  Just as advertisers and politicians do everything possible to elicit an emotional response out of you that will cause to buy their product or candidate, malware writers are fully aware that the best way to get you to click stuff is to generate an emotional response.

“Click here to save the kitties.”

“Click this or go to jail.”

“Click here to see Britney Spears naked.”

Each of these appeals is designed to generate an emotional response that will cause you to click on something.  It’s one of the basics of the sort of ‘hacking’ that is really dangerous – social engineering.  As any security professional will tell you, the biggest threat to your data is probably you.  Install lots of firewalls, anti-virus, intrusion prevention and detection systems, etc.  These are all well and good.  They can also all be subverted with a simple mouse click from a user that just wants to save the planet, save themselves, or save Britney Spears from those constricting clothes.

Stop being so emotional, and you’ll start being a lot safer on the Internet.