Any cyber security plan is only as good as its weakest part. No matter the solution, implementation, or system at hand, the application of such a system hinges on each part working in tandem with the entire system as a whole. As long as there is data present on the device or server, there is exposure.
Thankfully, introducing a data wiping and destruction service into your data maintenance plan can drastically reduce the threat of data to your secure systems. Let’s look at why data is so dangerous to keep, and what can be done to mitigate this danger.
Why Data is Dangerous
When we discuss data and security, we often refer to insecurity in a system by a few terms. One of these terms is the concept of an “attack surface” - that is, how much of the system is exposed to attack. The difference in attack surfaces is like comparing an archer shooting at a three foot by three foot wall, and the same archer firing at a twenty story skyscraper - it’s clear that, as the attack surface increases, the potential for damage exponentially increases as well.
The problem with data is that with each data point collected, each resource collated and archived, the attack surface increases. Exposure of a single account or data resource is bad, but exposure of millions of resources is just that much worse.
We can’t avoid collecting data, though - for any data-based company, data is the bread and butter of what you do. How we handle this data, then, becomes even more important than in any other application. While we can’t eliminate the attack surface entirely, we can surely mitigate the risk and decrease the potential for loss.
Lessons from the Physical Data World
A good way to starting the process of mitigation is to apply lessons learned from dealing with physical data. Corporations have worked with physical data records for so long that many common policies and solutions have arisen as proven ways to ensure security. While the parallels between physical records and digital records aren’t perfect, these proven solutions should be considered.
When dealing with data, especially data that has legal ramifications attached to their mishandling, the adoption of a retention schedule is paramount. A retention schedule, in its most simple form, is a methodology to establish the legal authority to retain and purge records held by a company. While this sounds pretty simplistic, it’s actually incredibly key to company-wide record keeping, setting the long-term retention and destruction approaches for the company data.
As part of this, a few key elements should form the basis of such a schedule.
Any good data management system has to hinge on the classification of data by like categories. We do this for a few reasons, but the most important of these reasons is for ease of management. Having a well-sorted store of data means that you can run functions on entire classifications of data, rather than on the data itself.
Imagine this as being akin to sorting loose change. While it’s easier to just leave the change in dimes, pennies, etc., by sorting them you can approximate value and take categorical approaches to working with the change. Once sorted, you can choose to take all the quarters, remove all the pennies, etc.
The same is true of data classification. Being able to sort data by the categories they are representative of allows you to take action categorically, shredding older data while preserving newer data, or even filtering by types of data that are covered under certain legal considerations.
Establish Record Durations and Policies
Before we can even talk about dealing with different types of data, however, we need to discuss timeframes of data. While it’s easy to suggest that all data should be kept in perpetuity, the fact is that there are many legal considerations to that type of blanket policy which can make it a damaging one to adopt.
Thus, establishing record durations and policies for marking this duration is paramount. It should also be noted that, just as keeping data too long is a concern, so is not keeping it long enough. Many types of data, especially those in the financial sector, might have a requirement for data collection and archival beyond the typical “shelf-life” of such data. In these cases, there should be a clear demarcation for when data should be shredded or destroyed and how this should be done.
Very important to the concept of a regular data schedule is the idea of constantly reviewing said schedule. What is legally required today or ethically dictated tomorrow is not going to be the same next year. Accordingly, consistent review of your standards and practices is paramount to the security of your data.
This review should scale beyond requirements as well - reconsidering your classifications, how they were designed to function, and whether they’ve worked towards these functions can also be hugely beneficial. This will be incredibly important when it comes to data destruction, as accidental destruction can often create more issues than it solves.
The real bulk of this policy, of course, hinges on data destruction, both within the process of said destruction and in the tools used to process the data. We need a data destruction system that delivers some very important elements in such a way that the process can be tracked, utilized, and implemented with minimal chance of misunderstanding, misconfiguration, or failure to process. We also need a tool that is easy to use, centric on the point by point processing, and is extremely scalable.
Most importantly, we need a solution that is auditable. This is especially important when it comes to dealing with data of a financial, medical, or otherwise important nature, as there are often requirements for data trails when processing such data types. Beyond the legal requirements, being able to audit your process and track the processing of data provides some context towards operational standards and compliance with your data retention schedule.
The key takeaway here is that your cyber security plan, and thereby your data retention schedule, should utilize a powerful data shredding solution whose power is not dependent on complexity of form, but rather completeness of function.
Enter ClaraWipe. ClaraWipe is a data destruction tool that serves its function expertly at the end of the aforementioned data retention schedule. Data is perhaps the single most valuable and the single most dangerous element a modern company will deal with, and as such, properly disposing of this data is extremely important.
ClaraWipe meets all of our main considerations for a powerful toolset. It’s extremely easy to use, requiring no advanced training in order to utilize it. It’s infinitely scalable, offering an on-demand methodology for dealing with all your classifications of data. It’s process based, operating in a variety of patterns and methods to ensure complete destruction.
Most importantly, however, is that ClaraWipe meets or exceeds all major international regulatory and technical standards. This is especially important for providers in the financial, medical, governmental, and other protected industries. ClaraWipe meets standards as wide ranging as HIPAA and HITECH, as well as FACTA and PCI DSS.
Simply put, integrating ClaraWipe into your services and systems can result in greater data security, mitigating the risk on-device data poses.