Tuesday 10 December 2013

"Data-Safe"

Recently I have heard the term "data-safe" from a number of sources and companies with regard to residual data security.  It started me reminiscing about the first time I heard the term used.  Now, I am not claiming to be the first to use it or to have invented it in this context; however, it is a term I have promoted.

I first heard the term in about 1995 when the then Operations Manager at TAM used it in a meeting.  Derek Wood was ex-military.  He made a really important point.  The control of data was similar to the control of munitions in the Army, with the business equivalent of a huge explosion should it ever go wrong.

The military use terms such as "make safe" and they confirm a device is safe habitually before it is passed from one person to another.  This chain of custody is also used in the control of data.  The metaphor is a strong one and this is perhaps why the term has spread and stuck.

The explosive consequences of a data loss or data breach are huge but well publicised, not least on this blog. It could be considered an explosion.  A damaged brand, a compromised database, a million customers to notify: all would be explosions in the world of most CTOs.

Would we carelessly discard an explosive device?  They have a habit of sitting undiscovered for years at a time, waiting to be made safe or possibly to explode, the only difference being luck. Perhaps we should treat all data with the same consideration of consequences that the army use for munitions. Or await a big bang.

Saturday 7 December 2013

A Gateway into our Private and Professional Lives


A change to our perception of data is long overdue.  We all know the volume of data is rising exponentially.  We see the value of large-scale data processing happening in the data centre. As users we take for granted the huge amount of information available to us; however, we choose to ignore our side of this bargain.

Users keep their heads in the sand with regard to their personal data.  We don’t think about what we put on our smart phones, tablets or personal computers.  Smart phones, tablets and personal computers hold a snapshot of our lives and they hold an ever-increasing level of detail.  Smart phones, tablets and PCs become a gateway into our work and personal lives.

Take my iPhone as an example.  I take some care of it and I work in the industry so you would imagine my data is pretty safe.  I have both my personal and work data on this device and of course my contacts and their details.  A quick scan suggests about 1400 contact details.

Now let’s imagine the impact of me losing it.  I’d buy another one and I’d recover my data from The Cloud.  Great!  I am back up and running.  What might happen should I fail to change any of my email passwords, iCloud account and potentially a whole lot more?  That phone in the wrong hands is a gateway into my most precious world. Most people haven't considered the risk.

Mr Smith, who now has my phone, is a pretty smart man.  He plugs the phone into a PC and analyses the data shared between the two devices.  If he’s smart, getting round my access code is quite simple.  In about 5 minutes he’s reading my live email stream.  I’ve done the PC equivalent of forgetting to change my locks after a break-in/security breach.

A “fixer” who was buying smart phones from a market in Lagos, Nigeria once told an investigative journalist friend of mine that there were two prices – one for phones with data and one for phones without.  The model and condition were less important.  I’ve now been told the same is true of hard disk drives.  The reasons for this are obvious.

So thousands of us could be sitting in blissful ignorance as our private emails are mined for data which could be used to blackmail us, to steal our identity or for information which can then be sold on to others to do with what they will at any point in time.  Much data doesn’t lose its value.  A Social Security number, date of birth and mother’s maiden name don’t change.  Dates such as birthdays, anniversaries etc. don’t change.

Users seem to assume that the data on a device is as obsolete as the device they are changing.  We change devices sometimes every few years and, more often than not, we throw away our data on the chance that Mr Smith won’t get hold of it.

Personal information can also be used for social engineering.  It can be used to make a fraud or crime seem completely credible.  For example, say I have a hobby, perhaps basket weaving. Mr Smith can easily gain the trust of family and friends just by knowing this tiny piece of information.  Add to that some dates and times of events and it would be easy to socially engineer somebody’s trust.

We love what so-called smart devices do for us and our lives but we fundamentally fail to understand the risks of discarding the data.  I sometimes wonder if we are smart enough for the smart devices we crave.

Jon Godfrey is a Director of Intelligent Lifecycle Solutions who provide services including the refurbishment and recycling of Hard Disk Drives, Mobile Devices and technology equipment.

http://www.lifecyclesolutions.net