By Paul Le Messurier, Programme and Operations Manager at Kroll Ontrack

The definition of insanity was said by Albert Einstein to be ‘doing the same thing over and over again and expecting different results’. When it comes to data management, many home and small businesses continue to make the same mistakes such as not backing up information securely and not protecting systems against viruses – despite all the warnings that have been out there for a number of years.

This means the majority of businesses will be able to see room for improvement, especially since a number of new risks have crept into the equation over the past couple of years. Risks to be aware of include new ways of working, whether that’s storing company data in the cloud or using mobile devices to store and access information on the move.

However, the basic principles of the Data Protection Act have not changed since the Act was introduced in 1998. All businesses holding information about living individuals in electronic format must follow these eight principles, which say that personal information must be:

- Fairly and lawfully processed
- Processed for specified purposes
- Adequate, relevant and not excessive
- Accurate and where necessary kept up to date
- Not kept for longer than is necessary
- Processed in line with the rights of the individual
- Kept secure
- Not transferred to countries outside the European Economic Area unless the information is adequately protected

A new draft of European Data Protection legislation is due to be introduced this year which will harmonise regulatory frameworks across Europe, and will make it even more important for businesses to ensure they are managing data safely and effectively. In short, the time is right to take another look at how information is stored, managed and disposed of within your business.

Keeping data secure

While the type of computer system used by most small businesses does not require a separate, specially cooled data centre, it still helps to store computer equipment in a dry, controlled environment that is clean and dust-free.

Data should always be backed up in case of power failure or other errors. Companies are advised to back up their data at least once a week using reliable tapes or other storage devices, always verifying that the correct data is backed up.

To guard against data loss, companies should always use an uninterruptible power supply (UPS). In the event of a surge of electricity or lightning strike, an uninterruptible power supply protects the computer from becoming damaged. A UPS also has a battery backup that keeps the computer running, allowing you to save the data and avoid data loss. If a UPS is not a viable solution, a surge protector is also a good investment.

Computer viruses can create big problems for users and their data. Regular virus scans using software that is updated four times a year are advisable. Good anti-virus software tests systems for sequences of code unique to each known computer virus and eliminates the infecting invader.

In the event of strange noises or grinding sounds, users should turn off their computer immediately and call their data recovery provider. Further operation may damage the hard drive beyond repair.

Recovering lost data when the worst happens

It’s important to remember that data is rarely completely irrecoverable. Professional data recovery services offer the expertise and tools required to recover data quickly and successfully.

When dealing with a data loss scenario where your system has suffered physical damage, time is of the essence. Physical damage can manifest itself in many forms including clicking, grinding, scraping or other strange noises.

If you suspect physical damage, it’s important to stop using the system immediately, switch it off and refrain from interfering with the hard drive or server by shaking it, disassembling it or attempting to clean or dry it. Improper handling can jeopardise the data recovery process. It’s also important not to use data recovery software when there is physical damage since this may destroy what would otherwise be recoverable data.

If a server or personal computer has overheated, or is fire-damaged, it’s important to let it cool down naturally, rather than putting it in a fridge or freezer to cool, and then to ship the entire computer for recovery.

Conversely, if the hardware is damaged by water, it’s never a good idea to try to dry it using heat (think of corrosion). Instead, it’s better to place the media in a container that will keep it damp before shipping to a data recovery expert.

Finally, it’s vital to remember that physical damage, no matter what the cause, requires clean room attention.

When damage is not physical and is caused by user or software error, users may see messages such as "No OS found", "Corrupt Volume" or may simply be missing files and folders. In this case it’s still important to shut the computer down immediately as the longer a damaged hard drive is left running, the more data can be irretrievably lost.

Ensuring data is disposed of safely and permanently

One of the principles of the Data Protection Act is not to keep data longer than is necessary, while individuals also have the right to request that information that is no longer accurate or necessary be deleted. The challenge is that deleting a record does not mean that the data is lost permanently: it can be restored with the right software tools and expertise.

Safe disposal is also relevant when you are getting rid of old kit (including smartphones and tablets). Selling or donating old computers and mobiles to third parties carries its own risks, because information that you thought was deleted may still be available. Personal information or critical business data, including the Internet browser's cache, cookies and history; email contacts and messages; documents; recycle or trash folders; and all non-transferable software, may still reside on your machine’s hard drive.

Just formatting a hard drive doesn’t wipe information from it. Instead it just removes an existing file system and generates a new one. Smashing a drive up, plunging it in water or even setting it on fire is no guarantee that data will be deleted either.
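The point about formatting can be checked on a raw disk image by searching it for content you know was stored there. The following is an added example, not code from the author: the image layout, the `quick_format` model and the customer record are constructed, and the zero-overwrite pass is an assumption included only as a contrast case, since the article does not describe it.

```python
import os
import tempfile

BLOCK = 4096  # block size of the constructed image

def find_residue(path, marker, chunk_size=1 << 20):
    """Return byte offsets where `marker` still occurs in the raw image."""
    hits, tail, base = [], b"", 0
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk  # overlap so matches spanning two chunks are found
            start = 0
            while (i := window.find(marker, start)) != -1:
                hits.append(base - len(tail) + i)
                start = i + 1
            tail = window[-(len(marker) - 1):] if len(marker) > 1 else b""
            base += len(chunk)
    return hits

def quick_format(path):
    """Simplified model of a format: replace only the file-system metadata block."""
    with open(path, "r+b") as fh:
        fh.write(b"NEWFS (empty file table)".ljust(BLOCK, b"\x00"))

def overwrite(path):
    """Contrast case (assumption): overwrite every byte with zeros and sync to disk."""
    remaining = os.path.getsize(path)
    with open(path, "r+b") as fh:
        while remaining > 0:
            n = min(BLOCK, remaining)
            fh.write(bytes(n))
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())

def demo():
    """Constructed 8-block image: block 0 is metadata, block 3 holds a customer record."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"OLDFS customers.csv@3".ljust(BLOCK, b"\x00"))
            fh.write(bytes(2 * BLOCK) + b"CUSTOMER: Example Ltd".ljust(BLOCK, b"\x00") + bytes(4 * BLOCK))
        quick_format(path)
        after_format = find_residue(path, b"Example Ltd")
        overwrite(path)
        after_overwrite = find_residue(path, b"Example Ltd")
        return after_format, after_overwrite
    finally:
        os.remove(path)
```

In the demonstration the record is still found at its original offset after the format, because only the metadata block changed.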

Simply snapping a hard drive in half isn’t a suitable technique for permanently erasing end-of-life data. If a company goes down the physical destruction route, it should ensure that the media is shattered into as many pieces as possible – most professionals would recommend using a specialist hard drive shredder.

The second way to render data irrecoverable from retired hard drives and other magnetic media is to use a modern degausser, which is basically a box that generates a powerful magnetic field, throwing the drive’s existing magnetic domains into disorder.

Whilst a powerful and quick option, degaussing can’t delete data from a flash storage device and also renders hard drives unusable, so it’s not an ideal solution for companies looking to recycle or sell their hardware.

Whether a sole operator or a growing business, all commercial organisations have a legal duty to look after their data. They also face reputational and financial risks from not safeguarding their critical data. The time is now to take a good long look at current data management, back-up and destruction policies.