
Recovery firms may steal your data

There's a red flag going up for IT executives who need their computers fixed. While plenty of organizations have an in-house IT shop to handle repairs, many smaller companies do not, and they rely on an outside vendor to do the work. But there is plenty of evidence that they may be doing so at their own peril.

It's no longer okay to just send computers out to any repair service. A new survey finds that data-recovery services are responsible for a growing chunk of privacy breach incidents. It's not really a surprise. An outside vendor contracted to repair your computer may not have the security mechanisms in place to prevent a theft. Or the company may have IT workers willing to dip into the database for their own purposes.

The Ponemon Institute surveyed 636 information technology professionals who had used data-recovery services or knew about them. Nearly 20 percent responded that they experienced a data breach when they hired a third-party data-recovery firm.

"A lot of organizations are focused on firewalls or perimeter controls and ignoring simple issues like these," says Larry Ponemon, the group's chief executive. "You're handing over your company's crown jewels to a stranger, often without assessing what security controls are in place to reduce the risks."

Security should be the Number 1 concern for IT executives seeking data recovery services, according to Ponemon. But only 22 percent of respondents said they felt their data-recovery service was "secure."

Nearly half of the respondents said their IT security staff is involved in choosing a data recovery firm. But the same number said they don't have a company policy for choosing a data recovery firm.

"Companies are trusting their data to third parties without a lot of vetting," Ponemon says. "These are people who could be incompetent or even criminal. The risk is very real."

For more on data recovery companies:
- see this Forbes magazine article
