We’ve written about numerous laptop thefts in recent months that have highlighted poor corporate security practices and privacy protection. However, while many companies continue to struggle with how to secure the data on laptops, they may be overlooking another source of potentially serious data leaks: remote employees, those who work at home, often on their own PCs.
A recent article on irishtimes.com shows how second-hand hard drives sold on online auction sites often still hold enough information to make identity thieves very successful. The twist on this Irish tale is that some of these drives have been traced back to employees who work at home on their personal computers. Certainly data encryption software would help prevent such leaks, but this brings us to the tricky area of what a company can and cannot require employees to do on their own home computers.
Many of us are still suffering from not being able to smoke in the local pub due to second hand smoke and now we have to deal with the ills of second hand hard drive sales. The Dublin office of Ernst & Young revealed that their research has shown that used drives bought for a couple of Euro (and not too many dollars or pounds if that’s your currency of choice) have been found to contain extremely sensitive information such as bank account details, confidential e-mail and more.
While many, but not all, businesses have gotten smart about hard drive disposal, many consumers just sell off or donate their PCs. In many parts of the world, new laws on recycling of equipment are leading to more equipment being turned in during recycling drives. Most recyclers offer the best of the equipment for resale before actually destroying or recycling it; it’s more about reusing than just recycling.
Some consumers don’t even erase their files, since they assume that the PC is destined for the dump and the furnace. Even on drives where the data was erased, or the drive was reformatted, it’s still relatively easy to retrieve the data. Erasing and reformatting do far less than most folks realize. Imagine you have a book with an index. You want to delete the story on pages 56-60. Following the PC model, erasing the data simply erases the entry in the index. Pages 56-60 still exist; it’s just that the index doesn’t know about them. A variety of utilities can quickly help to recover this data, even if it is deleted and oftentimes even if the hard drive is reformatted.
There are industrial-strength programs that will not just delete the file, but will write over the existing data with new data. Run a utility like this once or even twice and the old data (the sensitive e-mails, bank account numbers, etc.) will no longer be recoverable.
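The index analogy above, modelled as an added example that is not from the original article: a toy in-memory disk in Python, where `ToyDisk`, `carve` and the `ACCT-` record format are all hypothetical. It shows that an ordinary delete leaves the data findable by a raw scan, while an overwriting delete does not.

```python
import re

BLOCK = 64  # constructed block size for this toy disk


class ToyDisk:
    """Toy model only: raw blocks plus an index of file name -> block numbers."""

    def __init__(self, blocks=16):
        self.raw = bytearray(BLOCK * blocks)   # the "pages of the book"
        self.index = {}                        # the "index of the book"
        self.free = list(range(blocks))

    def write(self, name, data):
        used = []
        for off in range(0, len(data), BLOCK):
            chunk = data[off:off + BLOCK]
            b = self.free.pop(0)
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            used.append(b)
        self.index[name] = used

    def delete(self, name):
        # Ordinary delete: drop the index entry, leave the pages untouched.
        self.free.extend(self.index.pop(name))

    def wipe(self, name, passes=2):
        # Overwriting delete: replace the pages' contents, then drop the entry.
        for fill in [0xFF] * (passes - 1) + [0x00]:
            for b in self.index[name]:
                self.raw[b * BLOCK:(b + 1) * BLOCK] = bytes([fill]) * BLOCK
        self.delete(name)


def carve(disk, pattern=rb"ACCT-\d{8}"):
    """What a recovery utility does: ignore the index and scan the raw blocks."""
    return [m.group().decode() for m in re.finditer(pattern, bytes(disk.raw))]


def demo():
    disk = ToyDisk()
    # Constructed sample data; the ACCT-nnnnnnnn format is made up for the example.
    disk.write("bank.txt", b"Constructed sample: ACCT-12345678 sort code 00-00-00")
    disk.write("mail.txt", b"Constructed sample: see ACCT-87654321 before Friday")
    disk.delete("bank.txt")            # index entry gone, data still on disk
    after_delete = carve(disk)
    disk.wipe("mail.txt")              # data overwritten, then entry removed
    after_wipe = carve(disk)
    return sorted(disk.index), after_delete, after_wipe
```

After both operations the index is empty, yet the account number from the file that was only deleted is still found by the scan.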
But with these remote workers the data is on their home PC. Companies have three simple choices:
- Put their secure data at risk and let employees use home PCs to connect to the corporate network
- Only allow secure data to be used on company-owned PCs and train employees not to use flash drives or email to transfer secure files to their home computers
- Purchase encryption software that employees have to place on any personal/home PCs that will connect to the corporate network. Hosted solutions like Alertsec can make this both inexpensive and easy to support.
The issues are out there. IT managers can face up to them as noted above or just take the ostrich approach and bury their heads in the proverbial sand while confidential data is put at risk.


