Every day the media publishes stories about companies whose data resources are hacked, resulting in loss or theft of private, corporate and personal data. While many of these incidents involve people using online computer devices with all sorts of security technology, hardware, software and processes in place, they also involve organizations and municipalities whose hardware assets were retired, but not properly processed, i.e., sanitized, destroyed or disposed of.
How is this possible today? This can happen when the vendors or employees in which the company places its trust are not qualified to handle such an important task. The key to understanding this issue comes from asking your vendors the right questions.
Inform Yourself
There are basically two methods for destroying data: erasing the data from the device or physically destroying the device. Here are what you need to consider.
Option 1: Erasure. Numerous websites and vendors sell “data erasure software and services”. Some even offer “free” or “shareware” data erasure software. These promise to eradicate data from the associated hard disk drives (HDD), Solid State Drives (SSD), tablets, smartphones, etc. Data erasure is also referred to as “data clearing”, “data wiping”, “data sanitization” and “data destruction.”
This solution option uses software to overwrite the data with 1s and 0s with the purpose of destroying all electronic data residing on the digital media. But is this method 100% effective? Can you rely on a technician at your company to manually perform this task successfully as the volume of end-of-life devices increases? Also ask yourself, if a breach occurs, do you have the appropriate documentation to defend yourself and your employer?
According to Security Boulevard, New research has discovered that “globally, organizations’ overconfidence in their data sanitization methods makes them more vulnerable to a data breach: …36% reported relying on inappropriate data removal methods—using data wiping methods such as formatting, overwriting, using free software tools or paid software-based tools without certification or physical destruction (both degaussing and shredding) with no audit trail.”
Option 2: Physical Destruction. Consumers and businesses are accustomed to shredding paper to destroy data. More recently, however, there are increasing options to “shred” your disk drives as an alternative method for data destruction. However, this service is not considered a particularly “green” option because the destroyed HDDs cannot be reused. Consumers and businesses need to weigh the pros and cons along with the cost considerations. Destroying hard drives can sometimes be more costly than erasure methods.
The vendor who is selling services to dispose of your IT assets must not only understand your data destruction requirements but also be an expert in the solution technologies to achieve those objectives. Ask your vendor about what certifications they have. Are they NAID AAA Certified (National Association for Information Destruction)? NAID is the standard-setting body that advocates for the best practices in secure destruction.
IT Asset Disposition (ITAD) experts are supposed to have the knowledge and experience in industry standards and best practices for IT lifecycle management. This involves continually updating their processes and certifications for limiting customer data liability. Your vendor should be capable of explaining the pros and cons of the different destruction options for disposing of your hardware and the associated costs.
Here are a few key questions you should ask your vendor about data destruction solutions.
Q: Can I perform the data destruction myself?
Consumers and companies who feel compelled to do the erasure themselves should first consider the necessary documentation for satisfying compliance requirements. This requires understanding the rules and taking the time to appropriately document each erasure. Doing it yourself may appear to “save a buck” but also opens the door to increased risk and expense.
The risks also apply to performing your own physical shredding. Examples of individuals performing their own low-cost and non-secure physical destruction options include drilling holes in hard drives, actually shooting them with bullets, slamming them with hammers/sledgehammers, dunking them in water, and other “homemade” solutions. Each of these options “disables” the drive but does not completely remove the data. As a result, many forensics experts would claim that data is still recoverable from these homegrown methods.
Q: Should I be cautious of low-cost data erasure solutions?
A: Low-cost solutions may not include certifications that meet the strictest standards. As a result, they often have higher failure rates on systems they process. Ideally, the erasure process should:
- Allow for selection of a specified and recognized standard, based on your unique needs
- Support erasure of the type and number of devices being erased, and
- Provide verification that the overwriting method has been successful and has removed data across the entire device.
Q: Does the solution meet my compliance needs?
A: Verify that the vendor’s recommended solution meets your specific compliance requirements (e.g., Sarbanes-Oxley, PCI, HIPAA, HiTECH, NIST standards) and provides the related audit trails and reports you will need to retain or submit to regulatory authorities.
Q: Does the solution help us save costs by improving our process?
A: The best solution should provide cost-effective performance that meets your business data risk and compliance objectives and your device end-of-life goals. This requires both industry and technical acumen from your advisor. It also requires process automation that removes the manual reporting and processing.
Q: How long should a disk wipe take to complete?
A: A comprehensive erasure tool should securely overwrite any device at 30-40 GB per minute. New flash media and encryption removal technology can make this process even faster. Be aware that low-cost tools may lack the appropriate drivers and ATA commands to efficiently erase your device.
Q: How many times should an ITAD wipe a computer?
A: According to Bernard Le Gargean, Product Manager of Blancco Drive Eraser, “One pass is enough. However, to ensure the overwriting process has been effective, major agencies and government bodies worldwide (NIST 800-88, NCSC, BSI and others) state that the verification of data erasure is mandatory for full compliance with their standards. Other research supports this idea.”
Q: How should I verify erasures?
A: Your vendor and solution should consistently check drive wipe results to verify that data erasure tools are functioning properly.
Q: How long should I store audit reports?
A: Store audit reports a minimum of 7 years or as required by your policy advisors or government regulators.
Q: What if I don’t have the time or manpower for this?
A: Work with a trusted and certified advisor.
Castaway Technologies believes you should be as informed as possible about the latest best practices for safely and securely mitigating risks involved with the turnover of data-bearing IT assets. This will allow you to focus on what really matters – running your business.
While most companies focus on the initial phases of the IT lifecycle, Castaway is the premier ITAD specialist that works with businesses and organizations to streamline the end of their IT lifecycle processes. Recently, Castaway was granted AAA Certification by NAID®, a division of the International Secure Information Governance and Management Association™ (i-SIGMA™). These organizations set the standards for best practices in the Information Destruction and ITAD (IT Asset Disposition) industries.
Q: So finally, what is the ideal data destruction solution?
A: The perfect solution would include either an onsite or full chain of custody program that would include software sanitization with documentation, followed by physical destruction. This may be cost-prohibitive, so consumers/businesses need to weigh all their options. This provides all the more reason to contact a NAID AAA Certified ITAD company like Castaway to discuss options and generate a customized program that fits a budget while meeting/exceeding requirements/compliance.
For further information concerning your company’s data destruction needs, contact one of our qualified ITAD professionals at (978) 208-4730.
