Very often in organisations, conversations about cybersecurity take the form of how they can best protect the data they keep. This can be in the form of software, such as firewalls, anti-virus software, machine learning, and AI technology, or in shielding against the human element - tiered access, door passcodes, or awareness training.
The problem is that few organisations consider data destruction: how to dispose of data safely and responsibly so that it can't be accessed by others after disposal. It is an important part of cybersecurity, both for meeting the expectations of customers, clients, and partners that their personal data is safe and for complying with government regulations.
Data destruction - What it is and what it isn't
In the days before computers and the internet took over the world, data destruction was a much simpler process. An organisation only had to run papers through a shredder, drop the shreds off at a recycling plant, keep a record of what was shredded, and all regulatory compliance was met. This was enough to ensure that data was not lost or picked up by prying eyes and criminals.
Digital storage has made data destruction a more difficult task. While some employees may believe that just deleting files is enough to get rid of the data, this couldn't be further from the truth. On the vast majority of drives, deleting a file just flags its space for re-writing, so a user on the operating system can't see the file, but the data is still intact on the drive. To be destroyed, data must be overwritten or cleared electromagnetically, or the drive must be destroyed physically.
This is why making sure that drives are purged of all data correctly before disposing of them is of the utmost importance to an organization. Correct data destruction should be systemized and handled by the data controller of a company to ensure there is a responsible chain of command. Unless the organization has specialist facilities set up in house, they should always use a reputable data destruction company.
What are fool-proof ways of destroying data?
Companies destroy data permanently in a few ways, but three main techniques are in use today.
Degaussing is the most prevalent form of data destruction. A degausser is used to electromagnetically remove the magnetic field a hard disk drive uses to change the bits on a disk platter. This not only scrambles all the data on the drive, but also destroys the servo firmware, rendering the drive completely unusable even if recovered.
Over-writing is another form of destruction. As the name suggests, it consists of over-writing the entire drive with either 0s, 1s, or a random scramble of them. This completely erases any data on the drive while keeping it usable, so it's a fantastic option for an organisation that wants to do routine clears on a server without having to source all new hardware.
Physical destruction is the other popular form of data destruction. Again, as the name would suggest, it involves destroying the disk drive with trauma or chemicals in order to render it unusable and unreadable. The problem with this method is that unless it's done properly, a savvy criminal can recover pieces of the hard drive and may still be able to recover data from them. Therefore, it is essential to work with an experienced and reputable company to ensure your data is not compromised.
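The over-writing technique described above, as an added example that is not part of the original article: each pass over-writes the whole target, is verified by reading it back, and is logged in a destruction record. A temporary file stands in for the drive; `sanitise`, `overwrite_pass`, `sha256_of`, the marker string and the record fields are names assumed for this illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

BLOCK = 4096  # bytes per write
FILL = {"zeros": b"\x00", "ones": b"\xff"}  # fixed patterns; "random" uses os.urandom

def overwrite_pass(path, mode):
    """Over-write every byte of path in place; return SHA-256 of the bytes written."""
    remaining, digest = os.path.getsize(path), hashlib.sha256()
    with open(path, "r+b") as f:
        while remaining:
            n = min(BLOCK, remaining)
            block = os.urandom(n) if mode == "random" else FILL[mode] * n
            f.write(block)
            digest.update(block)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # flush OS buffers before the read-back check
    return digest.hexdigest()

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK), b""):
            digest.update(block)
    return digest.hexdigest()

def sanitise(path, modes=("random", "zeros")):
    """Run each pass, verify it by read-back, and return a destruction record."""
    record = {"target": path, "bytes": os.path.getsize(path), "passes": []}
    for mode in modes:
        written = overwrite_pass(path, mode)
        record["passes"].append({"mode": mode, "verified": sha256_of(path) == written})
    record["ok"] = all(p["verified"] for p in record["passes"])
    return record

def demo():
    marker = b"CUSTOMER-RECORD-0001"  # constructed sample data, not real
    with tempfile.NamedTemporaryFile(delete=False) as f:  # temp file stands in for a drive
        f.write(os.urandom(10000) + marker + os.urandom(5000))
    try:
        before = marker in Path(f.name).read_bytes()
        record = sanitise(f.name)
        after = marker in Path(f.name).read_bytes()
        return before, after, record
    finally:
        os.remove(f.name)
```

On real hardware the target would be the block device rather than a file, and the read-back only shows what the drive now returns: SSD wear-levelling and copy-on-write file systems can keep copies that an in-place over-write never touches.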
How does data destruction help an organisation?
An organisation can hold personal data on many people, and if they're in certain industries such as legal or financial, this data can be especially sensitive, so regulations on data storage can be very strong.
The other important thing for organisations to bear in mind, however, is that with competition in the marketplace becoming stronger, some less than moral companies and individuals are on the lookout for sensitive intelligence wherever they can find it to both use and sell. Many businesses only think about keeping their networks and servers secure and protected, but neglect their data destruction methods.
Snoopers are well aware of this vulnerability in companies, so will be on the lookout for hard drives they can get their hands on. This will include drives thrown in the trash, drives being transported, and at times, perhaps a laptop or USB stick left on a train. Systems must be in place to keep a business from losing clients’ personal information and businesses' critical intelligence. This is of the utmost priority for an organisation that doesn't want to be hit by large fines, as well as losing customers due to a data breach.
What needs to be considered when choosing how to destroy data?
The first thing to be considered is the type of hardware a business is using. A record log should be kept of all hardware being used, so when a business needs drives destroyed, the destruction company will know which techniques to use.
The second is to research the reputation of the destruction companies being shortlisted. They should have good testimonials from other businesses for their work, they should offer destruction certification and, if possible, video proof.
Lastly, consider time. It takes time to organise which drives need to be destroyed and when, and to transport them to the destruction facility; then, depending on the method and how many drives there are, the destruction itself can take different amounts of lead time.
About the Author:
Daniel Santry is US Business Development Executive for Wisetek, who are global leaders in IT Asset Disposition, Data Destruction, & IT Reuse.