What do you do with computer equipment marked for disposal, repurposing or donation? Cybersecurity experts say such equipment can be a major security threat when data on it is not handled properly. Malicious actors can easily extract useful data from old hard drives, USB sticks, card readers, and even mobile phones. This data presents a vulnerability at the organization level, e.g., risks of intellectual property theft. It also presents risks to individuals, e.g., identity theft. Data destruction has become a key function in data security.
Data Destruction Meaning
Data destruction is the process of making stored data inaccessible and unreadable for unauthorized purposes. This destruction is done using software tools, electromagnetic methods and physical destruction of the storage media.
What kind of data is to be destroyed?
- Customer data – Most criminals are after this type of data because it contains Personally Identifiable Information (PII) like name, address, SSN, and phone numbers. This data is lucrative for identity thieves, who can use it to take out unauthorized loans, apply for credit cards, buy expensive items and create other unauthorized legal and financial obligations.
- Employee data – This is just like customer data, but it will usually have added details relating to work, including employee salary and Protected Health Information needed for health insurance. This data can be stolen for identity theft as well as blackmail.
- Corporate data – This is any data that a company would not want to be in the public domain. This could be intellectual property, internal emails, audit reports, and operational information. This data is attractive to malicious actors, who can sell it to the competition and use it to cause further damage, such as business email compromise schemes.
The Danger of Forensic Recovery Tools
Advanced forensic tools have become very powerful. They can extract data even after a drive has been formatted. They are also easily available and have become more user-friendly. Anyone with some familiarity with computers can use them.
Most people assume that a complete format is secure. Worse still is simple data deletion. Much of the data remains accessible after emptying the Recycle Bin. That is why secure data deletion goes beyond these simple methods.
Secure data destruction includes verification of the destruction of that data. It is not enough to assume that data on a hard disk is destroyed because a hard drive has been shredded. Modern solid-state drives pack data very densely such that it is possible to recover some data from shredded pieces.
Secure data destruction involves data sanitization, which is verifying that data has been truly destroyed. This is important when the equipment needs to remain functional, for example, when donating equipment or recycling it for another division.
What are the Methods of Data Destruction?
There are three main methods of data destruction, each with its advantages and disadvantages.
Overwriting files with new data makes them inaccessible. This method uses a series of characters to overwrite the old files. Complex overwriting uses several passes to make it harder to get to the data underneath. The NSA standard recommends 35 passes for sensitive files.
More secure data destruction methods deploy cryptographic overwrite on top of making the necessary passes. This method uses encrypted characters such that the data cannot be deciphered, making it impossible to get to what is underneath.
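An added example (not from the original article) of the overwrite-then-verify idea described above: it overwrites a file-backed stand-in for a drive with random passes plus a final zero pass, then reads it back to confirm the result. The function names, pass count and sample record are assumptions; on SSDs and journaling or copy-on-write file systems an in-place file overwrite does not guarantee that the old physical blocks are replaced, so whole-device sanitization applies there.

```python
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # write and read in 1 MiB chunks
SAMPLE_RECORD = b"name=Jane Example;ssn=000-00-0000\n"  # constructed sample data

def overwrite_pass(path, pattern=None):
    """Overwrite every byte of `path` in place; pattern=None means random data."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push this pass to the device before the next one

def verify_pattern(path, pattern):
    """Read the whole target back and confirm every byte equals `pattern`."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(pattern) != len(chunk):
                return False
    return True

def sanitize(path, random_passes=2):
    """Random passes, then a final zero pass that is verified by read-back."""
    for _ in range(random_passes):
        overwrite_pass(path)
    overwrite_pass(path, b"\x00")
    return verify_pattern(path, b"\x00")

def contains(path, needle):
    with open(path, "rb") as f:
        return needle in f.read()

def demo():
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE_RECORD * 1000)  # stand-in for a drive holding PII
    try:
        before = contains(tmp.name, b"ssn=")
        verified = sanitize(tmp.name)
        after = contains(tmp.name, b"ssn=")
        return before, verified, after, os.path.getsize(tmp.name)
    finally:
        os.remove(tmp.name)

if __name__ == "__main__": print(demo())
```
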
Advantages of overwriting
- This method of data destruction leaves the storage media intact. It is useful when dealing with equipment that is meant for recycling, repurposing, or donating.
- It is cost-effective because the hardware remains intact
- Overwriting is a green method. The equipment is reused instead of being dumped in landfills or other unsafe disposal methods
Disadvantages of overwriting
- It is a very slow method for destroying data on huge drives with repeated passes
- Some overwriting tools are unable to get to data in locked partitions, which can still be extracted
- Overwriting is only possible for writable data storage media. It does not work on damaged drives
Degaussing uses a high-powered magnetic field to make permanent changes to a drive’s electromagnetic fields, destroying the data in the process. Degaussed storage media is permanently damaged.
Advantages of degaussing
- It is a fast method of secure data destruction. It is possible to wipe a high-capacity drive in a few minutes
- It does not require special software tools. Operating a degausser is relatively simple. It only requires putting the drive in the degausser and switching on the machine. No special skills are required
Disadvantages of degaussing
- It is not cost-effective since it leaves the storage media unusable
- A degausser can damage nearby electronic equipment
- It is not a clean method because the unusable equipment has to be disposed of
Physical data destruction destroys the storage media such that it becomes impossible to use data recovery tools on the drive. Physical data destruction methods include:
- Special crushing equipment is used to deform the storage media. The drive may be broken in the process.
- Data storage media is destroyed by cutting it up into small pieces. The pieces left are less than 2 inches. Professional data destruction services deploy this method because it requires specialist equipment.
- This is the ultimate secure data destruction method. Data storage media is destroyed using very high-temperature furnaces. The metallic parts melt, while the plastic parts are burnt to ashes. There is no way of recovering data storage destroyed in this way.
Advantages of Physical Destruction
- It is the most secure data destruction method when the chain of custody is enforced. Data storage that has been physically destroyed cannot be subjected to forensic recovery
- Large amounts of data storage can be handled at once. A crusher or shredder will handle tens of drives in a short time
Disadvantages of Physical Destruction
- Data storage to be destroyed leaves the custody of the organization and is handled by external parties, which may present a bit of a security threat
- Specialist equipment is needed, which leaves organizations needing this service to rely on professional data destruction services
- It leaves residual waste that has to be disposed of correctly
Secure data destruction is no longer an option, but a requirement under privacy laws. Ensuring data is destroyed eliminates a serious vulnerability by preventing unauthorized access to valuable data and information.