Light Dark
August 17, 2020 By Mike Elgan 3 min read
Data Protection
Risk Management

Data security means keeping data out of the wrong hands. This is especially important when storage media is no longer usable and needs to be decommissioned. The data must be truly destroyed, for both security and compliance. 

The trouble is ‘deleting’ data doesn’t really delete data. It’s still possible to extract data from a device that has been deleted, re-formatted and even damaged physically. The highest form of data destruction makes it unreadable on the device, then destroys the device. But, how do you make data truly unreadable? 

What is Data Destruction? 

The amount of data enterprises manage and secure is growing fast. The problem also grows because of procrastination born of cheap storage and overworked staff. This is bad security and bad compliance. 

Forget deleting and reformatting. Deleting merely frees up the space taken by the deleted files for use by other data. The ‘deleted’ files can be easily recovered until those spaces are overwritten. Reformatting simply deletes the entire drive or partition. Overwriting, or wiping, replaces old data with new, arbitrary data. And, it’s better than deleting. But, it might miss some data. 

The best method for making data unreadable is degaussing, which exposes magnetic storage devices (hard drives, magnetic tape, floppy disks, etc.) to a high-intensity magnetic field of alternating amplitude. Degaussing not only erases data, but also destroys the device. 

Degaussing creates two problems. First, it’s not effective for solid state drives (SSDs). Second, degaussing is unverifiable. Because the drive is ruined, the deletion of data cannot be confirmed.  Additionally, wiping could be incomplete, and degaussing can’t be verified.

Good data deletion calls for destruction. 

Let’s Get Physical

The best general practice for end-of-life data destruction calls for degaussing magnetic media, wiping solid state media and physically destroying each with the appropriate shredder. 

Many companies use the same process for destroying hard drives and SSDs. This is a mistake. Degaussing doesn’t work on SSDs. Do not rely on hard disk shredders, which can leave SSD chips readable. National Security Agency (NSA) internal policy demands SSD bits to be reduced to 2 mm or less.

Time For a New Data Destruction Policy

Every organization needs a clear decommissioning policy. The policy should be carried out by someone experienced in end-of-life decommissioning of digital assets and should not be foisted on already over-tasked IT generalists.

If any of this work is outsourced to an information technology asset disposition (ITAD) service, it’s important to thoroughly vet whomever is involved in the chain of custody. In-house or outsourced, your decommissioning policy should prescribe the following: 

  • Detailed IT asset inventory
  • Thorough logging of the entire decommissioning process
  • A comprehensive backup of stored data
  • A process of disconnection of the device — subnets, firewalls, networks and power
  • Degaussing of all magnetic media
  • Wiping of all solid state media
  • Physical destruction of all media
  • Recorded proof of the destruction
  • Requirements for cloud providers and their data destruction policies
  • Responsible recycling of destroyed storage media materials

Crush… but Verify

Know the regulations relevant to you, such as Europe’s General Data Protection Regulation (GDPR), California’s California Consumer Protection Act (CCPA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the NSA’s rules. These policies around the handling of classified data and other regulations mandate true data destruction policies and practices for consumer, financial or government data. And, the fines are hefty. 

The deep end of the data destruction pool is data sanitization, which combines absolute and irrevocable destruction of data and tamper-proof verification. Highly regulated industries require sanitization and this work has to be carried out by experienced specialists. 

But whatever your process and whoever does it, the end result should include certificates of sanitization, documentation of a clear audit trail and satisfaction of regulatory compliance in writing.

In a nutshell, fully destroy data on decommissioned media for security, and verify it all for compliance. 

 |  |  | 
Mike Elgan

More from Data Protection
December 20, 2024

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

December 3, 2024

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

November 19, 2024

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature