Destruction and disposal of sensitive data

Nothing short of grinding your physically-stored data into granola dust for scrap-yard-hungry robots will do. Only physical drive destruction will offer definitive disposal of sensitive data for those unwanted, damaged or dated devices. Data destruction is the process of destroying data stored on tapes, hard disks and other forms of electronic media so that it is completely unreadable and cannot be accessed or used for unauthorised purposes. Everything from USB flash drives, solid state drives, traditional hard drives, CD’s, DVD’s and any other read and write cards found in phones and cameras like SD, XD or CF. Anyone who works with sensitive data understands the importance of protecting one’s clients and oneself. Even though the use of paper is still perhaps frighteningly popular, the 21st century has seen a massive migration of information to the hard drive. With that move comes the need for efficient and foolproof disposal of sensitive data and hard drive destruction. Here’s a look at both… Digital Removal – Wiping Data first Like a surgeon going into the operating room, a good wash and clean is necessary before getting to the hardware. Here’s how to wipe the three most commonly used devices if and before you want to physically destroy them for good… Hard drives Traditional spindle-based hard drives are magnetic storage devices and simply deleting a file does not remove it from the drive, it simply removes the pointer to the file. Files need to be overwritten repeatedly to ensure they are practically unrecoverable. There are various software options available that can securely delete files from hard drives. For example, AxCrypt, Eraser and WipeFile are free open source file and folder shredding utilities. Programs such as PGP Shredder, BCWipe and DeleteOnClick are examples of proprietary based file and folder shredding utilities. Solid-State hard drives and USB flash drives Solid-state hard disks (SSD) and USB flash drives (memory sticks) use a different technology to traditional spindle based hard drives. Therefore, the techniques for securely erasing files mentioned above cannot be relied upon. To erase SSD drives use the manufacturer’s delete utilities e.g. Corsair SSD Toolbox, SanDisk SSD Toolbox, Intel Solid State Toolbox, Samsung Magician Software. For other makes refer to the manufacturer’s website. Securely erasing a USB flash drive is a complex procedure which involves formatting the drive and encrypting it with a 50 character passphrase using PGP, VeraCrypt, or FileVault2 (Mac). Paper and optical discs Shredders certified to an appropriate security level should be used for destroying paper and CD/DVD discs. The German Institute for Standardisation (DIN) has standardised levels of destruction for paper and discs that have been adopted by the shredding industry. The UK government requires a minimum standard of DIN 4 for its material, which ensures cross-cut particles of at least 2 x 15mm. Physical destruction – It’s Permanent Like paper shredders before them, hard drive shredders are now a necessary facet of many offices. That’s right, we’re talking about a device which literally shreds and crushes unwanted hard drives into unusable bits of electronic scrap. Unfortunately most businesses don’t know the protocol for correct hard drive destruction for disposal of sensitive data. Here are four common mistakes to avoid when considering a hard drive shredding…

1. Not Using a Hard Drive Shredder

While not technically a mistake, if you don’t use a hard drive shredder you are missing out on quite a few benefits. Many businesses are content to have an employee smash old hard drives with a hammer, thinking that will be enough to destroy any data. Sadly, this is not the case. Even after wiping a hard drive, recovering data from one is surprisingly easy for a would-be data thief. While it’s tempting to avoid the investment and just take a DIY approach, any business looking to be HIPAA, FACTA, or GDPR compliant needs to avoid this temptation like the plague.

1. Not Getting The Right Shredder For The Job

Like with anything, you have to have the right tools for the job. There are a variety of different shredders, from massive industrial shredders to shredders for an office setting. It’s very likely you fall into the latter category. For those purposes, you should have a shredder that can handle everything from USB to solid state drives. Whatever your needs, make sure you’re doing the necessary research and getting the shredder you really need.

1. Not Wiping Data First

Truthfully, there will be an extremely small chance of anything surviving the process of shredding, but one can never be too safe. Human and technical errors happen. It’s just a fact of life. To ensure the highest degree of security, make sure you’re wiping your devices before shredding them, even if it seems silly or redundant at first glance.

1. Not Following Proper Protocols

As can be expected with something as sensitive as personal data, there are stringent protocols in place to ensure data is properly disposed of. Depending on what your business specialises in, where you’re located, etc., there might be different rules to follow. Make sure to familiarise yourself with them. Also, make sure you’re not shredding your hard drives too early. Certain data has to be retained for a specific period of time before it can be disposed of. Furthermore, don’t stockpile devices and hard drives to be shredded at a later date. Data disposal needs to be done in a timely fashion. Not doing this potentially makes a data thief’s job much easier than it should be. Cyber Stealth empowers cyber heroes with world-class security awareness training and simulated phishing.

It's Cyber Made Simple.