When organization leaders think about cybersecurity, it's usually about which tools and practices they need to add to their stack—email protection, firewalls, network and endpoint security, employee awareness training, AI and machine-learning technology—you get the idea. What's not often considered is which items should be taken away.
Nearly as important to an organization's security posture is data destruction, or what to do with data when it's no longer necessary for the company...or when it falls into the wrong hands.
What exactly is data destruction?
The word "destruction" doesn't always carry positive connotations. A person might worry about data destruction if their device fails and they haven't made proper backups or don't store their data in the cloud. However, organizations must destroy data on a nearly daily basis, whether that's deleting emails to clean out an inbox or making room on a database by dumping old, no-longer-relevant files.
In days of yore, destroying data was a fairly simple task. Take old papers and run them through the shredder. Then dump at a recycling facility, wipe your hands, and smile at your empty file cabinets.
Modern data destruction is more complex. Data stored on tapes, disks, hard drives, USBs, and other physical hardware must be purged before old devices are thrown away, re-used, or sold. And data no longer in use that's stored on networks and in the cloud should be systematically destroyed in the interest of organizing relevant data and keeping it out of the hands of criminals.
It's a step companies must take whenever they stop using something that holds information. A thorough data destruction process involves making what was formerly on an electronic storage device unreadable. Businesses must do this, no matter if they intend to sell an old storage medium or throw it away.
What are the main types of data destruction?
To truly destroy data, merely deleting a file is insufficient. While the file may not be viewable in a particular folder, it is still likely stored in the device's hard drive or memory chip. Therefore, organizations must take an extra step to ensure the data can no longer be read by an operating system or application.
Companies have a few main choices when deciding how to destroy their data properly:
- Degaussing
- Overwriting
- Physically destroying the storage medium
Degaussing requires using a special tool called a degausser and choosing one designed for the particular storage device. The degausser removes or reduces the magnetic field associated with the storage disk, which renders the data inside unreadable and unrecoverable.
Overwriting means replacing the old data with new. This method only works when the storage medium is undamaged and writable—and of course when an organization plans to continue using the medium instead of throwing it away or reselling.
Physically destroying the storage hardware usually means striking it with a hammer or taking it into a field with a baseball bat, Office-Space style. This is a costly data destruction method, but one that gives exceptionally high confidence that someone could not access the information later.
There are also other types of destruction options within those broader categories. For example, data wiping is a form of overwriting, and erasure is another example.
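To make the difference between deleting and overwriting concrete, here is an added example (not from the original article) that uses a toy in-memory "disk". The `ToyDisk` class, the file name, and the sample record are constructed for illustration and do not model a real filesystem or SSD behaviour.

```python
import os

# Added illustration: a toy "disk" with a directory table, not a real filesystem.
class ToyDisk:
    def __init__(self, size=4096):
        self.blocks = bytearray(size)   # raw storage the medium actually holds
        self.directory = {}             # name -> (offset, length): what the OS lists
        self.next_free = 0

    def write_file(self, name, data):
        off = self.next_free
        if off + len(data) > len(self.blocks):
            raise ValueError("disk full")
        self.blocks[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        self.next_free = off + len(data)

    def delete(self, name):
        # Ordinary deletion: only the directory entry goes away.
        del self.directory[name]

    def overwrite_and_delete(self, name, passes=1):
        # Overwriting: replace the stored bytes, then drop the entry.
        off, length = self.directory[name]
        for _ in range(passes):
            self.blocks[off:off + length] = os.urandom(length)
        self.blocks[off:off + length] = bytes(length)  # final zero pass
        del self.directory[name]

    def residual(self, needle):
        # Verification step: scan the raw medium, ignoring the directory.
        return needle in bytes(self.blocks)


def demo():
    secret = b"SSN=000-00-0000;name=Constructed Sample"  # constructed record
    results = {}
    for method in ("delete", "overwrite_and_delete"):
        disk = ToyDisk()
        disk.write_file("hr_export.csv", secret)
        getattr(disk, method)("hr_export.csv")
        results[method] = {
            "listed": "hr_export.csv" in disk.directory,
            "recoverable": disk.residual(secret),
        }
    return results

if __name__ == "__main__":
    for method, outcome in demo().items():
        print(method, outcome)
```

In both cases the file disappears from the listing, but only the overwrite leaves nothing for a raw scan to find, which is why a verification pass over the medium belongs in any overwriting procedure.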
Which cybersecurity risks does data destruction tackle?
A breach is the cybersecurity threat most people probably think of when they ponder what could happen due to insufficient data destruction. Most organizations collect and store sensitive or personally identifying information on their employees and customers, for example. Yet, once those employees or customers move on, businesses may hold onto their data for a little while but eventually want to remove it from their systems so they are not liable for fallout from a breach.
Cybercriminals look to compromise organizations for this very reason, and they do not limit their efforts to data being actively used by an organization. Data at rest, in storage, and in transit are all at risk. And threat actors know that users and organizations often rid themselves of physical devices without completely wiping them of data. According to the BBC, 1 in 10 second-hand hard drives still contain users' old information.
Obtaining the data may also happen innocently. An individual could buy a USB drive from a third-party source and notice there's still information on it when they plug the device into a computer, for example. A person could also gain access to sensitive data by noticing that a company is throwing away some hard drives in an easily accessible dumpster, and take the disks out of the receptacle later.
Outside of data breaches, organizations may be fined for mishandling the information in their care. Businesses can incur millions of dollars in penalties once regulators conclude they're not meeting minimum standards for data safekeeping.
An IT company called Probrand conducted a data destruction poll a couple of months after the General Data Protection Regulation (GDPR) came into effect. It showed that 71 percent of United Kingdom trade sector businesses did not have an official protocol for getting rid of old computer equipment. Then, 47 percent of respondents admitted they would not know which person in their organization to approach about data destruction.
Companies cannot view data destruction and cybersecurity separately. They go together, and if an organization doesn't take it seriously, its cybersecurity plan falls short, particularly when it comes to safeguarding information. Enterprises should consider a top-down approach when protecting and disposing of data—especially when the GDPR or other regulations apply to them.
What should organizations consider when choosing a destruction method?
Although the data destruction techniques mentioned above encompass the main options available to organizations, that doesn't mean companies do or should choose only one option and use it for all cases. Instead, they need to think about time, cost, and the validation and certification associated with each method.
Time comes into play because some techniques take longer than others to ensure old information is completely gone. The number of devices or drives an organization wants or needs to destroy at once also matters. For example, if a company only needs to delete the data from one or two endpoints, that'll be a much shorter demand on time compared to dealing with hundreds of machines.
Cost is mainly a factor to keep in mind if an enterprise intends to use the hard drives again for different purposes, or it has limited financial resources. Perhaps their budgets do not allow for getting replacement computers, making physically destroying a hard drive out of the question.
Validation and certification are related. They address how companies may need to work with data destruction service providers that can validate their methods and provide certifications after doing the job. Having a certificate helps a business show its compliance.
For advice on which methods to follow in which scenarios, the National Institute of Standards and Technology (NIST) has published guidelines for data sanitization. Organizations are not legally required to follow the standards put forth by this US Department of Commerce–sponsored report, but they are helpful in outlining best practices for protecting data from infiltration, abuse, misuse, theft, and resale.
Should destroying data be high priority?
IT executives have a growing number of challenges to overcome regarding cybersecurity. Some of them may wonder if data destruction (or lack thereof) is a genuinely confirmed risk or merely a theoretical one. Substantial evidence shows that companies cannot afford to overlook data destruction as they iron out their cybersecurity plans.
Matt Malone is a dumpster diver who confirms that many hacks and identity thefts occur when people go through someone's trash. Malone often targets the dumpsters of retailers and said that off-hours activity made more money for him than his day job.
Also, a tech company called Stellar performed a residual data study in 2019 that analyzed the information left on 311 devices. It found that more than 71 percent of them contained personally identifiable information (PII). Additionally, 222 of the devices went to the secondary market without their original owners conducting the appropriate information-erasing procedures first.
An earlier study from the National Association for Information Destruction revealed that 40 percent of devices received secondhand had PII on them. Researchers looked at more than 250 items for the study.
Furthermore, research published in 2015 highlighted the need to work with reputable data destruction companies that stand behind their results. The study examined 122 used devices bought from e-commerce sites. In addition to 48 percent of the hard drives containing residual data, 35 percent of the mobile phones had information such as call and text logs, images, and videos.
Even worse, previous deletion attempts occurred on most of the devices: 75 percent of the hard drives and 57 percent of the mobile phones. A closer look told the researchers that people tried to delete the information with widely available but unreliable data destruction methods. A lesson learned here is that it's crucial to weigh the pros and cons of each option before tasking a reliable company with discarding the information.
Data destruction should not be overlooked
Cybersecurity is a hot topic for organizations, which are increasingly being targeted by cybercriminals for their troves of valuable PII. Data that is no longer useful to an organization is still a goldmine for threat actors. As the saying goes: One person's trash is another person's treasure.
And while organizations might spend a fortune on protecting their active data from getting into the wrong hands, what's often overlooked is how inactive or old data is improperly secured or destroyed. Removing all traces of old data is important for saving consumers from continued exploitation, plus it sends a message to criminals that your organization has air-tight defense—even around its dumpsters.