Best Practices for Secure Hard Drive Destruction

The hard drives on your company’s servers probably house a lot of sensitive information, including details such as employee data, proprietary trade secrets, detailed customer information, and financial records. Even after you delete files or re-format those drives, that data may still be recoverable. If it falls into the wrong hands, that can lead to financial losses, reputational damage, and compliance failures.

The same can be said of hard drives on individual workstations, laptops, mobile devices, and even printer/copiers. What happens when you retire that equipment? You need to destroy the data so that it doesn’t fall into the wrong hands. By following best practices in secure data disposition, you can protect yourself and your organization.

Understanding the Need for Hard Drive Disposition

Secure hard drive disposition ensures that your sensitive data can never be retrieved, even with the most sophisticated tools. For many organizations, physical destruction of hard drives is the preferred (and sometimes mandated) method for safeguarding the integrity of personal and organizational data from exploitation by cyber criminals. By thoroughly destroying the physical medium, organizations and individuals can mitigate the data security risks that can lead to fines and penalties, bad publicity, and lost revenue.

Simply deleting files or reformatting the hard drive does not necessarily remove any data. That information remains intact until the space it consumes is required by some other file or application. Using widely available tools, cyber criminals can retrieve that data with relative ease.

Improper physical destruction can also put your data at risk. If fragments of the media remain intact, sophisticated criminals may still be able to retrieve it. That’s why it’s so important to work with a data destruction service provider who understands the hard drive destruction process and follows best practices to the letter.

Companies may be subject to various data security requirements, depending upon the industry in which they operate and the contractual agreements they have with their customers. Regulators are paying closer attention than ever to data privacy and security, and many private certifications impose similar standards. If you’re disposing of IT devices without first destroying the data they contain, you’re putting your company at significant risk.

Methods of Hard Drive Disposition

When a hard drive has been damaged sufficiently, it’s impossible to recover data from it. Common methods for physical hard drive destruction include shredding, crushing, and drilling.

  • Shredding involves cutting the hard drive into small pieces using industrial-grade shredders designed specifically for electronic media. These purpose-built shredders can tear through metal casings, platters, and other components, rendering the data completely unrecoverable. Shredding is often used by organizations that handle highly sensitive information and require the utmost assurance that their data cannot be reconstructed.
  • Crushing deforms the hard drive, making it unusable. This typically involves a hydraulic press or a hammer mill that exerts extreme force on the hard drive, bending its platters and damaging the drive’s internal components. While the physical drive might remain somewhat intact, the mechanical damage ensures that the data stored on the platters cannot be accessed or retrieved. Crushing is a more accessible option for many organizations, as it requires less specialized equipment than shredding.
  • Drilling holes through the hard drive’s platters disrupts the magnetic surface where data is stored, making it difficult to read the data from the platters. Drilling is generally considered less secure than shredding or crushing because it leaves portions of the platter intact, potentially allowing for partial data recovery by a highly determined cyberthief.

There are a few other data destruction methods that don’t necessarily involve physical destruction of the device:

  • Degaussing exposes hard drives to a powerful magnetic field, effectively erasing the data they contain and rendering them permanently unusable. This is quick and effective, but it requires specialized equipment and expert oversight. Degaussing is not effective on solid-state drives (SSDs) or flash storage, however, because these do not store data magnetically.
  • Secure erasure uses specialized software to permanently destroy the data contained on unwanted hard drives. This is cost-effective and extremely reliable. It’s also much better for the environment, because it preserves the hard drives so they can be reused.

Each of these methods has certain advantages and disadvantages, depending on the level of security required and the resources available. Whichever option you choose, the objective remains the same: to ensure that sensitive data on hard drives is completely destroyed and beyond the reach of unauthorized individuals, thereby ensuring data security.

Best Practices for Secure Hard Drive Disposition

Choose a hard drive destruction method based on the sensitivity of the data your devices contain, taking into account any applicable regulatory requirements governing data security. For highly sensitive data such as classified government information, personal health records, or financial data, shredding and degaussing are often preferred or even mandated. For all other organizations, secure erasure offers a more cost-effective and less resource-intensive approach. It’s also better for the environment. In any case, be sure to check any legal and compliance requirements that may apply to your organization.

Whichever method you choose, it’s critical to maintain and document a secure chain of custody throughout the process. Work with an IT asset disposition (ITAD) services company that transports your unwanted equipment in secure, sealed vehicles with GPS tracking, driven by employees who have undergone thorough background checks. Look for additional features like video surveillance and auditable record-keeping throughout the entire process.

The best hard drive destruction services companies will tailor their offerings to meet your unique requirements. Many organizations, for example, require on-site hard drive shredding, narrow time windows, and custom reporting. Look for a company with certifications from leading organizations, as well as strong reviews from long-time customers.

Implementing Hard Drive Disposition Policy

At NCS Global, we recommend that companies create a hard drive destruction policy that lists the storage media in use at the organization, as well as the types of sensitive data they contain. List the approved methods of destruction, taking into account the legal and regulatory requirements relevant to the organization’s industry, such as HIPAA, GDPR, GLBA, or CCPA.

The policy should also outline clear protocols for maintaining a secure chain of custody, ensuring that hard drives and other storage media are securely handled from the moment they are decommissioned until their eventual destruction. This includes documenting the end-to-end process and keeping an audit trail for compliance purposes.

Your policy should also include a plan for regular employee training that emphasizes the importance of data security and the proper procedures for hard drive destruction. This ensures that everyone at your company understands their role in the process.

Review and update your hard drive destruction policy regularly as new technologies, regulatory changes, and evolving security threats come to light.
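The policy elements above, turned into code as an added example (not NCS Global's tooling): a method-selection rule that follows the article (shredding or degaussing for highly sensitive data, secure erasure otherwise, and never degaussing for SSD/flash), plus a hash-chained chain-of-custody log whose verification detects an edited or dropped custody step. The sensitivity labels, media-type names and serial number are constructed assumptions.

```python
"""Hard drive disposition policy helper (added example, hypothetical names)."""
import hashlib
import json
from dataclasses import dataclass, field

# Assumed classification labels for "highly sensitive" data per the policy.
HIGH_SENSITIVITY = {"classified", "phi", "financial"}


def approved_methods(media_type: str, sensitivity: str) -> list[str]:
    """Return the destruction methods the policy allows for one asset."""
    if sensitivity in HIGH_SENSITIVITY:
        methods = ["shredding", "degaussing"]   # preferred or mandated
    else:
        methods = ["secure_erasure", "shredding"]  # erasure first: reusable
    if media_type in {"ssd", "flash"}:
        # Degaussing does not work on non-magnetic media; strip it.
        methods = [m for m in methods if m != "degaussing"]
    return methods


@dataclass
class CustodyLog:
    """Append-only, hash-chained chain-of-custody record for one asset."""
    asset_serial: str
    entries: list[dict] = field(default_factory=list)

    def record(self, step: str, handler: str, timestamp: str) -> str:
        """Append a custody step linked to the previous entry's digest."""
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = {"serial": self.asset_serial, "step": step,
                "handler": handler, "time": timestamp, "prev": prev}
        digest = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "digest": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any altered or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            expected = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != entry["digest"]:
                return False
            prev = entry["digest"]
        return True
```

Each asset gets its own log; the final entry's step should name one of the methods returned by `approved_methods` for that asset.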

Conclusion

Like so many other activities aimed at managing risk and compliance, secure data destruction is easy to overlook. Eventually, though, the unexpected will occur. Cyber threats are increasing constantly, and criminals are attacking small and midsize organizations more than ever. The time to get your house in order is now. Want to learn more? Download your free copy of our white paper, On-site vs. Off-site Hard Drive Shredding, or contact us to discuss your organization’s needs.

Shred Smarter, not Harder.
