When most of us think about what cybersecurity is, we probably assume it’s all about the safeguarding of data, not the removal of it. But a key part of any organisation’s cybersecurity policy and practice is in fact data destruction.
Why is this? Put simply, data destruction prevents important documents falling into the wrong hands. This kind of data could include financial records, intellectual property (IP) or personally identifiable information (PII), like customer or staff files, which you certainly don’t want to be accessed by an unknown source. The process of data destruction is about deciding what to do with your stored data when it’s no longer needed. It also provides a secure solution for irreparable or obsolete technology you want to sell, dispose of, or replace.
So, in this blog post we’re going to take a closer look at data destruction and why it matters for your cybersecurity.
What is data destruction and why does it matter for your cybersecurity?
Think ‘data destruction’ and you might imagine losing precious data from a damaged or stolen device which wasn’t backed up. However, in this context data destruction is a useful tool to strengthen your organisation’s cybersecurity. It is a purposeful act your business undertakes when it no longer uses information or the device storing it.
Data destruction matters for your cybersecurity because data that’s not been effectively destroyed is a data breach waiting to happen. Often, the files you assume are deleted, removed, or gone from your business devices are still accessible. And unfortunately, any possibility of unauthorised access is a threat to your business.
Data destruction is wide ranging
Chances are your organisation already destroys data every day. This could be as simple as deleting emails from an inbox or making room on a database by dumping old files. But with so many ways to store information these days, the process of data destruction can get very complex. From tape drives, disks, hard drives and USBs to other physical and mobile devices, the types of data storage spaces have never been so vast.
Effective data destruction means you must purge the data from any physical hardware before the devices themselves are binned, recycled, re-used, sold or replaced. Similarly, obsolete data stored on networks and in the Cloud should be destroyed for organisational and security best practice.
The three main types of data erasure
Be warned, merely deleting a file does not truly destroy data. It is still likely for data to be stored on your device’s hard drive or memory. Therefore, you must ensure your data can no longer be read by an operating system or application. There are three ways to securely destroy your data:
Degaussing
This requires a special tool called a degausser, which is chosen and designed specifically for your storage device. It works by removing or destroying the magnetic field associated with the storage disk, which renders the information inside unreadable and unrecoverable.
Overwriting
This method essentially means replacing the old data with new. But overwriting can only work when the storage medium is undamaged and writable. This is an appropriate option if you want to keep using your device instead of disposing of it or selling it. Data wiping and erasure are two more specific types of overwriting.
Physical destruction
This is exactly what it sounds like! Take your storage device somewhere with plenty of open space (not always easy in London!) and hit it with something hard and heavy, like a hammer. But this method’s time and, therefore, cost consuming.
How does data destruction reduce risk?
Cybercriminals will try to compromise the redundant information your organisation stores if you give them the chance. This means the information you don’t effectively destroy can be accessed and exploited, especially if it’s held on obsolete devices. Essentially, data at rest, in storage, and in transit are all at risk. Threat actors are aware of this and will use your data destruction vulnerabilities against you.
A data breach can happen innocently or unknown to you through poor data destruction practices. For example, if a pre-used USB drive is sold or carelessly dumped in a bin somewhere in London, the data can be found. Such data breaches can be costly both to your business’ security and of course, financially. Under the General Data Protection Regulation (GDPR) you can be fined for mishandling information in your care. As of 2018, it was reported that almost a third of EU small to medium sized businesses were not effectively destroying their data.
The bottom line is you cannot view data destruction and cybersecurity separately, they must be analysed, assessed, and acted upon together.
What methods are best for your business
You don’t have to choose only one data destruction method from the three we have listed. Instead, consider factors such as time, cost and the guarantee of safety associated with each option. Most significantly, your chosen method of data destruction should concern your business’ data storage types and how the device is dealt with after.
The time you have available, and the number of devices matter because some destruction methods take longer than others. In addition, cost can be an important factor if you intend to use the technology again. Undoubtedly, in this case physically destroying it is a bad idea.
If you are thinking of consulting a data destruction provider, ensure they can validate their methods and provide certifications. They must be able to prove they’ve done the job correctly, which helps your business demonstrate its compliance credentials.
If you need more guidance, the National Institute for Standards in Technology (NIST) published a cybersecurity framework (CSF) through the US Department of Commerce. This has been mirrored in the UK with the Cyber Assessment Framework (CAF) created on behalf of the National Cyber Security Center (NCSC) for our organisations. Both the CSF and the CAF provide helpful guidance and best practices for protecting data from infiltration, abuse, misuse, theft and resale.
Why destroying data should be a high priority
Research shows that you cannot afford to overlook data destruction in your cybersecurity plans. Here are some key findings which demonstrate why effective data destruction should be a high priority:
- In a 2018 study about paper-based data, 75.4% of SMEs (based in UK & Ireland) failed to shred all their sensitive documents
- The same research found that over two thirds of these SMEs were not confident about the meaning of ‘personal data’
- In 2020 it was discovered that 60% of preowned computers on the market still contained sensitive data from businesses
- In a 2019 study, tech company Stellar foundthat over 70% of some 300 plus used devices for sale contained PII.
Remember, one person’s trash is another’s treasure
Even data that’s no longer useful to your organisation can still be a goldmine for cybercriminals. Consider data left over on obsolete or damaged technology, as this is equally accessible in the eyes of those who want it.
Understandably, you may spend a lot of your budget on protecting your active data from a breach. However, you cannot afford to overlook your inactive data as this will always be a site of vulnerability.
Destroying obsolete and old data is crucial. It will save your customers from exploitation and prevent your business from experiencing reputational and financial damage. More importantly, relieving any trace of vulnerability sends a message to cybercriminals that your organisation has air-tight defences.
Don’t forget the paperwork
It is most likely that your organisation collects and maintains sensitive personal identifiable information (PII) and stores some of it in hard copy files. And as with digital data, every paper document you don’t effectively destroy carries a risk of a data breach. So, we’ve set out some points to show why you should shred those business documents or get a professional team to do it for you:
Prevent identity theft
Identity thieves dig through recycling bins and rubbish skips in London to find PII and use it for fraud. They may use these details to sign up for credit cards or apply for a passport under a stolen persona.
Protect your customers and employees
Your customers trust you with their PII and it’s your duty to keep it safe. This is key to following compliance laws, whether that’s stored on paper or in bytes. Any breakdown in this duty of trust could wreak havoc with your business’ reputation or customer base. It could even lead to enormous data breach fines.
You have a duty to protect your employees by ensuring their personnel files are stored securely. This may include CVs, applications forms and photo ID cards. They must then be destroyed at the end of their retention period.
Do your bit for the environment
Help boost your green credentials and reduce your carbon footprint. First, find an environmentally responsible shredding company who will destroy your old papers. Then bale the shredded waste and securely transport it to an accredited recycling partner to be made into paper products. No landfill involved.
GDPR
In the UK, GDPR means your organisation is under increased scrutiny to handle personal data in the correct manner. Non-compliance can easily allow a data breach, let alone cause even more serious issues for your business. So, keep your hardcopy documents secure and shred those you no longer need.
To find out more about data destruction services
As a team of expert IT support, services, and security specialists, we’re well positioned to advise you about data destruction, so if you’d like to learn more or request a quote, simply get in touch. Here at totality services, we’re one of London’s most trusted remote IT support service providers, with two consecutive Feefo Gold Trusted Service Awards, Five Star ratings from both Trustpilot and Google and a 98% client retention rate, you’ll be in good hands.