When most of us consider cybersecurity we probably think it’s all about safeguarding data, not destroying it. But a key part of any organisation’s cybersecurity policy and practice is data destruction. Why? Because it prevents important documents such as financial records, intellectual property (IP) or personally identifiable information (PII), like customer or staff files, falling into the wrong hands. Put simply, data destruction is about deciding what to do with all the data you store when it’s no longer needed or is held on irreparable or obsolete technology you want to sell, dispose of or replace. In this blog post we’re going to take a closer look at data destruction and why it matters for your cybersecurity.
What is data destruction and why does it matter for your cybersecurity?
Think ‘data destruction’ and you probably shudder and envisage damaging or losing a device you haven’t backed up so the information it contains is lost. But data destruction in this context is the purposeful act your organisation undertakes when it no longer uses information or the device storing it. Data destruction matters for your cybersecurity because data that’s not been effectively destroyed is a data breach waiting to happen.
Data destruction is wide ranging
Chances are, your organisation already destroys data every day – deleting emails from an inbox or making room on a database by dumping old files, for example. But with so many ways to store information these days – from tape, disks, hard drives and USBs to other physical and mobile devices – modern data destruction can get complex.
Effective data destruction means you must purge the data from any physical hardware before devices are binned, recycled, re-used, sold or replaced. Similarly, obsolete data stored on networks and in the Cloud should also be systematically destroyed for organisational and security best practice.
The three main types of data erasure
Be warned: merely deleting a file does not truly destroy data, because that data is still likely to be stored on the device’s hard drive or memory. So, to ensure your data can no longer be read by an operating system or application, you have three ways to destroy it:
Degaussing requires a special tool called a degausser (choose one designed for your particular storage devices), which removes or destroys the magnetic field associated with the storage disk, rendering the information inside unreadable and unrecoverable.
Overwriting essentially means replacing the old data with new, but it only works when the storage medium is undamaged, writable and you want to keep using it instead of disposing of it or selling it. Data wiping and erasure are two other kinds of overwriting.
Physical destruction means taking your storage device somewhere with plenty of open space (not easy in London!) and hitting it with something hard and heavy, like a hammer. But this method is time-consuming and, therefore, costly.
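To make the overwriting method concrete, here is an added example in Python (not from the original post) that overwrites a file or disk image in place and then reads it back to confirm nothing but the fill byte remains. The function names, the single zero fill byte and the sample record are assumptions made for illustration.

```python
import os
import tempfile

CHUNK = 64 * 1024  # read/write granularity in bytes


def overwrite(path, fill=b"\x00"):
    """Overwrite every byte of an existing file or image in place with one fill byte."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:              # r+b keeps the same file and does not truncate it
        for off in range(0, size, CHUNK):
            f.write(fill * min(CHUNK, size - off))
        f.flush()
        os.fsync(f.fileno())                  # ask the OS to push the new bytes to the device
    return size


def residual_ranges(path, fill=b"\x00"):
    """Return (start, end) byte ranges that still hold anything other than the fill byte."""
    ranges, start, offset = [], None, 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            for i, b in enumerate(chunk):
                clean = b == fill[0]
                if not clean and start is None:
                    start = offset + i        # a run of leftover data begins here
                elif clean and start is not None:
                    ranges.append((start, offset + i))
                    start = None
            offset += len(chunk)
    if start is not None:                     # leftover data runs to the end of the image
        ranges.append((start, offset))
    return ranges


def demo():
    """Constructed sample: a 1 MiB zero-filled image holding one made-up record."""
    record = b"name=Jane Example;account=00000000"   # constructed, not real data
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"\x00" * 4096 + record + b"\x00" * (1024 * 1024 - 4096 - len(record)))
        before = residual_ranges(path)        # the record is still readable in the image
        wiped = overwrite(path)
        after = residual_ranges(path)         # only the fill byte remains
        return before, wiped, after
    finally:
        os.remove(path)
```

A read-back check like this only covers the addresses the operating system exposes, so it confirms the overwrite on an undamaged, writable medium and nothing more.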
How does data destruction reduce risk?
Cybercriminals will try to compromise the redundant information your organisation stores if you give them the chance – that means the information you don’t effectively destroy, especially if it’s held on obsolete devices. Essentially, data at rest, in storage and in transit is all at risk. Threat actors know this and will use your data destruction vulnerabilities against you.
A data breach through poor data destruction can happen innocently if, for example, a pre-used USB drive is sold or carelessly dumped in a bin somewhere in London. However, such data breaches can be expensive, leading to fines for mishandling information in your care under the General Data Protection Regulation (GDPR). Worryingly, research by IT company Probrand showed that 71% of UK trade sector businesses do not have an official protocol for getting rid of old computer equipment.
The bottom line is you cannot view data destruction and cybersecurity separately; they must be analysed, assessed and acted upon together.
What methods are best for your business?
You don’t have to choose only one data destruction method from the three above and use it consistently. Instead, consider factors such as time, cost and the validation and certification associated with each option and work out what works best for your business.
The time you have available and the number of devices you need purging matter because some destruction methods take longer than others. In addition, cost can be an important factor if you intend to use the technology again and physically destroying it is a no-no.
You should only trust data destruction service providers that can validate their methods and provide certifications that prove they’ve done the job correctly, which helps your business demonstrate its compliance credentials.
The National Institute of Standards and Technology (NIST) has published a cybersecurity framework (CSF) through the US Department of Commerce that has been mirrored here in the UK. The CSF provides helpful guidance and best practices for protecting data from infiltration, abuse, misuse, theft and resale.
Why destroying data should be a high priority
The research shows that you cannot afford to overlook data destruction in your cybersecurity plans. Here are some alarming findings demonstrating it:
- According to research by the BBC in the UK, one in 10 used hard drives for sale still contained personally identifiable information (PII).
- In a 2019 study, tech company Stellar found that over 70% of some 300-plus used devices for sale contained PII.
- An earlier study of 250 pieces of pre-used technology on the market, undertaken by the National Association for Information Destruction, showed that over 40% of them contained PII.
- Research published in 2015 highlighted how working with reputable data destruction companies was crucial, as that study examined 122 used devices bought from e-commerce sites, only to find that 48% of the hard drives contained residual data as did 35% of the mobile phones tested. And that’s after some 75% of the hard drives and 57% of the mobile phones had supposedly had all their data deleted.
Remember, one person’s trash is another’s treasure
Put simply, even data that’s no longer useful to your organisation, especially when it’s stored on obsolete or damaged technology, is still a goldmine for cybercriminals.
You may well spend a fortune on protecting your active data from a breach, but you cannot afford to overlook your inactive data.
Destroying obsolete and old data is crucial: it saves your customers from exploitation and saves your business from reputational and financial harm. More than that, it sends a message to cybercriminals that your organisation has air-tight defences.
Don’t forget the paperwork
There’s a fair chance your organisation collects and maintains sensitive personally identifiable information (PII) and still stores some of it in hard copy files. And as with digital data, every paper document you don’t effectively, safely and securely destroy is a data breach in waiting. So here’s why you should shred those important but redundant business documents or get a professional team to do it for you:
Prevent identity theft
Identity thieves can and do dig through recycling bins and rubbish skips in London and elsewhere to find and use PII for fraudulent reasons, such as signing up for credit cards or applying for a passport under a stolen persona.
Protect your customers and employees
Your customers trust you with their PII and it’s your duty to keep it safe, whether that’s stored on paper or in bytes. Any breakdown in this duty of trust could wreak havoc with your reputation, customer base and bank account through data breach fines.
You have a duty to protect your employees by ensuring their personnel files – CVs, application forms and photo ID cards, for example – are securely stored and then destroyed at the end of their retention period.
Do your bit for the environment
Boost your green credentials. Simply find an environmentally-responsible shredding company who will destroy your old papers, bale the shredded waste and securely transport it to an accredited recycling partner to be made into useful paper products. No landfill involved.
Here in the UK, GDPR means your organisation is under increased scrutiny to handle personal data in the correct manner to prevent a data breach – so keep your hardcopy documents secure and shred those you no longer need.
To find out more about data destruction services
As a team of highly experienced and expert IT support, services and security specialists, we’re well positioned to guide and advise you on the subject of data destruction, so please just call us for a confidential, no-obligation chat through your requirements. Here at totality services, we’re one of London’s most trusted go-to remote IT support service providers, with two consecutive Feefo Gold Trusted Service Awards, Five Star ratings from both Trustpilot and Google and a 98% client retention rate, so you’ll be in good hands.