Summary: Technology upgrades create the need to destroy old devices that are no longer in use. This blog explains what to do and what not to do when disposing of outdated storage media, so as to prevent data leakage and breaches.
Are you following the right approach to data disposal?
Often, information that is no longer valuable to the organization still resides on discarded devices. This information may become accessible to hackers keeping a close watch. With most enterprises not practicing a failsafe data destruction policy, the possibility of data leakage or theft is high.
Secure data disposal is the answer to these data security woes. The right approach to data destruction closes the loopholes that can lead to a damaging data breach. So, judiciously observe these Dos and Don’ts of data disposal and pay close attention to developing a robust data destruction policy when decommissioning IT assets.
Dos of Data Disposal
Here are some noteworthy recommendations for organizations that dispose of drives in bulk:
A Sound Destruction Policy in Place
When hard drives or other storage media reach the end of their operational lifespan, organizations should avoid haphazardly releasing IT assets to the secondhand market. Rather, adopt a zero-tolerance policy against selling used media without properly sanitizing it. Make sure your data destruction policy complies with all industry, state, and federal regulations. It must specifically define how long old data or devices are to be retained, and the preferred methods of secure data disposal. Review your policies frequently to incorporate revised guidelines and industry norms.
Define Data Eraser Protocol
Develop a protocol for securely erasing data before retiring a device, so that employees cannot compromise the underlying layer of security. Keep your staff educated about the potential harm careless disposal of devices can cause if data is recovered or inadvertently falls into the wrong hands. Moreover, provide certified data eraser software so that employees adopt automated data erasure practices instead of simply deleting files or formatting the storage device; deletion and formatting leave the data recoverable. Such measures ensure unwanted data is permanently irretrievable. You may also read our blog on ‘Automate and Schedule Data Erasure Tasks To Maintain Privacy’ and share it with your staff.
Promote Employee Awareness
Every individual, whether working from the office or a distributed location, must be well-versed in the data destruction policy and observe it meticulously. Organizations should frequently conduct data destruction training and educational webinars for employees as a reminder to sustain cyber hygiene. Casual disposal of documents, drives (HDDs, SSDs, etc.), or CDs in the trash bin should be strictly prohibited. IT asset managers must take responsibility for ensuring that data stored on devices no longer in use is permanently wiped, and that the certificate of erasure is diligently retained as proof of erasure for compliance.
Reassess Sanitization Process
Conventional media sanitization procedures do not carry over to modern flash memory-based devices. These storage technologies differ markedly from legacy magnetic media (wear leveling and over-provisioning mean a plain overwrite may not reach every physical cell) and require the data destruction process to be redefined to ensure effective sanitization. Destruction without media sanitization should be considered only in rare cases where the device cannot be accessed for overwriting and must be physically destroyed. It is the responsibility of the IT asset manager and data controller to find the most suitable data destruction method for recycling modern drives and devices.
Backup Destruction is Compulsory
Many organizations keep multiple backup files, folders, or data stores to guard against accidentally losing confidential information. If primary data sources are disposed of, their backups should be wiped too. Overlooking this step or improperly dumping backup tapes is equally unethical and may have serious repercussions for the enterprise.
Maintain Chain of Custody Records
A sound chain of custody consists of an auditable digital or paper trail. It must include a complete history of everyone who held, stored, or transported the devices. Leave no room for error: an improper chain of custody can turn a disposal into fines, legal ramifications, auditors’ censure, and brand disrepute.
Demand Certificate of Destruction
A Certificate of Destruction is an audit document affirming the successful destruction of confidential data stored on hard drives, tapes, SSDs, or other storage media. A certificate of erasure attests that you have actually destroyed the data in line with the mandates of global data privacy and data protection laws. Hence, organizations must use tools or hire service providers that issue a Certificate of Destruction as proof that data has been permanently destroyed. It is a resilient approach that ensures data is no longer exposed to bad actors and guards against lapses and data breach risk.
Don’ts of Data Disposal
Now let us review some common mistakes to avoid when disposing of storage devices, so that your organization stays compliant and out of data breach lawsuits. Here are the don’ts of data disposal:
Never Violate Compliance
If organizations neglect or do not follow data privacy or environmental protection laws, they not only expose their customers or the planet to damage, but also put their venture at risk. Negligence will be rewarded with heavy penalties for data breaches or identity theft. You may also suffer multiple lawsuits and loss of revenue, clients, and market reputation. Indeed, non-compliance is a nightmare that can ruin years of hard work at once. So, get acquainted with the data destruction guidelines defined by regulatory bodies like NIST (the US National Institute of Standards and Technology) in order to meet regulatory compliance with global laws like GDPR, CCPA, and the like.
Avoid Casual Employee Training
New staff members must be made aware of the data destruction methods and information security policies. They should be well trained by data controllers and quality audit teams on the repercussions the organization may face from lapses and improper disposal of data.
Never Stockpile Devices
Stockpiling old devices and drives makes your company vulnerable to data leakage. The cost of data destruction is far lower than the potential risk of unused devices becoming the source of a data breach. Enterprises are not allowed by law to retain old devices beyond a certain point; storing them longer is a clear violation of the law. The Data Protection Act stipulates that consumers’ personal information should not be retained for longer than the purpose of collection requires.
Here are some other common dos and don’ts, set out side by side to give you a clear picture of data disposal:
| Dos | Don’ts |
| --- | --- |
| Separate storage media by type and apply the destruction method suited to each. | Don’t overlook removing IT asset tags or corporate identification marks from devices when you hand them over to the disposal service provider. |
| Streamline data disposal by formulating an asset decommissioning checklist so that no valuable data is lost. | Don’t choose a random method of data destruction; act mindfully. |
| Choose a secure data disposal practice that produces zero e-waste. | Don’t decommission drives through shredding or any other physical destruction that can harm the environment. |
| Use reliable software to erase data from hard drives and devices permanently and beyond recovery. | Don’t wait too long to dispose of media, as delay can lead to data leakage or breach. |
| Make sure destruction service providers follow a reliable technique that complies with global regulatory laws. | Never perform data disposal on your own, as you are not authorized to do so. You may, however, use data erasure tools for media sanitization. |
| Always use secure tools or hire service providers that provide a Certificate of Destruction for the audit trail. | Never rely on a self-attested Certificate of Destruction or a random piece of paper verifying the data destruction process. |
Key Data Disposal Methods
Instead of jumping to any one option, be mindful and understand the pros and cons of each procedure. The prominent data destruction techniques are described in detail in our Knowledge Series; here is a glimpse:
Logical Destruction
Logical data destruction targets the data on the drive itself by applying specific disposal methods to the media locations where it is stored. The broad approaches to logical destruction are overwriting, block erase, and cryptographic erase. These mechanisms work only if the storage media is undamaged and writable. Without highly efficient data eraser software like BitRaser, an overwriting attempt remains ineffective.
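As an added illustration (not BitRaser’s or this blog’s own code), the following Python script shows the overwrite-and-verify mechanism on a constructed file-backed drive image: it plants sample secrets, performs three full-media passes with fsync after each, reads the media back to confirm no planted secret survives, and produces a minimal erasure record of the kind a certificate of erasure is built from. The marker strings, pattern set and record fields are assumptions, and as noted above under reassessing sanitization, this overwrite reaches only the image’s own bytes, not the spare cells of a flash device.

```python
import hashlib, os, tempfile
MARKERS = (b"CONFIDENTIAL-CUSTOMER-RECORD", b"SSN=123-45-6789")  # constructed sample secrets
CHUNK = 64 * 1024  # stream the media in 64 KiB pieces so large images never sit in memory

def make_sample_image(size=256 * 1024):
    """Create a constructed file-backed 'drive image' seeded with the marker strings."""
    fd, path = tempfile.mkstemp(suffix=".img")
    body = bytearray(os.urandom(size))
    for i, m in enumerate(MARKERS):          # plant each marker at a fixed offset
        off = (i + 1) * size // 4
        body[off:off + len(m)] = m
    with os.fdopen(fd, "wb") as f:
        f.write(body)
    return path

def overwrite_image(path, patterns=(b"\x00", b"\xff", None)):
    """One full-media pass per pattern (None = random bytes), fsync'ed before the next pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pat in patterns:
            f.seek(0)
            for pos in range(0, size, CHUNK):
                n = min(CHUNK, size - pos)
                f.write(os.urandom(n) if pat is None else pat * n)
            f.flush()
            os.fsync(f.fileno())             # make the pass durable before starting the next
    return len(patterns)

def verify_erased(path, markers=MARKERS):
    """Read back: return (no_marker_survives, sha256). Overlap catches chunk-boundary splits."""
    keep = max(len(m) for m in markers) - 1
    h, tail, ok = hashlib.sha256(), b"", True
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
            window = tail + chunk            # carry len(marker)-1 bytes from the last chunk
            ok = ok and not any(m in window for m in markers)
            tail = window[-keep:] if keep else b""
    return ok, h.hexdigest()

def run_demo():
    """Wipe a constructed image and return a minimal erasure record (assumed fields)."""
    path = make_sample_image()
    before_ok, _ = verify_erased(path)        # False: the planted secrets are present
    passes = overwrite_image(path)
    after_ok, digest = verify_erased(path)    # True: nothing planted survives the wipe
    os.remove(path)
    return {"asset": os.path.basename(path), "method": "overwrite", "passes": passes,
            "secrets_found_before": not before_ok, "verified": after_ok, "post_wipe_sha256": digest}
```

The read-back step is the part a certificate should rest on: a record that only says "wiped" without an independent verification result is the self-attested paper the table above warns against.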
Physical Destruction
Physical destruction is appropriate only if you do not plan to recycle or reuse the hard drive. Enterprises can dispose of media by shredding, drilling, or melting it. The process, however, has non-negligible drawbacks: it is prone to manipulation, harmful to the environment, and does not yield auditable proof of destruction. Read Chapter 3 of our Knowledge Series for in-depth detail on both destruction techniques.
The Bottom Line
If you are planning to discard, recycle, reuse, or donate old storage devices when moving to upgraded models, carry out the measures described above. They ensure that the data stored on the old devices is permanently erased beyond recovery and is irretrievable even by laboratory forensic techniques. Given the vast amount of data organizations generate, effective data disposal practices and policies have become a vital necessity for businesses.
Finding a secure data disposal process is easy, but avoiding trouble is tricky. Save your organization time, resources, and legal and financial penalties by keeping the dos and don’ts in this post handy. For more, see Chapter 5 on Data Destruction Standards and Guidelines to craft the best data destruction policy.