Data Insecurity: Shredding is Not Enough
With 1.5 million workers now working from home, data security risks have risen exponentially. Too often, hard drives and devices are left to pile up in the back of a non-secure, almost forgotten closet after remote worker equipment is returned for a replacement or upgrade. Also, security teams, commonly operating with skeleton crews, are wondering how to properly dispose of all that decommissioned equipment filled with confidential, proprietary, and even top-secret data.
First and foremost: Know your industry data regulations and which apply to your organization. Numerous regulatory entities create laws and regulations addressing data breaches. See https://garnerproducts.com/compliance-regulations/overview for an overview of the most common ones.
All of these regulations have a common thread: to protect the privacy and sanctity of consumer information in all forms. While the method of data sanitization is not always clearly defined, best practices among the regulators indicate three steps:
- Completely erase the hard drive of all data
- Physically destroy the hard drive
- Maintain verified proof of data erasure and destruction
Complete Erasure. As I noted in my previous articles on the inadequacy of overwriting, a National Association for Information Destruction (NAID) study released in March 2017 found that 40 percent of used electronic devices sold on the secondhand market contained personally identifiable data.
Usernames, passwords, credit card data, tax details, and contact information were found on used hard drives, mobile phones, and tablets that were analyzed in the study. The recovery process used to identify data on more than 250 devices required no advanced forensic training.
To ensure this does not happen, the National Security Agency (NSA) requires complete data erasure with a process like degaussing as the only sure way to guarantee that all of your data has been erased. Degaussing doesn’t rely on the software or operator to decide what data is sensitive. Degaussing does not leave any data behind. Degaussing erases the entire hard drive, working or not, in less than one second by encompassing it with a strong magnetic pulse. Degaussing erases all data to the highest security level and only takes seconds to complete. The degaussing process can be laboratory tested and verified. Degaussing is an approved method of erasing TOP-SECRET data by the NSA.
Physical Destruction. Although physical destruction of a hard drive is not necessary after it has been degaussed, hard drive erasure can be followed by a method of physical destruction to visually indicate the hard drive has gone through a complete data destruction process. This can be accomplished by using a crusher, bender or shredder.
Despite what you may have heard, shredding alone is not complete destruction. Shredding only physically alters the size of the hard drive. It is important to recognize that data can be, and is, recoverable from “shredded” disk fragments.
The NSA shred requirement is a 2mm² particle size, about the thickness of a pencil lead. To meet that requirement, you need a shredder/crusher/disintegrator that can achieve a 2mm² particle size.
But even a 2mm² disk fragment still contains retrievable data, as you can see in the graphic below. A 2mm² disk fragment is the paper equivalent of 2.52 pallets of paper, equaling 15 sets of an Encyclopedia Britannica containing data. Because of this, shredding alone is not complete data destruction.
Shredding isn’t easy or environmentally safe. Mechanically reducing a hard disk drive (HDD) to a 2mm² particle size requires a huge machine that is expensive, loud, takes a great deal of power, and releases significant amounts of dust into the surrounding air. It is not a solution that lends itself to a data center or office.
By contrast, degaussers are small (about the size of a CPU), lightweight (ranging from 35-105 lbs.), and can be carried or rolled into an office, data center, or warehouse. A degausser plugs into a standard wall outlet and takes seconds to complete a cycle. Degaussing is also environmentally friendly; it does not physically alter the external appearance of the hard drive, allowing the degaussed hard drive to be recycled.
Verified Proof of Erasure and Destruction. Documented proof of destruction is a necessity in our litigious society. How do you prove that your data destruction process meets the standards and regulations of your industry? Garner is the only degausser manufacturer that offers an automated erasure and destruction verification system called IRONCLAD. IRONCLAD takes JPEG images of the media before and after it is degaussed, verifies the destruction process was successful, and generates a record of erasure and destruction for audit and archival purposes. The information is preserved in an exportable IRONCLAD Erasure and Destruction Certificate.
The bottom line: Shredding hard drives is not enough. Shredding is an analog solution to a digital problem. Shredding remains an industry-approved method for the destruction and disposal of paper, but in this digital world of hard drives and data storage, it is an insecure, inadequate, and outdated method of data destruction.
Today, your company needs to securely dispose of magnetic storage media. Modern HDDs are written at 4 Tbits/sq inch — an unimaginable density. A 2mm particle of such a drive contains 500,000 pages of data. Shredding alone will not protect your organization from data breaches. True data protection is a reality only when you degauss, destroy and verify.
Garner Products is a nationally recognized leading manufacturer of NSA/CSS EPL-Listed data destruction equipment. Garner offers a full line of degaussers and destroyers from office-quiet desktop units to equipment for top-secret data elimination. Learn more about Garner Products at GarnerProducts.com