You could be putting your company at risk by disposing of old data and storage media improperly.
At some point, all data must be destroyed. If you’re replacing outdated computers, servers, or storage media, like tapes, then you need to purge all the business data that currently exists on those devices. Also, there’s some data you need to wipe after a certain period of time so your company remains compliant with federal privacy legislation. When you want to destroy data, you need to go beyond simply dragging a folder on your desktop to the trash can.
There are three sure-fire ways to make sure data can never be pulled off a decommissioned hard drive or backup tape, according to the National Institute of Standards and Technology (NIST). In a chapter on security considerations in The NIST Handbook, NIST says, “three techniques are commonly used for media sanitization: overwriting, degaussing, and destruction.” These techniques can be used just as easily by small businesses as large companies.
1. Overwrite your hard drives. Overwriting your drives is more than simply selecting a file and deleting it. You need to overwrite each area of the disk several times; NIST recommends overwriting the hard drive three times. Several programs are available to help you overwrite your hard drives, including two freeware utilities, Secure Erase and Eraser. Overwriting your hard drives lets you reuse them but is less secure than degaussing your storage media.
2. Degauss your hard drives and backup tapes. To degauss is to demagnetize, so as a data destruction method, degaussing magnetically erases data from your magnetic storage media, like hard drives and backup tapes. This method generally makes the media unusable after it destroys the data, which is fine when the media has reached the end of its useful life. If you choose this method of data destruction, you can hire a service for either on-site or off-site degaussing. Look for a provider that complies with standards set by both NIST and the National Industrial Security Program (NISP) as well as any federal legislation that applies to your company, such as the Sarbanes-Oxley Act or the Health Insurance Portability and Accountability Act (HIPAA).
3. Destroy your hard drive and backup tapes. The most secure way to destroy data—and the storage medium it’s on—is by shredding it, just like your paper documents. The large, industrial shredding machines grind up the storage media into unrecognizable bits of scrap metal. You can hire a shredding service to come to your office and shred your hard drives and tapes on site, under your supervision, so you can be assured that no one accessed any of the data before it was shredded. If possible, find a service that recycles the scrap metal. As with a degaussing service, a shredding service should be compliant with all federal security standards.
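As an added example (not from the original article or from NIST), the Python below carries out the three-pass overwrite described in step 1 against a file or raw device path and reads the last pass back to confirm it. The function names and the pass patterns (zeros, ones, random) are assumptions chosen for illustration.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 1024 * 1024  # process the target in 1 MiB blocks


def pattern_block(pass_no, n):
    """Assumed pass patterns: zeros, then ones, then random bytes."""
    kind = pass_no % 3
    if kind == 0:
        return bytes(n)
    if kind == 1:
        return b"\xff" * n
    return secrets.token_bytes(n)


def overwrite_target(path, passes=3):
    """Overwrite every byte of path `passes` times.

    Returns True when the final pass reads back exactly as written."""
    if passes < 1:
        raise ValueError("at least one pass is required")
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)  # works for files and block devices
        for p in range(passes):
            written = hashlib.sha256()  # digest of the data written in this pass
            f.seek(0)
            remaining = size
            while remaining > 0:
                block = pattern_block(p, min(CHUNK, remaining))
                f.write(block)
                written.update(block)
                remaining -= len(block)
            f.flush()
            os.fsync(f.fileno())  # push this pass out of OS buffers
        # Verification: hash what is now stored and compare with the last pass.
        stored = hashlib.sha256()
        f.seek(0)
        while chunk := f.read(CHUNK):
            stored.update(chunk)
    return stored.digest() == written.digest()


if __name__ == "__main__":
    # Constructed sample: a small file standing in for a decommissioned drive.
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"CONSTRUCTED-CUSTOMER-RECORD;" * 4096)
    print("verified:", overwrite_target(img.name))
    os.remove(img.name)
```

Pointing it at a whole device rather than a single file matches the drive sanitization the article describes, since file systems and flash storage can keep copies of a file's blocks elsewhere.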
A few data destruction don’ts
It must be said: Don’t rely on the delete function to erase your data. Deleted data can still be retrieved from hard drives and tapes, which can be a huge security risk if you just toss that media into the nearest waste bin. In addition, you can’t trust the format function to fully erase your data. Just as there is software that can restore deleted files, there is software that can retrieve old data on re-formatted disks. Even taking a hammer to an old hard drive might not completely destroy it—unless you smash it into an unrecognizable mash of metal and plastic.
How are you destroying your company’s data?