What happens to information when it’s no longer necessary? When electronics and storage systems reach their end-of-life stage, businesses must get rid of them. While they could simply delete a device’s contents and toss it, that opens them up to cyber threats. Is data destruction more secure?
Data destruction is a process that makes content stored in files, physical drives, or virtual systems unreadable and unrecoverable. The goal is to make the storage system irreparable or the information indecipherable, so it’s irretrievable. This way, bad actors can’t view, tamper with, steal or sell it.
Companies often utilize this destructive method when they no longer need a storage device or its contents. According to the Cybersecurity and Infrastructure Security Agency, entities that consider themselves at an elevated risk of being targeted by threat actors
While deletion may seem the better option since it’s faster and more cost-effective,
There are three main data destruction techniques.
Physical destruction involves incinerating, pulverizing, crushing, shredding, disintegrating, or melting to ensure no one can read or recover their data. Brands can physically destroy hard drives or paper documents this way. It is
Overwriting — also known as data erasure — uses software to replace content with zeroes and ones, turning it into an illegible mess. Unlike encryption, it is randomized and can’t be undone with a stolen key. Since it works on the byte level, it is highly effective.
Degaussing eliminates a device’s magnetic field, wiping the data it contains without physically damaging it. It works on storage systems like hard disk drives (HDDs) that use magnetism to store information. This process makes the information completely unrecoverable, leaving no residuals. It can destroy a hard drive’s information
Data becomes valueless when time, customer relationship changes, or market fluctuations make it irrelevant. If a business continues storing sensitive or personally identifiable information (PII) when it doesn’t need to, it wastes storage space and elevates its breach risk. However, deletion alone leaves traces of the original details behind, which hackers can recover.
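The difference between deletion and overwriting described above, as an added example that is not part of the original article. It uses a simplified model in which "deleting" clears only an index entry, the way a filesystem drops its reference to a file. The image layout (512-byte index, content at offset 4096), the function names and the sample record are constructed for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024
DATA_OFFSET = 4096  # toy layout (assumption): 512-byte index at 0, content at 4096

def toy_delete(path):
    """Model of ordinary deletion: clear the index entry, leave the content alone."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * 512)

def overwrite_and_verify(path):
    """Replace every byte with random data, flush it, then read back and compare."""
    size = os.path.getsize(path)
    written, readback = hashlib.sha256(), hashlib.sha256()
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            block = os.urandom(min(CHUNK, remaining))
            f.write(block)
            written.update(block)
            remaining -= len(block)
        f.flush()
        os.fsync(f.fileno())  # push the new bytes out of the OS cache
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            readback.update(block)
    if written.digest() != readback.digest():
        raise OSError("read-back does not match what was written")
    return size

def still_present(path, needle):
    with open(path, "rb") as f:
        return needle in f.read()

def demo():
    record = b"NAME=Constructed Sample;CARD=0000-0000-0000-0000"  # constructed, not real
    fd, img = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"customers.csv".ljust(DATA_OFFSET, b"\x00"))  # index entry + padding
            f.write(record.ljust(1024 * 1024 - DATA_OFFSET, b"\x00"))
        toy_delete(img)
        after_delete = still_present(img, record)     # content survives deletion
        overwrite_and_verify(img)
        after_overwrite = still_present(img, record)  # content replaced by random bytes
        return after_delete, after_overwrite
    finally:
        os.remove(img)
```

On SSDs and copy-on-write filesystems, an in-place overwrite issued through the filesystem is not guaranteed to reach the physical cells that held the old data, because of wear leveling and spare blocks. The read-back check confirms only what the device reports at those addresses.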
Simply tossing an electronic device or storage system after deleting the sensitive data on it is dangerous, as there’s no way to ensure it ends up recycled or irreparable. Research suggests the United States exports up to
If the person purchasing the device knows how to restore data or has recovery software that does it for them, they can easily view, share or sell what they find. While little research on this subject exists, anecdotal evidence suggests bad actors linger around dump sites and secondhand markets because they know their chance of finding retrievable content is high.
PricewaterhouseCoopers — a multinational professional services enterprise — ran an experiment to determine the extent and severity of e-waste as a data security threat. In March 2023, it bought a mobile phone and a tablet from the Australian Capital Territory for under $50. Using only basic recovery and analysis techniques, it
Data destruction’s role in cybersecurity relates to privacy and security. Since a threat actor’s main priority is often information theft — it’s what the dark web trades in — destroying data storage systems instead of throwing them out or leaving them to collect dust is crucial. This way, companies can prevent cyber threats.
Depending on what a device was used for, hackers may gain access to credit card numbers, login information, home addresses, customer analytics, or sensitive documents upon recovery. The fact that they could use these details to launch a cyberattack, breach a network, or steal someone’s identity makes data destruction an integral part of a modern cybersecurity strategy.
Moreover, many leading cybersecurity regulators and agencies consider data destruction fundamental for end-of-life devices. For instance, according to NIST SP 800-88 — guidelines from the National Institute of Standards and Technology — media destroyed with a shredder or disintegrator must be reduced
As digitalization makes generating and collecting information easier, the amount of data stored in storage systems will increase drastically, meaning the number of end-of-life devices will increase. The U.S. alone
Storage medium type is another factor decision-makers must consider when incorporating data destruction into their cybersecurity strategy since some methods only work on specific devices. For example, solid-state drives (SSDs) are immune to degaussing because they store information with integrated circuits instead of magnetically.
Moreover, many firms use outdated technologies to destroy modern storage devices. For instance,
The last major consideration is whether destruction happens on-premises or through a third party. Business leaders must decide whether they can handle the other process factors themselves. If not, they must outsource to a trusted vendor. Proper vetting is essential in these cases to ensure they’re not handing over sensitive information to a disreputable vendor.
Every company should incorporate a data destruction process into its current cybersecurity strategy to ensure its information doesn’t fall into the wrong hands. While throwing away or recycling electronic devices is faster, it isn’t nearly as secure.