The Role of Data Destruction in Cybersecurity

What happens to information when it’s no longer necessary? When electronics and storage systems reach their end-of-life stage, businesses must get rid of them. While they could simply delete a device’s contents and toss it, that opens them up to cyber threats. Is data destruction more secure?

What Is Data Destruction?

Data destruction is a process that makes content stored in files, physical drives, or virtual systems unreadable and unrecoverable. The goal is to make the storage system irreparable or the information indecipherable, so it’s irretrievable. This way, bad actors can’t view, tamper with, steal or sell it.

Companies often utilize this destructive method when they no longer need a storage device or its contents. According to the Cybersecurity and Infrastructure Security Agency, entities that consider themselves at an elevated risk of being targeted by threat actors should not sell or recycle their electronic devices.

While deletion may seem the better option since it’s faster and more cost-effective, it is under no circumstances enough because it isn’t secure. While deleting information removes it from the file system, it still exists on the storage device. In other words, bad actors with intermediate skills can quickly recover it. Destruction is the only way to ensure it becomes unrecoverable.

Common Data Destruction Techniques

There are three main data destruction techniques.

Physical

Physical destruction involves incinerating, pulverizing, crushing, shredding, disintegrating, or melting to ensure no one can read or recover their data. Brands can physically destroy hard drives or paper documents this way. It is one of the most common destruction methods because it is highly effective and works regardless of the storage medium.

Overwriting

Overwriting — also known as data erasure — uses software to replace content with zeroes and ones, turning it into an illegible mess. Unlike encryption, it is randomized and can’t be undone with a stolen key. Since it works on the byte level, it is highly effective.

Degaussing

Degaussing eliminates a device’s magnetic field, wiping the data it contains without physically damaging it. It works on storage systems like hard disk drives (HDDs) that use magnetism to store information. This process makes the information completely unrecoverable, leaving no residuals. It can destroy a hard drive’s information within a few minutes at most.

Why Deletion Isn’t Enough

Data becomes valueless when time, customer relationship changes, or market fluctuations make it irrelevant. If a business continues storing sensitive or personally identifiable information (PII) when it doesn’t need to, it wastes storage space and elevates its breach risk. However, deletion alone leaves traces of the original details behind, which hackers can recover.

Simply tossing an electronic device or storage system after deleting the sensitive knowledge on it is dangerous, as there’s no way to ensure it ends up recycled or irreparable. Research suggests the United States exports up to 40% of its electronic waste for recycling or disassembly, meaning it often ends up in landfills where a market for secondhand electronics exists. There, it gets retrieved and resold.

If the person purchasing the device knows how to restore data or has recovery software that does it for them, they can easily view, share or sell what they find. While little research on this subject exists, anecdotal evidence suggests bad actors linger around dump sites and secondhand markets because they know their chance of finding retrievable content is high.

PricewaterhouseCoopers — a multinational professional services enterprise — experimented to determine the extent and severity of e-waste as a data security threat. In March 2023, it bought a mobile phone and a tablet from the Australian Capital Territory for under $50. Using only basic recovery and analysis techniques, they retrieved 65 pieces of PII on the first device and could access up to 20 million sensitive records on the second.

Data Destruction’s Role in Cybersecurity

Data destruction’s role in cybersecurity relates to privacy and security. Since a threat actor’s main priority is often information theft — it’s what the dark web trades in — destroying data storage systems instead of throwing them out or leaving them to collect dust is crucial. This way, companies can prevent cyber threats.

Depending on what a device was used for, hackers may gain access to credit card numbers, login information, home addresses, customer analytics, or sensitive documents upon recovery. The fact that they could use these details to launch a cyberattack, breach a network, or steal someone’s identity makes data destruction an integral part of a modern cybersecurity strategy.

Moreover, many leading cybersecurity regulators and agencies consider data destruction fundamental for end-of-life devices. For instance, according to NIST SP 800-88 — guidelines from the National Institute of Standards and Technology — media destroyed with a shredder or disintegrator must be reduced to 1 millimeter x 5 millimeter particles.

How to Incorporate Data Destruction

As digitalization makes generating and collecting information easier, the amount of data stored in storage systems will increase drastically, meaning the number of end-of-life devices will increase. The U.S. alone will generate an estimated 50 million units of these yearly by 2025, highlighting a need for destruction method feasibility regardless of firm size.

Storage medium type is another factor decision-makers must consider when incorporating data destruction into their cybersecurity strategy since some methods only work on specific devices. For example, solid-state drives (SSDs) are immune to degaussing because they store information with integrated circuits instead of magnetically.

Moreover, many firms use outdated technologies to destroy modern storage devices. For instance, many use older shredders designed exclusively for HDDs. These machines can’t effectively destroy SSDs because they are not built for high-density flash storage. In other words, their shred size is far too large, so bad actors can recover data from them.

The last major consideration involves third-party or on-premise destruction. Business leaders must decide whether they can handle the other process factors themselves. If not, they must outsource to a trusted vendor. Proper vetting is essential in these cases to ensure they’re not handing over sensitive information to an irreputable servicer.

Destruction Is the Secure Option

Every company should incorporate a data destruction process into its current cybersecurity strategy to ensure its information doesn’t fall into the wrong hands. While throwing away or recycling electronic devices are faster, they aren’t nearly as secure.