This blog was written by an independent guest blogger.
As Morgan Stanley Bank now knows, ignoring certified data destruction policies can be disastrous. The bank made news in 2020 when it was fined over $60 million for not using proper oversight when decommissioning two of its data centers. Regulators found that the organization had not addressed the risks associated with decommissioning hardware effectively.
An ever-increasing number of IoT and Business Connect devices allows for numerous entry points for hackers electronically, but companies should also take care that they decommission their hardware. Unfortunately, studies show that many companies lack the necessary precautions for data destruction.
What is data destruction?
Data destruction is a process that involves destroying information and records such as paper documents and digital information stored on hard drives, SSDs, optical disks, memory chips, and the like. The goal of digital data destruction is to eliminate any information that was previously held on the server or hardware so that it can’t ever be recovered by a third party or someone from within the organization.
The increased cybersecurity events of 2020 and 2021 have highlighted the need for proper data destruction protocols across industries. Additionally, emphasizing the circular economy, sustainability, and eco-friendly practices means that more refurbished devices will be recycled and resold to new owners. If data is not completely destroyed, then that information is at risk.
What happened at Morgan Stanley?
A lack of secure data destruction protocols can have profound implications.
In 2016, Morgan Stanley hired a vendor to wipe all data from the servers. But they didn’t monitor their vendor or keep adequate documentation. As a result, the vendor failed to completely erase all the data from the hardware before selling it to recyclers.
In 2019, a few of Morgan Stanley’s decommissioned servers went missing, and the disks were left with unencrypted customer data. This incident was attributed to a software flaw but still reflects a lack of oversight over one of the most critical business data practices.
These data flubs could have had a significant impact on the online privacy of their clients, but the bank maintains that none of their customers’ data was breached in either instance. Still, the data left on these devices could have easily been accessed by anyone in possession of the servers and other hardware.
A person with sensitive customer information such as account and social security numbers, birthdates, contact information, and other crucial data could wreak havoc on customers and the organization as a whole.
Benefits of secure data destruction
Improper data destruction protocols can leave customer and business data wide open to be stolen and used for malicious intentions.
Businesses of all sizes need to ensure that their financial statements and documents such as profit and loss statement templates, invoices, third-party data, and everything in between are all safely secured using the correct data destruction activities.
Here are just a few of the benefits of secure and certified data destruction policies and practices:
- Complete removal of data — certified data destruction helps remove data from hardware without leaving a single trace of its existence. A simple delete is not enough to completely remove data from a device. Data destruction protects the data and the device owner.
- DARP — Even encryption and firewall security are not enough to ensure that your data at rest is protected. Data at Rest Protection (DARP) through data destruction is the most secure way to ensure data that is no longer in use and isn’t serving any real purpose.
- Prevent cybersecurity incidents — Devices, both business and personal, no longer needed have to be permanently wiped with a certified data destruction tool that meets data erasure standards. Without it, they could be vulnerable to a breach resulting in financial and reputational losses, including fines and penalties.
- Meet compliance and regulation guidelines — Data protection laws worldwide such as GDPR, SOX, and HIPAA state clear rules for consumers’ right to erasure and to be forgotten. Data destruction policies ensure that these guidelines are met.
- Sustainable hardware refurbishing — Reducing e-waste has become a top priority as the circular economy comes into focus. Old devices like smartphones and laptops are not the only ones businesses can recycle. A new emphasis on recycling servers and other hardware means an increased need for complete data destruction.
Methods for data destruction
Organizations use many methods to destroy data at rest permanently. Media wiping tools are essential for companies that use refurbished IT assets or recycle their hardware. These electronic devices must all be adequately wiped before safely passing on to their next owner:
- Digital cameras
- Media players
- Hard drives
- Gaming consoles
- External hardware
- Peripheral devices
Secure and dispose of electronic devices, servers, and hardware by using these data destruction methods:
Delete or reformat
The two most common ways to attempt to rid a device of its data are by deleting or reformatting files.
Deleting a file from a device will remove it, but it doesn’t destroy the data. The information within the deleted file will remain on the device’s hard drive or memory trip.
Reformatting the disc also produces similar results. Reformatting will not wipe the data from the device, and it just replaces an existing file system with a brand new one.
Using these methods to destroy data is ineffective and does not represent proper data destruction, but it is worth mentioning since it is often used as the first response.
Data wiping involves overwriting data on a device so that no one can read it. It is usually accomplished by connecting the affected media to a wiping device, but it can also be done internally.
However, data wiping is time-consuming, especially for a business with lots of information across numerous devices. It’s a more practical approach for individuals.
Overwriting data and wiping data are very similar approaches to data destruction. Overwriting data refers to writing a pattern of ones and zeroes over the current data to hide it and prevent it from being read.
However, if the data in question is a high-security risk, it may be worth taking a few extra passes at overwriting it. It ensures that the data is completely destroyed and not a single bit of shadow or remnant of pre-existing information can be detected.
Overwriting data is by far the most common data destruction method used by organizations, but it is also very time-consuming. Additionally, you can only overwrite data on an undamaged device that still allows data to be written into it.
Another term for overwriting, complete erasure destroys all data stored on a hard drive and delivers a certificate of destruction. This certificate proves that data has been successfully erased from an electronic device.
Erasure is a suitable method for businesses that purchase equipment such as desktops, enterprise data centers, and laptops off-lease.
Degaussing uses a high-powered magnet to destroy data. It is a quick and effective method to destroy sensitive data, but it has some disadvantages.
Once a device has been degaussed, its hard drive is no longer operable. Besides that, there is no way to know whether all the data has been destroyed without an electron microscope.
It turns out that taking a hammer to a hard drive is a very effective data destruction method for businesses of all sizes. However, not all companies can afford to spend money on replacing hard drives that have been pummeled in the name of data privacy, so this is not always an ideal solution.
Another method similar to physical destruction, shredding is the most secure and cost-effective data destruction strategy. Shredding involves reducing electronic devices to tiny pieces, no larger than a couple of millimeters.
This method is ideal for high-security environments and is most commonly used when an organization has a stockpile of old media to destroy.
Many businesses will outsource their data destruction needs to a dedicated data destruction company. But beware, just like in Morgan Stanley’s case, you could still be held responsible for any data that remains.
You may think that your organization isn’t susceptible to a major data breach from decommissioned data centers and other equipment. However, small businesses are the number one target for cybersecurity breaches.
That’s why businesses of all sizes must take the correct steps to destroy data and ensure their customers’ information stays secure.