You arrive at work and get an immediate call to see the CEO. Upon entering the office, you notice that the CIO and other executives are in the room, as well as several people in suits you don't recognize. Everyone is looking stressed, brows furrowed and heads bent.
Those new people in suits are lawyers planning the company's defense to the major data breach that was just detected. The malicious activity occurred last month and the hacker supposedly used your information.
After frantic moments of head scratching, you remember: You sold your smartphone last month. While it was a personal device, you used it to check office email and it had stored access to the company network password.
While data madness often happens when vital data goes missing, it can also occur when data isn't properly disposed of. Too often, organizations fail to stress the importance of information security at every phase of the hardware's life cycle. Before a machine can be decommissioned, data must first be thoroughly purged and, in some cases, destroyed.
Sanitizing data vs. deleting data
In some companies, the temptation is to delete data by moving it to the recycling bin and pressing "empty." However, this is not enough. According to Secure Data Recovery, data emptied from the recycling bin is not permanently deleted – at least not right away. The computer simply deletes the pathing and labels the information as "free space," meaning that it can be overwritten by new data.
For all intents and purposes, data deleted from the recycling bin is gone, at least as far as the layperson is concerned. Those with computer programming and specialized skills or software, however, can recover the information and restore it. If you've ever done a search for "data recovery" – you will see that these skills are not in short supply.
Yet companies make this mistake all the time. A survey conducted by Blancco found that almost half of all hard drives carried at least some residual data. The same was true for over a third of smartphones. Files such as emails, photos and sensitive company documents were recovered from these devices. To securely delete files requires a more thorough process.
The University of California, Riverside defines data sanitization as "the process of deliberately, permanently, and irreversibly removing or destroying the data stored on a memory device." Sanitized data drives typically carry no residual data, even with the aid of recovery tools. However, this solution often times requires additional software that will erase and rewrite information multiple times.
Companies have a wide variety of options to choose from when it comes to securing data sanitization software. Microsoft even provides an in-house solution in the form of its tool, data eraser – which has been optimized for PCs and tablets. It's important to remember that different types of data drives will only be compatible with certain software.
Given the sensitive nature of the material in question, companies should only choose data sanitization software from trust organizations.
When physical destruction may be needed
However, for some kinds of data, sanitization may not be enough. This can be regulated by internal business policy (such as placing employee payroll information as the most sensitive data) or by government laws like HIPAA – which mandate time-effective data destruction.
In this case, the storage device matters more. Hard disk drives, commonly found in computers and servers, are the easiest to destroy as they operate on magnetic fields. A hard drive degausser can permanently alter these fields, leaving the device completely unreadable.
Solid state drives and flash media are more difficult. Their data storage is circuit-based, rendering a degausser ineffective. These drives should be shredded or destroyed by quality equipment expressly designed for the task. Hard drive data can be recovered after improper destruction, even in extreme cases. ComputerWorld reported that data was restored from the wreckage of the Columbia space shuttle tragedy, illustrating the hardiness of certain drives and the effectiveness of professional data recovery tools.
Safely disposing of data is no easy task and innovations like the internet of things have made it more difficult. Cybercriminals may be developing more sophisticated ransomware but they are also still routinely diving in dumpsters and scoping out secondhand stores for improperly deleted data. Make sure your company is taking the necessary steps to avoid data madness.