With increasing rates of cybercrime and large penalties for data breaches, the protection of sensitive data is a challenge for the majority of businesses. It can be difficult to comprehend the scale of the average company’s data footprint. Today, organisations must manage desktops and laptops, multi-disk servers, and tape backups as well as mobile devices, memory cards, virtual environments and cloud deployments. It’s more important than ever that organisations manage every detail of their data securely, and in compliance with regulations, not just in storage and transit but also at the end of its lifecycle.
When data erasure operations are not completed or are carried out improperly, sensitive and confidential files may be left behind on devices. Organisations are put at risk of a data breach or theft when intellectual property, private documents, email, financial and health records, and other critical information are not securely wiped from storage media. Having the correct processes in place will not only protect organisations from potential data breaches but will also ensure they’re adhering to international standards.
What is the secure sanitisation of data?
Decommissioning, disposing of or reusing your IT assets is currently one of the most vulnerable moments for your data. Most companies don’t take appropriate precautions when retiring each PC, mobile device, server or other electronic device. When legacy IT infrastructure is retired, all information on it (including personal data) remains completely visible and accessible to anyone who has access to that hardware unless it is sanitised or destroyed correctly.
Many people believe that native deletion options, such as using the ‘Delete’ command on a selection of files, choosing ‘Empty Trash’ or formatting the drive, are secure sanitisation solutions capable of eliminating all traces of deleted files quickly and permanently. Unfortunately, the fact that the content is no longer visible does not necessarily mean that it is no longer present on the storage media. Commands such as these only remove the operating system’s pointers to where your files are located.
Imagine you are browsing through a book. Removing the index does not delete the contents: if you search through the pages, you won’t have any trouble finding what you are looking for. Data sanitisation is different from the simple act of deleting file pointers, because it also removes the contents of the files themselves. In fact, none of the original information on your device is recoverable once it has been securely sanitised. Returning to the example of the book, it is as if removing the index also deleted every page of every chapter.
Overwriting is a technical measure for the secure sanitisation of data. It eliminates not only the pointers to the files but also the files themselves. Once securely sanitised, the data is no longer present on the media and cannot be retrieved, whether with specialised recovery software or by data recovery specialists.
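The pointer-versus-content distinction described above, as an added illustration that is not part of the original article: a toy disk model (all names and the sample payroll record are constructed) in which ‘delete’ drops only the index entry while ‘sanitise’ overwrites the occupied blocks, and a raw scan of the media, ignoring the index, stands in for ‘searching through the book’ to verify whether anything is left behind.

```python
from dataclasses import dataclass, field

BLOCK = 16  # bytes per block in this toy disk (constructed, not a real on-disk format)

@dataclass
class ToyDisk:
    """Raw storage plus an index (the OS 'pointers') mapping file names to block numbers."""
    data: bytearray
    index: dict = field(default_factory=dict)

    @classmethod
    def blank(cls, n_blocks: int) -> "ToyDisk":
        return cls(bytearray(n_blocks * BLOCK))

    def write(self, name: str, content: bytes) -> None:
        used = {b for blocks in self.index.values() for b in blocks}
        free = [b for b in range(len(self.data) // BLOCK) if b not in used]
        need = -(-len(content) // BLOCK)  # ceiling division: blocks required
        if need > len(free):
            raise OSError("disk full")
        for i, b in enumerate(free[:need]):
            chunk = content[i * BLOCK:(i + 1) * BLOCK]
            self.data[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.index[name] = free[:need]

    def delete(self, name: str) -> None:
        """What 'Delete' / 'Empty Trash' does: only the pointer goes; the bytes stay."""
        del self.index[name]

    def sanitise(self, name: str) -> None:
        """Overwrite every block the file occupied (slack space included), then drop the pointer."""
        for b in self.index[name]:
            self.data[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)  # single zero-fill pass
        del self.index[name]

def residue_present(disk: ToyDisk, marker: bytes) -> bool:
    """Verification step: scan the raw media, not the index, for a known sensitive string."""
    return marker in bytes(disk.data)

def demo() -> dict:
    secret = b"SALARY:ALICE:95000;SALARY:BOB:87000"  # constructed sample record
    deleted, wiped = ToyDisk.blank(8), ToyDisk.blank(8)
    deleted.write("payroll.txt", secret)
    wiped.write("payroll.txt", secret)
    deleted.delete("payroll.txt")    # pointer removed, content intact
    wiped.sanitise("payroll.txt")    # blocks overwritten, then pointer removed
    return {"after_delete": residue_present(deleted, b"SALARY:BOB"),
            "after_sanitise": residue_present(wiped, b"SALARY:BOB")}
```

On a real drive the same check is done by reading the raw device rather than the file system; a verified wipe is one where that scan finds nothing.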
The secure sanitisation of data is not a choice but a necessity
The sanitisation of data should be adopted as best practice for protecting the data held by the company, regardless of the type of business, rather than being perceived only as a legal requirement. Protecting the personal information of customers, suppliers and employees is ultimately a best-practice rule, as is protecting confidential business data such as intellectual property rights, development projects for new products and accounting information.
Many organisations have taken the protection of information and sensitive data seriously; according to MarketsandMarkets, the global cybersecurity market is booming. Cybersecurity-related spending is on track to surpass $133 billion in 2022, and the market has grown more than 30x in 13 years. However, all of this investment, and all the information stored within protected IT systems, becomes insecure if adequate security is ignored as soon as the hardware is discarded, leaving the existing data vulnerable. Protecting personal data and digital information need not be a burden on your existing IT procedures; rather, it is an investment in security for the benefit of the company and of those who interact with it.
Devices subject to sanitisation
Devices subject to data sanitisation requirements include computers, desktops, laptops and servers as well as external storage media. They may also include items like network switches, routers, cameras and other IoT devices. Any type of storage media containing personal data should be subject to safe sanitisation procedures, as should any device that contains information you want to keep private and confidential. Hard drives, SSDs, flash media of various types and formats, USB drives and magnetic tapes represent only a small sample of the media to consider. A relatively new category of storage, but an especially critical one, is mobile devices.
Smartphones and tablets now offer considerable storage space and are considered standard equipment for most employees. According to data obtained by Statcounter, mobile devices are now more popular than desktops globally. It is therefore imperative, when business mobile devices are withdrawn, to include them in the secure sanitisation process. It is important to note that smartphones and tablets contain the same kinds of information found on desktop and laptop computers (e.g. email and documents), and even more data if we consider SMS messages, phonebooks and call logs.
Don’t open yourself up to risk
The introduction of global data privacy laws has attempted to standardise and update the protection of personal data to face the new challenges of the digital era. It is therefore critical that organisations put secure erasure processes in place not only for end-of-life media that is due to be decommissioned or recycled, but also for through-life data during the regular lifecycle of devices.
For businesses, the easiest way to implement this is to set a budget aside at the time of purchasing any new hardware, and then utilise the service when the device needs to be disposed of or reused. Businesses may also decide to outsource this service to qualified third parties.
Overlooking end-of-life data and mismanaging data procedures, including the disposal of computers and IT assets containing personal data, can become a serious threat to the security of company information; it also exposes the company to potential penalties and breaches of privacy legislation, which can cause irreparable damage to the business’s image and reputation.
Philip Bridge, President, Ontrack