Beyond Recycle Bins: Safeguarding Information with Secure Data Disposal

Santosh Kamane
, Co-Founder and CEO
, CyberFIT Solutions

Data is the oxygen for digital world.

Technology has evolved immensely in last 20 odd years. From large mainframes to desktop computers, laptops to smartphones, data centres to cloud, tablets to smart watches, google search to ChatGPT , we have really come a long way. These technological advances are now difficult to catch up with due to its rapid evolution.

However one thing that has remained backbone of entire digital world is “Data”. Would the technology still be effective if there was no data? Without data, these technologies would not address any business problems. The definition of data per Wikipedia is “In the pursuit of knowledge, data is a collection of discrete values that convey information, describing quantity, quality, fact, statistics, other basic units of meaning, or simply sequences of symbols that may be further interpreted” . Further, when you have a meaningful or valuable data, it can be labelled as “Information”. This clears the reason why information (or data) security is so important today. Your personally identifiable information, piece of source code, design documents, trade secrets are valuable and can have a impact if stolen or lost. The impact could be a financial impact, reputational impact, or even a legal or regulatory impact.

 

Data Lifecycle

Like every process, data has its own lifecycle. Data is created, acquired, collected in many ways by organizations. Without data, no business process would take place. If we do not protect this data at each lifecycle, it may lead to severe risks. The illustration below covers the various data lifecycle stages. This broadly applies to all organizations across all sectors.

For example:

Data Collection — The more and unnecessary data you bring in, you carry more risks. Today most privacy regulations mandate minimum, necessary data collection for data processing.

Data Sharing — If you share your sensitive data without appropriate controls such as encryption, authentication etc., can you really assure its integrity and confidentiality?

Data disposal — Of all the data lifecycle stages, data disposal is the one where organizations tend to either adopt poor or weak practices. Lets cover this a little more.

No Data Disposal — Risks? Too many !!

When you delete or format your data, it hides it from operating system’s view. Though it gives the perception that data is deleted, it still can be recovered. Today there are advanced data recovery tools which accomplish this purpose. The key risks due to inadequate data disposal are:

  1. Your data is exposed to malicious actors or cybercriminals. Your data could be PII, customer files, IP , trade secrets and so on
  2. Non compliance to information security standards
  3. Non adhering to privacy regulations requirements – Right to erasure
  4. Regulatory penalties
  5. Last but not the least, and most importantly, reputational risk. Can you afford to lose consumer trust built over years due to a security incident that could have been easily prevented at extremely low cost? An example is Morgan Stanley.  Read Morgan Stanley fined $35M for disposing data without wiping

 

Data Disposal — How is it managed today?

For confidential paper information, today we use a shredder as and when needed. It shreds paper into smaller pieces so the information can’t be reconstructed again. This not only protects information from leakage, but assures you piece of mind.

Does the same risk apply to digital or electronic data? Yes!

Today most of the organizations are not following secure data disposal practices. So what is the risk here ? Lets understand.

Delete or Format — If delete or format is your primary and only disposal method, your data can be accessed, stolen, misused by cybercriminals. This data could be your customer files, intellectual property, design documents, trade secrets and so on.

Physically Destroying or degaussing hard-drives — Physical destruction may be a better control but can it be your primary means of data destruction? Its been a traditional idea to destroy the physical asset that holds the information, so you leave no scope for recovery. However, there are multiple challenges here:

Third party engagement — Cybersecurity is heading towards zero trust philosophy today. Can you handover your hard-drives with sensitive data to third parties (without due diligence) to either degauss or destroy ? Morgan Stanley was asked to pay 35M as a fine due to data leakage. Like mentioned earlier in the article, the risk is too high when data is stolen or leaked/breached.

E-waste — When you physically destroy your assets, aren’t you essentially contributing to e-waste? Can these assets not be repurposed if data wipeout is assured?

Destruction before End Of Life — The hardware assets have a price tag and life. If you destroy hard-drive after use of 6 months as it holds sensitive data, can you convince your CFO on the ROI?

 

Data Disposal — How can it be handled?

The following illustration describes a best practice for safe and scure disposal of information.

  1. As an organization, know how your data tranverses through its lifecycle in the organization. Based on the risk profile and regulatory requirements, build your data retention as well as data disposal policy.
  2. Use a software secure wiping tool for secure data disposal. Select a tool which is enterprise grade with built in policy compliance, and the ability to securely erase files, folders, and drives.  Some tools include a scheduler to automatically wipe your drives.  Most importantly select a tool which provides a certificate of data destruction, in NIST format, that you can use as an artefact during audits.
  3. Frequently wiped data that’s no longer necessary is on unsecured devices. Data such as customer KYC forms, PII data, data received through emails, source code, and internal document should not be on your laptops or end user devices. Enforce a policy to erase them.
  4. Before handing over any asset to contractors or third parties, make sure its securely wiped clean.
  5. As a secondary supporting control, if policy permits, devices can be physically destroyed.
  6. Periodically review your data retention policy and make sure you comply with requirements in regards to securely wiping data to support “right to erasure” demands of consumers.

 

Final thoughts

In a nutshell, today, data is scattered everywhere in the organization. It needs to be protected during all stages and controls can’t be relaxed ,especially during data disposal stage. Be the organization that provides assurance to customers that data is safe until its disposal. Dont just delete it, wipe it out.

Latest posts

Related posts

Discover more information