3 Ways to Securely Destroy Data and their Associated Pains
Written by Simon Kang and Daniel Chung
Before disposing or reusing old company computers, it is imperative that data be securely destroyed in order to prevent leakage of corporate information. It is common knowledge that the computer’s deletion function as well as formatting does not completely wipe data. Most companies utilize one of these three methods for securely destroying data: Overwriting, degaussing, and physical destruction.
Disk overwriting is a data destruction method that uses software to overwrite data a certain amount of times using a specific number (such as “0”) or a series of randomly generated characters. Many of these solutions utilizes global standard algorithms such as DoD 5220.22-M or Guttman which can overwrite the area multiple times.
This solution are generally difficult for the average user because it often requires some sort of setup at the system level usually via a BiOS setup and an additional booting device (usually a USB or CD). Disk overwriting is seen as a secure, eco-friendly, and cost effective way to wipe data since drives can be reused in a safe manner. There is no need to remove disks from their machines but disk overwriting usually takes hours to complete. Also, the only visual confirmation of deletion is the log or report that is generated after the wiping has complete.
The solutions vary from freeware all the way up to enterprise-class solutions and the recommended solution and algorithm may differ according to how important or confidential the stored data may be.
Deguassing is the process of decreasing or eliminating the magnetic field on storage media. This process is incredibly fast as it takes less than a minute per hard drive. Generally, the disks have to be removed from the machine and hand fed into the degausser and the disks cannot be reused afterwards.
Degaussers can be fairly expensive with prices ranging from 10,000 USD to almost 100,000 USD. It is important to make sure that the degausser is always functioning properly or it could potential pose a security risk because feedback from the machine is the only way to discern whether to the process has been completed since there is not physical change on the disk.
Physically destroying the hard drives by using a hammer, a punching machine, or an industrial shredder is probably the most secure and sure-fire way of destroying data. The destruction process can be seen firsthand unlike in the degausser and disk overwriting methods.
Drives must be physically removed from the machine and cannot be reused afterwards. A dedicated and possibly separated space may be required since some of the machines can be fairly large and disruptive to an office environment.
Many companies actually outsource the secure data destruction process to third-party companies because of the associated manual labor and since it is likely not a part of their core business. Companies would rather not want to spend time, human capital, and physical space requirements to perform the data deletion if possible.
Meanwhile, companies that opt to use a third-party service can often be left feeling anxious or concerned that disks may be missed during transport or during the destruction process. In order to relieve some of the anxiety, some data destruction services will provide pictures or videos of the process and other may even provide destruction services onsite and then ship the destroyed drives out from the office for disposal.
It seems that companies tend to prefer degaussing or physical destruction in comparison to disk overwriting, despite overwriting being acceptable in most cases. This trend is most likely attributed to the definitiveness and speed of destruction. But, generally, drives can be left vulnerable during transport and it is safest to perform the data destruction without ever having to move a machine if possible.
Recently, some companies have adopted a hybrid data destruction method where they combine overwriting and physical destruction. Drives would be overwritten without having to remove or move them, and detailed logs and reports can be generated. Then, the drives could either be reused or sent to an outsourced data destruction service for safe disposal. Companies can actually reduce the associated risks of using a third-party data destruction service, effectively destroy data while still being able to possibly reuse or recycle old drives and computers. The “hybrid method” is probably the most secure and eco-friendly of them all.