Weapons of mass data destruction

Features
By Davey Winder
published

What's the best way of securely disposing of your enterprise's sensitive data? Davey Winder investigates...

Indeed, a recent study by the company looking at the methods used by companies to erase data showed that 60 per cent of computers discarded by businesses still contain data when moved onto the second hand market for sale.

This comes as no real surprise, not least because small companies don't have the luxury of a dedicated IT department or the budget to outsource data disposal requirements meaning most will take a DIY approach to this issue.

This is not necessarily a bad thing, and there is no reason why data disposal cannot be carried out securely in-house. However, all too often there won't be any mention of data disposal methodology and process in the IT security policy document. Heck, there may not even be an IT security policy document.

As such there is unlikely to be any procedure in place for the proper logging of hardware or the certification of secure disposal, for example. If that weren't bad enough, with costs always at the forefront of the minds of small business owners, the chances are a resident 'IT expert' will be tasked with using a freeware data erasing utility.

There is nothing inherently wrong with such software, assuming you have researched the market and chosen wisely, but the application of such a utility requires a lot of knowledge to be successful.

Freeware isn't always the cheapest option when you start taking into account the requirement to research, understand and document what you are doing.

An understanding of the technology and the hardware is required. If you have drives that allow data to be stored in Host Protected Areas or Device Configuration Overlays, for example, which have been around since the introduction of the ATA-6 standard, then your erasure software may not spot these hidden partitions contain data.

When it comes down to cost, freeware isn't always the cheapest option when you start taking into account the requirement to research, understand and document what you are doing. This is especially true as you move further up the SMB scale. For example, the more equipment you have, the less money will be saved by tackling data disposal in-house.

IT Pro isn't aware of any freeware that can support multiple devices on a LAN or in an array that comes suitably certified and documented. If you do, feel free to let us know.

The ability to produce 'erasure verification reports' shouldn't be overlooked, especially if there is a chance your enterprise may require a legal compliance audit or the kind of data you process could lead to a lawsuit if it were found to have leaked out of the company.

Davey Winder
Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.