IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Weapons of mass data destruction

What's the best way of securely disposing of your enterprise's sensitive data? Davey Winder investigates...

Whether you opt for in-house or outsourced disposal, you should by now have realised it really is imperative procedures for the secure disposal of data, including the hardware upon which that data may reside, are included as part of your enterprise information security policy.

 This cannot be overstated, and that policy should form the base for all data erasure and hardware disposal procedures. It is also essential, as nicely highlighted by the NHS Surrey case we previously mentioned, that data erasure and hardware destruction are not treated in isolation.

If the company doing the disposal had followed a documented process of logging actions as they were performed,  and had first erased the data and then destroyed the hardware, that Trust would have been 200,000 better off.

 While it is a given that implementing a method of secure data erasure and physical destruction of the drive in combination is going to provide the most reliable method of permanently disposing of data, we cannot state categorically that this is the most sensible option for everyone.

Common sense must prevail.  While all data may be equal when it comes down to bits and bytes, when it comes to data value, then some is more equal than others. It is essential, therefore, that any data disposal policy includes a method of classifying data and categorising it in terms of confidentiality and value.

Government bodies use a system of Impact Levels that classify data as being from IL1 through to IL5, and the disposal methodology varies according to the classification it bears. This may sound a little secret squirrel for your average company, but the principle is perfectly logical.

There is no point hiring a van with an industrial shredder on the back (yes, they do exist) that will all but disintegrate any drives thrown through it if the data involved could be safely degaussed or overwritten to prevent it being read when the drive is reused.

The cost efficiency side of data destruction shouldn't be overlooked either. If your data can safely be erased without a regulatory requirement for the drive it was sitting on to be vaporised, then it makes sense not to destroy it.

After all, a computer with a functioning hard drive has a greater resale value on the second hand market if you take that route with old equipment, and a functioning drive can often be repurposed within the business as well.

Finally, ensure your data disposal policy is kept up to date and covers all bases. By that we mean an end-of-life policy must consider all methods of data storage from desktop and LAN drives through removable media, mobile devices and the cloud. The latter will, of course, open up a whole new can of regulatory and practical worms, but that's an IT Pro story for another day.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
IT admin deletes company’s databases and is jailed for seven years
Policy & legislation

IT admin deletes company’s databases and is jailed for seven years

16 May 2022