Hard Drive Shredding is NOT Enough

With 1.5 million workers now working from home, data security risks have risen exponentially. Too often, hard drives and devices are left to pile up in the back of a non-secure, almost forgotten closet after remote worker equipment is returned for a replacement or upgrade. In addition, security teams, commonly operating with skeleton crews, are wondering how to properly dispose of all that decommissioned equipment filled with confidential, proprietary and even top-secret data.

First and foremost: Know your industry data regulations and which apply to your organization. Numerous regulatory entities create laws and regulations addressing data breaches. Here is a link to the most common regulations: https://garnerproducts.com/compliance-regulations/overview.

All of these regulations have a common thread: to protect the privacy and sanctity of consumer information in all forms. While the method of data sanitization is not always clearly defined, best practices among the regulators indicate three steps: 

1. Completely erase the hard drive of all data

2. Physically destroy the hard drive

3. Maintain verified proof of data erasure and destruction

Complete Erasure.

As I noted in my previous articles on the inadequacy of overwriting, a National Association for Information Destruction (NAID) study released in March 2017 found that 40 percent of used electronic devices sold on the secondhand market contained personally identifiable data. 

Usernames, passwords, credit card data, tax details and contact information were found on used hard drives, mobile phones and tablets that were analyzed in the study. The recovery process used to identify data on more than 250 devices required no advanced forensic training.

To ensure this does not happen, the National Security Agency (NSA) requires complete data erasure with a process like degaussing as the only sure way to guarantee that all of your data has been erased. Degaussing doesn’t rely on the software or operator to decide what data is sensitive. Degaussing does not leave any data behind. Degaussing erases the entire hard drive, working or not, in less than one second by encompassing it with a strong magnetic pulse. Degaussing erases all data to the highest security level and only takes seconds to complete. The degaussing process can be laboratory tested and verified. Degaussing is an approved method of erasing TOP-SECRET data by the NSA.

Physical destruction

Although physical destruction of a hard drive is not necessary after it has been degaussed, hard drive erasure can be followed by a method of physical destruction to visually indicate the hard drive has gone through a complete data destruction process. This can be accomplished by using a crusher, bender or shredder.

Despite what you may have heard, shredding alone is not complete destruction. Shredding only physically alters the size of the hard drive. It is important to recognize that data can be, and is, recoverable from “shredded” disk fragments.

The NSA shred requirement is a 2mm² particle size, the thickness of a pencil lead. To meet that requirement, you need a shredder/crusher/disintegrator that can achieve a 2mm² particle size.

But even a 2mm² disk fragment still contains retrievable data, as you can see in the graphic below.  A 2mm² disk fragment is the paper equivalent of 32 pallets of paper, which is 12,795 reams of paper. Because of this, shredding alone is not complete data destruction.

Shredding isn’t easy or environmentally safe

Mechanically reducing a hard disk drive (HDD) to a 2mm² particle size requires a huge machine that is expensive, loud, takes a great deal of power and releases significant amounts of dust into the surrounding air. Not a solution that lends itself to a data center or office.

By contrast, degaussers are small (about the size of a CPU), lightweight (ranging from 35-105 lbs.) and can be carried or rolled into an office, data center or warehouse. A degausser plugs into a standard wall outlet and takes seconds to complete a cycle. Degaussing is also environmentally friendly; it does not physically alter the external appearance of the hard drive, allowing the degaussed hard drive to be recycled.

Verified Proof of Erasure and Destruction

Documented proof of destruction is a necessity in our litigious society. How do you prove that your data destruction process meets the standards and regulations of your industry? Garner is the only degausser manufacturer that offers an automated erasure and destruction verification system called IRONCLAD. IRONCLAD takes JPEG images of the media before and after it is degaussed; verifies the destruction process was successful; and generates a record of erasure and destruction for audit and archival purposes. The information is preserved in an exportable IRONCLAD Erasure and Destruction Certificate.

Summary

The bottom line: Shredding is not enough. Shredding is an analog solution to a digital problem. Shredding remains an industry-approved method for the destruction and disposal of paper, but in this digital world of hard drives and data storage, it is an insecure, inadequate and outdated method of data destruction.

Today, your company needs to securely dispose of magnetic storage media. Modern HDDs are written at 4 Tbits/sq inch — an unimaginable density. A 2mm² particle of such a drive contains 6,397,638 pages of data. Shredding alone will not protect your organization from data breaches. True data protection is a reality only when you degauss, destroy and verify.

Garner Products is a nationally recognized leading manufacturer of NSA/CSS EPL-Listed data destruction equipment. Garner offers a full line of degaussers and destroyers from office-quiet desktop units to equipment for top secret data elimination. Learn more about Garner Products at GarnerProducts.com