One of the biggest risks to businesses in terms of IT infrastructure is one that arises after hardware has left the organization, which leaves it unrecognised and often forgotten. This is the risk of data being left on data-bearing devices once they are no longer used by the business. Sensitive data, if it gets into the wrong hands, can lead to a leak of information, reputational damage to the business, and heavy financial penalties if legal requirements are breached.
There are many different types of data destruction, each suited to different devices and data types. At Procurri, we offer full-service ITAD (IT Asset Disposition), with data destruction services that guarantee that no data is retrievable from any device that we process.
Why Data Destruction Matters
When electronic devices are handed over to ITAD providers, they should have undergone a full data sanitization process, to ensure that any data remaining on the devices has been wholly erased and cannot be retrieved or accessed, whether by new users of the same equipment or by those using recycled materials from it. Decommissioned laptops, servers, and storage devices can still hold vast amounts of recoverable data, making end-of-life IT assets a persistent breach risk.
Some ITAD providers offer data destruction services for data-bearing devices, but in many cases, organisations simply delete files, complete a factory reset, or hand over their electronics without considering what they contain at all. None of these courses of action constitutes proper and thorough data destruction, and in many cases, sensitive information can be restored with the use of simple software tools. As such, every time a data-bearing device leaves an organization, it could be a target for a data leak.
Businesses hold a legal and regulatory responsibility to protect data they process – even if it is held on a device no longer being used by them. Frameworks such as GDPR, ISO/IEC standards, and increasingly rigorous customer audits demand provable, auditable data sanitisation practices. A failure to do so can result in heavy financial penalties. For example, in 2020, British Airways was fined £20 million under GDPR after a cyberattack exposed the personal and payment data of more than 400,000 customers. Regulators found inadequate security controls, demonstrating how failures in data protection can lead to severe financial and reputational damage.
It is imperative for businesses, their customers, suppliers and stakeholders that sight is not lost of data responsibilities even as hardware reaches the end of its practical or functional life within an organization. What’s more, whether they or an ITAD provider is completing the data destruction, they must ensure that the most appropriate method is used, based on risk, compliance, and operational reality.
What is the Definition of Data Destruction?
Data destruction, or data sanitization, refers to the process of permanently removing data from IT assets so it cannot be recovered for any use, whether with malicious intent, through misuse, or otherwise. It goes further than standard removal to ensure that information is rendered completely unreadable and irretrievable.
The method used may be logical or physical, and once completed, it undergoes a verification process to confirm that it has been carried out correctly and wholly.
Logical data destruction uses software to overwrite data, whereas physical destruction involves shredding, crushing, or degaussing storage media.
Types of Data Destruction: Data Wiping
Data wiping is a secure data sanitisation method used to permanently remove information from storage media by overwriting existing data with something else. This leaves the data entirely irretrievable, so sensitive information cannot be reconstructed using forensic tools. Most commonly, data wiping is used when organizations want to reuse, redeploy, or resell IT assets without risking data breaches.
Data Wiping: How it Works
Data wiping is software-based and works by overwriting the data stored on a device. The software identifies the data and writes new data over every accessible part of the drive. The overwriting can use either random patterns or predefined sequences, and sometimes several of them. Historically, data wiping layered patterns and sequences on top of each other to make data as difficult as possible to recover, particularly on HDDs (Hard Disk Drives). Today, with more modern storage devices, fewer passes are used, in conjunction with verification tools.
Data wiping is used on HDDs, solid-state drives (SSDs), and mobile devices, although SSDs and flash-based media require specialist tools due to wear-levelling and hidden memory areas.
Data Wiping: Accreditation
Many wiping tools align with industry-recognised standards such as NIST SP 800-88, which defines levels like “Clear” and “Purge” depending on the sensitivity of the data and the risk profile. Verification and reporting are critical to demonstrate compliance and provide audit evidence. Procurri’s data wiping services are all NIST certified.
Data Wiping: Pros and Cons
Data wiping is considered cost effective as a data destruction method, particularly compared to physical destruction methods across large volumes of equipment. Data wiping can be extremely effective and still allow businesses to recover value through redeployment or remarketing, and to reduce electronic waste by extending device lifecycles.
However, there are also several scenarios in which data wiping is not suitable. Damaged or malfunctioning drives may not be wipeable, and some encrypted media cannot be reliably overwritten. In the case of more modern SSDs and mobile devices, some OEMs (Original Equipment Manufacturers) lock their hardware to require manufacturer-specific or specialist tools to ensure complete sanitization.
It is critical that devices subject to data wiping are properly verified once the wipe is complete. Without validation, organisations risk non-compliance.
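An added example, not Procurri's tooling and not code from the original article: one overwrite pass followed by the read-back verification described under "How it Works" and called critical above, run against a constructed 1 MiB file that stands in for a drive. The function names, the marker string and the report fields are assumptions made for illustration; overwriting through the operating system like this reaches only the accessible part of a drive, which is why SSDs and flash media need specialist tools.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # bytes written or read per I/O call

def overwrite_pass(path, pattern=None):
    """Overwrite every byte in place (pattern: one byte, or None for random data)."""
    written = hashlib.sha256()
    remaining = os.path.getsize(path)
    with open(path, "r+b") as f:
        while remaining:
            n = min(CHUNK, remaining)
            block = os.urandom(n) if pattern is None else pattern * n
            f.write(block)
            written.update(block)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # force the data to storage before verifying
    return written.hexdigest()  # expected value for the verification pass

def verify_pass(path, expected_sha256, markers=()):
    """Read the target back, compare with what was written, report surviving markers."""
    seen = hashlib.sha256()
    keep = max((len(m) for m in markers), default=1) - 1
    survivors, tail = set(), b""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            seen.update(chunk)
            window = tail + chunk  # overlap catches markers split across chunks
            survivors.update(m for m in markers if m in window)
            tail = window[-keep:] if keep else b""
    return {"verified": seen.hexdigest() == expected_sha256 and not survivors,
            "surviving_markers": sorted(survivors)}

def demo():
    """Constructed sample: a 1 MiB file stands in for a drive (not a real device)."""
    marker = b"CUSTOMER-RECORD-0001"  # constructed data, placed across a chunk boundary
    head = 4 * CHUNK - 10
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(head) + marker + os.urandom(2**20 - head - len(marker)))
    try:
        before = verify_pass(tmp.name, "", [marker])
        digest = overwrite_pass(tmp.name, pattern=b"\x00")
        return before, verify_pass(tmp.name, digest, [marker])
    finally:
        os.unlink(tmp.name)
```

The report returned by `verify_pass` is the kind of per-device record that can be kept as audit evidence alongside the asset's serial number.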
Types of Data Destruction: Degaussing
Degaussing is a data destruction method that permanently removes information from magnetic storage media by exposing it to a powerful magnetic field. The word ‘degaussing’ originates from the word ‘gauss’. A ‘gauss’ is a unit of magnetic measurement. Degaussing is primarily used for HDDs and magnetic tapes where the highest level of data security is required.
Degaussing: How it Works
Degaussing works by subjecting magnetic media to an intense magnetic field that disrupts the alignment of magnetic domains used to store data. Once these domains are neutralised, the original data becomes entirely irretrievable and unrecognisable.
A degausser generates a magnetic field strong enough to erase the magnetic patterns on a storage device. This field effectively randomises or neutralises the magnetic domains, destroying all stored data in a single operation. In most cases, the process also erases critical servo tracks on HDDs, which are essential for drive functionality.
Degaussing: Accreditation
The process of degaussing is subject to a variety of recognised standards that are applied to the equipment that completes it. This includes accreditation such as NIST, ADISA and NAID AAA.
Degaussing: Pros and Cons
Unlike software-based data wiping, degaussing does not rely on accessing or overwriting data and therefore does not require the drive to be operational. This makes it particularly suitable for highly sensitive data destruction scenarios. One of the main advantages of degaussing is its extremely high level of effectiveness for magnetic media such as HDDs and backup tapes. It provides a high assurance level, making it suitable for classified or highly confidential data. The process is also very fast, allowing large volumes of drives or tapes to be destroyed in a short period of time.
This said, degaussing does have some limitations. It is not suitable for SSDs, USB flash drives or non-magnetic storage media, as it simply wouldn’t work. Degaussing permanently destroys the usability of the drive, meaning assets cannot be reused or resold. Additionally, degaussing equipment is expensive, resulting in a higher cost per unit compared to data wiping. Specialist handling, trained operators, and certification are often required, adding to operational complexity – all of which are offered by Procurri.
Types of Data Destruction: Shredding
Shredding is a data destruction method that permanently eliminates information by physically destroying storage media into small fragments. It is a physical process that ensures no data can ever be recovered under any circumstances. Shredding is suitable for a wide range of hardware types, including HDDs, SSDs, mobile devices and magnetic tapes.
Shredding: How it Works
Devices are physically destroyed using industrial-grade machinery that reduces the material to fragments. In doing so, both the hardware itself and the data within it are left beyond repair or recovery.
Shredding: Accreditation
Industrial shredders are used to break down storage devices into particles of a defined size. The required particle size is often dictated by regulatory standards, industry compliance requirements, or client-specific security policies. Smaller particle sizes provide higher assurance levels, and depending on the sensitivity of the data held on the equipment, may be the most appropriate course of action.
Shredding: Pros and Cons
Shredding offers the highest level of data destruction assurance available. The process is simple to explain and verify, making it ideal for audits and regulatory scrutiny. By physically destroying the media, shredding completely eliminates the risk of data recovery.
This finality means that shredding is only suitable for hardware that is truly at the end of its workable life and cannot be recycled or refurbished in any way.
Deciding on a Data Destruction Method
When disposing of IT hardware, it is imperative that the most appropriate method is chosen, dependent on:
- The next course of action intended for the hardware
- The sensitivity level of the data held on the hardware
- The type of hardware or media device
- The budget available
- Regulatory and legislative requirements
To learn more on which option could work best for your business and its ITAD requirements, speak to the experts. Request a callback from Procurri now and embark on the safest and most sustainable ITAD journey possible!