For IT assets with hard drives, extending the life of hard drives by switching from physical destruction (shredding, degaussing, mutilation) to erasure or wiping is the only way to securely preserve the hard drive and extend the usable life of the asset.
Hard drive manufacturers recognize the need for extending the useful life of drives:
The case for HDD/SSD data erasure: talk tracks to help you gain ground
How can you convince (cajole, prod, push, pull, drag) the stubborn (unwilling, old school, disinterested, couldn’t be bothered, shred or die) that your company’s IT devices can be a part of the movement toward longer lifecycles and increased reuse? And, along the way, profit from higher ROI and achievement of ESG goals?
We’ve put together several talking points that you can make your own to increase the reception and frequency for data storage erasability into your IT asset management practice.
1. Embrace the silence
Some people really need that noise of shred. That chomp, crackle and grind of hard drives and SSDs being ripped to shreds visibly and audibly confirming destruction. Erasure by contrast is quiet without that loud, physical, tangible pile of junk at the end.
2. Don’t assume your shredding process is being executed correctly
We see SSDs thrown in the same bins with hard drives at customer sites all the time. WE know that the SSD will not be securely destroyed because the data media is just too small for the big teeth of a hard drive shredder. Jonmichael Hands, of the Circular Drive Initiative (CDI), a partnership of technology companies promoting the secure reuse of storage hardware, warns in a recent BBC article, “The irony is that shredding devices is relatively risky today. The latest drives have 500,000 tracks of data per square inch. A sophisticated data recovery person could take a piece as small as 3mm and read the data off it.”
3. Trust third-party forensic testing
Use disk wiping products from vendors who are certified and forensically tested and verified by third parties. The verification file stating that the software did what it did is actually stronger evidence than a pile of shred and the document cannot be tampered with. From the Financial Times, “experts are adamant that conventional drives can be securely wiped and reused, a practice that first emerged in the early 1990s but that has only gained significant traction over the past decade. “Saying we have to shred because it’s the only thing that’s secure is a miscalculation,” says Fredrik Forslund, vice-president of Blancco, a company that makes wiping software. Forslund describes shredding as “an absolute disaster”.“
4. Do the calculations
Even if you’re not environmentally focused it’s impossible to avoid the cold mathematical benefits of extended use for electronics. As the Financial Times describes: Julien Walzberg, a National Renewable Energy Laboratory (NREL) Researcher “found that reusing a hard drive avoids four times as many carbon dioxide emissions as slicing it up and feeding the pieces through even the best imaginable recycling processes when both scenarios are compared with current recycling.”
5. Get out of the (IT) stone age
If you’re following a protocol from 1995 (we’re looking at you DOD) or even 2014 (NIST) even you have to admit that A LOT has changed since these were carved in stone. If you don’t know where to start, look toward IEEE which writes and updates standards regularly based on modern technology. This Forbes article says it all: IEEE 2883 Standard On Data Sanitization is a path to storage reuse and recycling.
6. Build a wall
We jest but…not really. Are you using a hammer and wood to build a fence for your cybersecurity to keep the bad guys out? Of course not. 100% of the time, cybersecurity defense is in the form of software implemented by experts. So, why do you trust software to keep your data safe from outside attacks but not to erase the data from storage devices that are coming out of production?
7. Create a risk assessment matrix
Look at your organization chart and see what drives your eMedia data destruction policy and processing. Which IT assets hold less risky information? Is it by department? By owner? By value? Start your erasure program with an evaluation program to generate measurable results that you can build on.
8. Clarify the (big) difference between deleting files and data erasure/wiping/overwriting
There may be some legacy thinking that erasure is the same as deleting files. Deleting files (one or all) is a simple process where all the files are labeled “garbage”. Not gone, erased or overwritten. Definitely NOT a secure data destruction process. Erasure, using third-party, certified software removes or overwrites the data completely without any chance of recovery. Even the garbage can is emptied and blasted away. Very secure.
(Another tip: Reformatting isn’t erasure either. Reformatting deletes all the files but the data may be recoverable so it is not a replacement for secure erasure.)
Related: Stellar’s BitRaser blog goes into lots more detail here >
9. Channel your inner George Michael and have some faith (no dancing required)
Companies of all sizes, industries and security level, successfully delineate between appropriate to shed and appropriate to erase. Wiping takes a little bit of faith in the professionals who do this all the time and reputations depend on it. In our view, if you’re using the right products, the right procedures, and it’s documented with a certificate at the end, these products will provide one hundred percent security.
10. Consider factory resetting for firewalls, routers, switches, hubs and remote access controllers
People don’t even know that they should be thinking about a factory reset at all because it’s not on their checklist of IT assets that hold data. Factory resetting is a secure alternative to shredding entire boards (and therefore nullifying the device completely) that contain IP and access data that you do not want out there in the wild.
Learn more about Guardian’s factory reset services >
Related: A guide to factory resets >
11. Get blown away by the chain of custody, reporting, documentation
Every erasure vendor differs slightly in their reporting but they share a lot in common in their certificate of erasure: a complete identification of the memory device including make, model, serial number, RAM, method of erasure and status of erasure. Everything. Significantly more than any shredder or degaussing machine produced.
12. Talk to a third-party, nonpartisan, professional data destroyer
At Guardian we provide data destruction services that fit every company, every industry whether it’s 20mm shredding or 2mm shredding, degaussing to meet government requirements, remote erasure for offsite workers, factory resets for routers, firewalls, switches, hubs and remote access controllers and HDD and SSD (all varieties) erasure. Whether you shred or erase, we are happy to walk through the benefits of developing a hybrid program that eases you into a higher ROI and ESG. Or, talk to your ITAD, VAR, TSP, MSP or reseller. These are professional resources available to help you make a smart, secure plan.
13. Survey your colleagues, department heads and stakeholders “Is reducing our carbon footprint something we care about?”
The reason Corporate Governance (CG) and Environmental, Social and Governance (ESG) policies are popping up all over is that companies either care intrinsically about being better stewards or they’re realizing that their customers and investors care. IT company Dell found that manufacturing accounts for half of the carbon footprint of one of its servers, accounting for energy-related emissions from four years of use. (The Financial Times) Whatever the stick or carrot is, your interest may kick off more support for an erasure versus shredding conversation.
14. Be a surprising contributor to ESG and CG
Erasure benefits versus shredding are numeric, quantifiable and provable. A small step in erasure and reuse or resale could really contribute to the bottom line for both ROI and ESG programming. Once you show the numbers and prove the security, get ready to double down.
15. Go pro and breathe easily
If you’re unsure of what to do, work with professionals. The risk of making the wrong move, whether it’s shred or erasure, is just too dangerous. Always ask for a NAID AAA Certified electronic data destruction provider, NIST-approved equipment, full documentation, verification and chain of custody on every IT asset. And use the industry leaders for erasure software: BitRaser from Stellar, Blancco and Extreme Protocol Solutions.
You are not a trendsetter (but you’re part of a good trend)
Fifteen years ago, Guardian Data Destruction got its start doing a huge onsite erasure project for AT&T. Secure erasure has been around for a long time and it’s become more robust with all types of checks and balances built in to ensure data security and assure the skeptical.
If you are ready to take the lead on ESG and ROI programs at your company using a secure, planned data storage erasure plan, document how you do it and present the data to your organization. Don’t be afraid to start small with a test case and involve multiple stakeholders to ensure that any gaps are filled and questions are answered.
Guardian, your ITAD, VAR, TSP, MSP and resellers are invaluable resources of information and will lean on their data destruction experts and providers for strong recommendations and program design solutions.
Have a question about building your own case for erasure mixed in with shredding for data disposition?
Here’s an IT Asset Manager’s Guide for Building a Hybrid Data Destruction Process.
Dig into ESG! Environmental, Social and Government.
Hard drive data erasure services best practices.
Hard drive shortage solution: the switch from hard drive shredding to hard drive erasure
Further reading: ”Why Big Tech shreds millions of storage devices it could reuse | Financial Times (ft.com)” and IEEE 2883 Standard is a Path toward Storage Reuse and Recycling
