Operation: Data Destruction
Kayleigh Bateman investigates why companies are having such a tough time disposing of data and disks safely
Waste not, want not: Disposing of potentially damaging private and business information is a necessary, if challenging, task for all businesses.
Many UK firms are still woefully ignorant of the facts of data disposal, with a significant number believing that a single hard-drive wipe will do the trick.
Many do not realise that this is not enough to stop someone extracting sensitive information from the disk and rebuilding a company’s private files from the data.
While the paranoid may even resort to taking a sledgehammer to disk drives to make completely sure that data on them is destroyed, others do not give data disposal a second thought.
Mark Saville, sales and marketing director at online data backup vendor Smartways, said: “There is a lack of emphasis on policies in the UK. For instance, the government loses data and no one carries the can for it.
“Businesses in Europe are archiving because of the need for better storage, not for retention. Organisations are bothered about their operational data to keep the company running but not about compliance.”
Saville said that Smartways has a Business Lifecycle Management service that disposes of unwanted data and supplies an audit and certification of a customer’s data. However, he revealed that the service, launched two years ago, has yet to see any sizable take-up.
“It may be that businesses are not disposing of their data yet, because of data retention periods, or that organisations are just not adopting a data destruction policy,” he said.
Simon Stammers, sales director at document capture company and authorised AnyDoc reseller Formscan, said that while the law laid down strict rules for businesses on how long they should store certain information, there were only guidelines for disposing of data.
“This policy has to be driven by the board of directors and it is down to an organisation to develop its own policy for this,” he said.
HM Revenue and Customs (HMRC) requires all businesses to keep invoices and records of commercial transactions for seven years, but no recommendations have been given for other records, such as HR documents or pensions information.
The lack of retention guidance also leaves businesses at risk of hanging onto time-expired data for fear of deleting it too early.
Stammers said that the Data Protection Act was unclear about whether data should be destroyed or not, advising businesses to satisfy the regulator but also take the approach that was commercially right for each set of documents.
He pointed out that an employee’s pension data begins with a proposal document which may have to be kept for up to 40 years. Over that period the document may have to be captured and sent via email and eventually be part of a business’s large scale migration project.
“How does a business ensure the document’s integrity through different media over the next 40 or so years?” Stammers asked.
He claimed that Formscan’s hosted service ensured data and document integrity by providing its customers with evidence that data is unaltered yet still accessible.
Simon Gregory, business development director at data information management vendor CommVault, said: “Data destruction is no longer just about destroying physical assets: hard disks, optical platters and magnetic tapes. With the current focus on effective corporate governance and regulatory compliance, businesses now have to focus their attention on both structured and unstructured information and specifically its retention.
“Most companies today would have difficulty in finding all of the information they wanted to apply retention and deletion policies to, never mind then calculating how much data had been stored for how long, where it physically resided and on what media.”
He added: “Given this scenario, how can companies then be expected to apply deletion policies across an unknown estate?”
Gregory suggested that firms should move all their data to a single structured system to ensure they can control where it is and can delete it when they want.
However, he stressed that practice differed from theory.
“First, we have to consider how many differing applications hold information that we need access to,” he said. “Second, there is no single application that a business runs on in its entirety. Third, there is no guaranteed way of controlling what organisations do with their data: backup, archive, copy, migrate, duplicate or replicate.
“Finally, there is the issue of information management. Given data is dispersed across the enterprise on differing media through differing applications and using differing processes, how does a company find it and then delete it?”
Gregory felt that businesses needed to collaborate better with IT departments; otherwise they would be unable to control the volumes and whereabouts of information across their environments.
Companies also needed to define information policies to conform with staff processes.
He said: “Document management systems have helped with the huge push in creating a more formal process for the filing and ordering of documentation in the form of electronic document and records management systems (EDRMS). Many businesses are looking to provide some structure to unstructured data by deploying EDRMS as a central repository for user-created documentation.”
David Galton-Fenzi, group sales director at distributor Zycko, said: “The lack of awareness surrounding the correct procedures for data destruction is alarming. We see more and more cases on a daily basis which could so easily be avoided if the correct methods of data disposal were applied.”
He said that a significant percentage of old disks that had been “cleansed” of data and placed on the second-hand market contained recoverable data.
Companies need to ask themselves if their business and their reputation can run the risk of precious data falling into the wrong hands, with the distinct possibility of severe penalties for directors, he added.
“The government is not the only guilty party recently,” said Galton-Fenzi. “Many businesses are regularly slipping up on this data-shaped banana skin as well.”
When a failed disk is replaced, businesses may be concerned that the data on that disk has not been destroyed by the vendor. Many organisations have addressed this risk by not allowing disks to be removed from site until they have been sanitised internally.
Galton-Fenzi added: “The Waste Electrical and Electronic Equipment [WEEE] EU legislation, introduced in January last year, is still largely unheard of, with an astounding four out of 10 directors unaware of their new responsibilities. It is now a requirement for all EU producers to safely dispose of, or recycle, any new products they place on the market when they are eventually discarded.”
Zycko’s Pro Asset Management service enables its VARs to dispose of customers’ IT hardware and to offer additional services to destroy any data held on redundant storage devices, thereby eradicating the possibility that a business may find its data compromised once it throws away a storage device, he said.
David Porter, head of security and risk at business technology consultancy Detica, said: “In the old days data destruction was not an issue. When you could not push your filing cabinet drawers back in and had an overflowing pile of papers on top of the cabinet you knew it was time to chuck some out.
“If your storage area becomes full, then it seems you can just upgrade the hard disk or ask IT for more space. However, the problem is that organisations and people are stockpiling huge volumes of data that is well past its sell-by date and is now clogging up corporate systems. Data is the lifeblood of any organisation but only when it is relevant, secure and easy to find.”
Porter said the solution was to bring back the librarian mentality and instill a higher level of data stewardship within organisations.
He said: “At the heart of this is the information management competency centre. Located in the business rather than in IT, this body regulates the demand and supply of information within an organisation and ensures that data is managed as a true organisational asset, not just a collection of bits and bytes.”
David Aitken, managing director of secure data management at electronic equipment disposal service GreenWorld Electronics, said data disposal had become a higher priority and was the responsibility of IT managers.
“Recent high-profile media reports on data catastrophes such as the HMRC fiasco have brought the commercial importance of data management activities into sharp focus in UK boardrooms and clearly illustrate how data management, including its destruction, can no longer be viewed as a low-level responsibility,” he said.
“Failures in a company’s data destruction plan have often arisen from sheer ignorance of its obligations and responsibilities. Indeed, the data security protocols of many organisations are simply not fit for purpose, and companies clearly need further education on how and when to destroy data to safe and acceptable levels.”
Aitken stressed that consistency was key in data management planning and that all organisations needed to commit to an ongoing data management lifecycle strategy.
The management of business data and the responsible disposal of end-of-life IT equipment must remain at the forefront of an efficient and ongoing data management and ethical disposal trail.
Aitken said that GreenWorld Electronics provided an on-site, end-to-end data destruction and disposal service along with an on-site asset reconciliation and lifetime management tracking service.
The service offers users total data destruction and asset disposal integrity, and includes complete on-site data destruction certification prior to the equipment leaving the site.
“I am staggered by the fact that discarded business computers often appear on sale at auctions or on the internet, complete with data that could be highly dangerous if it fell into the wrong hands,” said Aitken.
“Many companies either do not understand the hazards of ignoring the need to eliminate data from their old computers or opt for ineffectual forms of data destruction to cut costs.”
Destroying data by crushing the electronic equipment that stores it can still leave businesses open to fraud, as information can be retrieved from the fragments.
An astonishing 300 pages of potentially sensitive data can be retrieved from just one inch of hard drive, so businesses and individuals should avoid other ‘DIY’ data removal techniques, such as deleting or overwriting files, magnetising the hard drive and manually destroying the drive by smashing it or drilling holes in it.
According to Aitken, there are two formally recognised methods of data destruction: degaussing and disintegration. To be effective, hard-drive disintegration must shred to a maximum of 13mm, while degaussing must be completed using specialist government-approved equipment.
GreenWorld’s Secure Industrial Disc Drive Disintegrator (SIDD) is one of the tools used when initial data erasure has been unsuccessful due to hard-drive corruption.
Aitken said GreenWorld was the only European company that could fully disintegrate hard drives on-site to strict Communications-Electronics Security Group (CESG) standards, ensuring complete data destruction, and that the process was suitable for all electronic equipment, even secret military assets. GreenWorld also produces an individual SIDD data disintegration certificate for each asset before the asset fragments are removed from site.
“UK businesses should seek specialist advice and take the necessary actions to ensure their data management, security and disposal cycle is fit for purpose and regularly updated in response to changes within the organisation. Failure to do so could have a devastating effect on the company’s future success,” said Aitken.
Gregory finished on an equally chilling note. “The absence of sensible information guidelines and a data and information management strategy will ultimately lead to every business keeping all of its data forever,” he said.