Have you considered the importance of data destruction?

Delighted to see our in-house and mobile data destruction platforms running at speed!

Data destruction station at Covenco, Banbury.

160 x 6 TB drives are being wiped to DOD standards simultaneously. And that is not at full capacity either.

As an ADISA-certified ITAD, Covenco has long understood the importance of good processes for data security. Good business practice requires that broken, damaged, or redundant IT equipment needs to be disposed of correctly! Currently, only one company in the UK (ADISA) is backed by UKAS and the ICO (Information Commissioners Office) to be able to provide a standard for ITAD companies to certify against.

Data destruction methods.

In my experience, I find companies of all sizes and backgrounds have varied approaches and levels of ‘concern’ regarding their data destruction methods. It surprises me. I would have thought it was equally important how data is processed at the end of life, as it is when in use. I have a simple ten-step thought process that I outline with Covenco clients to help them consider their end-of-life choices. And protect themselves, their business, and its reputation.

1) Value recovery vs. total destruction.

A simple question of whether there is enough value in the asset to warrant selling it (and how to clean it thoroughly before), or whether to completely destroy the asset beyond data recovery. Bare in mind, when we say beyond data recovery, a few centimeters of tape will contain thousands of records. So even total data destruction needs careful consideration.

2) What in-house tools can you use 1st?

I am not suggesting a drive format is good enough to meet your data destruction requirements! But, it has its uses. Before sending your valuable data off-site to be properly processed, a simple format/drive wipe will thwart most amateur hackers. And provide a minimum of protection at the outset should an asset go missing.

3) Identify ‘fully’ what is being disposed of.

This is fundamental, yet it surprises me how few people consider this. If you do not EXACTLY agree with what is being collected with your ITAD, you can unwittingly create a data breach. Was it 8 or 9 drives that left the building? If 9, why has the ITAD only sent a certificate for 8? You can’t remember and they did not check. Now you have the concern that maybe a drive is missing, maybe in the courier’s van? And, by the law, that would likely constitute a data breach. Please, if you take no other steps – fully agree with the asset disposal list! It is FUNDAMENTAL.

4) Agree on a timeline for data safety

All good ITADs, and certainly all ADISA members, will be able to tell you how long it will take for assets to be erased or data destruction. In other words, how long are you exposed?

5) Collection and chain of custody

Is there a solid chain of custody from you to the ITAD? Signatures and checks to confirm handover, you to the courier, courier to the ITAD. Does the courier have to track the vehicle? Have they been instructed/pledged to never leave the assets unattended – i.e. is the vehicle double crewed if they stop for fuel, a rest stop, etc?

6) Storage

Check security. While YOUR data sits in the ITAD, how exposed are you? ADISA check physical security (cameras, alarms, etc), access control processes, personnel, and asset segregation at their member sites.

7) What method to choose?

This is important and links to whether there is value in the asset. If you are physically destroying, to what level? Standards exist for sizes of disk and tape fragments. Or if a disk/tape wipe – what is the method, the software involved, how many passes, etc? Again, ADISA put the place in checks to randomly ensure data is unrecoverable on processed assets at their ITAD partners.

8) Systems of record

You will, of course, expect a destruction record. But I have seen that simply says ‘220 disks’ at an unnamed site! It should be exactly the assets, record the serials and dates at the very least.

9) Waste or Resale

This pertains to the asset after cleansing and speaks to your company’s Green agenda. How does your ITAD process waste and what certificates do they have in place? Or better still, will they data wipe and resell? Nothing is more eco-friendly than getting more use out of an old asset rather than landfill or recycling.

10) Don’t lose sleep

This a trite point, but by thinking through steps 1-9, you should be risk-free on your asset disposal. Or as close as possible. No IT Manager or CTO wants to report a data breach to the board. And in my opinion, ITAD disposal is one area where some simple and probably obvious choices can hugely reduce that likelihood.

If this has made you think twice about your data destruction or you want some advice, don’t hesitate to get in touch. Our experienced team can solve all your data security worries.

Contact us form

Complete this form below and someone will be in touch shortly.