The Risks of Shredding Drives Internally
The core best practice when it comes to retiring hard drives is to wipe them quickly and internally rather than letting drives accumulate with sensitive data before shipping them to a third party ITAD (IT Asset Disposal) vendor. Often times companies decide to physically destroy drives rather than wiping them with certified software. While there are some benefits to physically destroying drives internally, there are also significant risks that should be considered. The three risks are 1) the risk that the drives won't be accurately reported, 2) the risk of data not being comprehensively destroyed, and 3) employee health and safety risk. Let's look at each.
The Risk of Incomplete or Inaccurate Reporting
One of the biggest weaknesses with physical destruction is the risk of being inaccurate. When a drive is physically destroyed it must be manually reported; a serial number or asset tag must be scanned or keyed in. This leaves room for error and manipulation. An honest employee may inaccurately key in data or forget to scan a drive. A dishonest employee may record the drive as being destroyed and then pocket it. This reporting problem is serious enough that the most responsible physical destruction services have one person recording drives and a second person to witness and ensure accuracy.
To responsibly destroy drives internally, companies should have a witness present to ensure accurate and honest reporting. This will substantially decrease your risk of inaccurate reporting but takes up twice the human resources and still doesn't guarantee accuracy or honesty if the two employees collude. For many companies, having two people verifying the process will be sufficient to substantially reduce this risk.
The Risk of Data Not Being Comprehensively Destroyed
There are various ways in which data is not comprehensively removed even when physical drives are smashed, shredded, grinded, or otherwise physically destroyed.
Fun Drive Destruction
We've heard from many companies that they shoot and hammer drives. While this might be a great stress reliever, it has multiple problems. Even more common is the practice of drilling holes in drives or bending them in some way. There are even machines on the market that destroy using these methods. The problem with all these methods is that they leave portions of the drive platter intact. In fact, with all these methods, only a relatively small portion of the platter is destroyed. While the drive may be rendered inoperable, data can still be recovered using forensic methods. In other words, the 0s and 1s still on the drive platter could be read by other means such as specialized microscopes. All these methods are really "drive destruction" methods, not "data destruction" methods. When there are affordable and comprehensive data destruction methods available, why use a method that has so many weakness and doesn't adequately protect you or your company?
A very common method of data destruction is degaussing. A degausser is essentially a very strong magnet that realigns the 0s and 1s on the drive into a random pattern. This method of destruction has two major issues. First, degaussing renders drives inoperable because the magnet disrupts the highly-sensitive alignment of disc platters. Second, because drives are rendered inoperable there is no way to easily verify if the data was comprehensively destroyed. You have to have complete faith that the degausser is of high quality and operating as expected.
Shredding and Grinding
Another common method of physical destruction is shredding or grinding a drive. With this method, drives are placed in a machine that either shreds the drives into smaller chunks or pulverizes the drive into particles. One positive of grinding drives into particles is that the data is truly unrecoverable, even forensically, but there are still potential concerns, particularly if you're doing this internally in your company. First, shredding drives doesn't always lead to chunks small enough that you can't extract data from them. Granted, it's much harder to recover data than the previous methods but still not comprehensive. Second, some parts of a drive that store data may pass through unaffected. This particularly applies to SSDs (Solid State Drives) where data is stored on chips that are sometimes small enough to pass through a grinder untouched. Third is the environmental risk which takes us to the next section.
Employee Health and Safety Risk
Electronic waste commonly contains metals that can be potentially toxic and hazardous to a person's health. Handling these materials, particularly when they are being destroyed, can present a health risk to your employees. By physically destroying drives in-house you open your company up to a whole series of concerns, standards, and regulations that have to be considered and managed.
In Europe the Waste Electrical and Electronic Equipment (WEEE) directive (2002/95/EU and 2002/96/EU) specifies the following categories of toxic materials:
- Highly flammable
In the U.S., the Resource Conservation and Recovery Act (RCRA) defines hazardous waste in four categories:
Standards such as R2 are often used to ensure companies dealing with recycling activities have a comprehensive Environmental Health and Safety Management System (EHSMS) in place. If internally-managed destruction is your method of choice, becoming compliant with standards like R2 can be an extremely long and costly process.
Another risk you face when physically destroying drives internally is that of safety. Grinders and shredders can have open moving parts in which employees can be injured. Drilling holes, using a hammer, and certainly shooting drives all come with self-evident safety risks.
The bottom line is, physically destroying drives may be opening the proverbial can of worms for your company, getting you involved in an area that carries more regulatory weight and responsibility than your company is ready or willing to bear.
Risk vs Cost vs Reward in Choosing Your Data Destruction Method
In conclusion, as with most IT decisions, you have to weigh the risks and rewards when it comes to data destruction and your hard drive end-of-life. Many companies are lured in to the idea of physically destroying hardware internally. They figure that with the fixed cost of physical destruction they will save money without considering the additional risks and responsibility they are sometimes unknowingly taking upon themselves. Not understanding the reporting risk, the weaknesses of a specific method of destruction, and the environmental and employee health risks involved often leads companies to make bad decisions.
When all these factors are considered, we find that in most cases physically destroying drives internally just isn't worth it. As an alternative, wiping your drives with certified software can overcome all these risk factors. First, wiping can be implemented quickly and easily. In less than 5 minutes, an IT technician can initiate a wipe. By wiping drives as soon as they're marked for retirement, you eliminate any data risk throughout the rest of the retirement process. Second, data about wiped drives can be reported and stored in an internal database in a completely automated fashion that is immune to human error and manipulation. Third, using a certified wiping tool like WipeDrive ensures that all data on the drive is securely and permanently deleted and forensically unrecoverable. Fourth, no safety or environmental risks and responsibilities are introduced.
For the most part, when we layout the risks, costs, and rewards of these various options, using data wiping software ends up being the clear choice, not because of how convincingly we sell our product, but rather because of common sense. Yes, you might be able to save a few bucks here or there by creative methods of data destruction, but when a comprehensive yet simple solution that carries none of the risk exists, why take your chances?