Data Disposal : Your sensitive data may be at risk !

Data Disposal : Your sensitive data may be at risk !

Data is the oxygen for digital world.

Technology has evolved immensely in last 20 odd years. From large mainframes to desktop computers, laptops to smartphones, data centers to cloud, tablets to smart watches, google search to ChatGPT , we have really come a long way. These technological advances are now difficult to catch up with due to its rapid evolution.

However one thing that has remained backbone of entire digital world is “Data”. Would the technology still be effective if there was no data? Without data, these technologies would not address any business problems. The definition of data per Wikipedia is “In the pursuit of knowledge, data is a collection of discrete values that convey information, describing quantity, quality, fact, statistics, other basic units of meaning, or simply sequences of symbols that may be further interpreted” . Further, when you have a meaningful or valuable data, it can be labeled as “Information”. This clears the reason why information (or data) security is so important today. Your personally identifiable information, piece of source code, design documents, trade secrets are valuable and can have a impact if stolen or lost. The impact could be financial impact, reputational impact, legal or regulatory impact and so on.

Data LifeCycle

Like every process, data has its own lifecycle. Data is created, acquired, collected in many ways by organizations. Without data, no business process would take place. If we do not protect this data at each lifecycle, it may lead to severe risks. Above picture by CyberFIT covers the various data lifecycle stages. This broadly applies to all organizations across all sectors.

For example

Data Collection — The more and unnecessary data you bring in, you carry more risks. Today most privacy regulations mandate minimum, necessary data collection for data processing.

Data Sharing — If you share your sensitive data without appropriate controls such as encryption, authentication etc., can you really assure its integrity and confidentiality?

Data disposal — Of all the data lifecycle stages, data disposal is the one where organizations tend to either adopt poor or weak practices. Lets cover this a little more .

Linkedin @Santoshkamane


No Data Disposal — Risks? Too many !!

When you delete or format your data, it hides it from operating system’s view. Though it gives perception that data is deleted, it still can be recovered. Today there are advanced data recovery tools who accomplish this purpose. The key due to inadequate data disposal are,

  1. Your data is exposed to malicious actors or cybercriminals. Your data could be PII, customer files, IP , trade secrets and so on
  2. Non compliance to information security standards
  3. Non adhering to privacy regulations requirements - Right to erasure
  4. Regulatory penalties
  5. Last but not the least, and most importantly, reputational risk. Can we afford to lose consumer trust build over years due to security incident that could have been easily prevented at extremely low cost?Morgan Stanley fined $35M for disposing data without wiping

Data Disposal — How is it managed today?

For confidential paper information, today we use a shredder as and when needed. It shreds paper into smaller pieces so the information can’t be reconstructed again. This not only protects information from leakage, but assures you piece of mind.

Source : Internet


Does the same risk apply to digital or electronic data? Yes.

Today most of the organizations are not following secure data disposal practices. So what is the risk here ? Lets understand.

  1. Delete or Format — If delete or format is your primary and only disposal method, your data can be accessed, stolen, misused by cybercriminals. This data could be your customer files, intellectual property, design documents, trade secrets and so on.
  2. Physically Destroying or degaussing hard-drives — Physical destruction may be a better control but can it be your primary means of data destruction? Its been a traditional idea to destroy the physical asset that holds the information, so you leave no scope for recovery. However two challenges here .

a) Third party engagement — Cybersecurity is heading towards zero trust philosophy today. Can you handover your hard-drives with sensitive data to third parties (without due diligence) to either degauss or destroy ? Morgan Stanley was asked to pay 35M as a fine due to data leakage. Like mentioned earlier in the article, the risk is too high when data is stolen or leaked/breached.


b) E-waste — When you physically destroy your assets, aren’t you essentially contributing to e-waste? Can these assets not be repurposed if data wipeout is assured?

c) Destruction before End Of Life — The hardware assets have a price tag and life. If you destroy hard-drive after use of 6 months as it holds sensitive data, can you convince your CFO on the ROI?

Data Disposal — How can it be handled?


  1. As an organization, know how your data tranverses through its lifecycle in the organization. Based on the risk profile and regulatory requirements, build your data retention as well as data disposal policy.
  2. Use Software secure wiping solutions such as CyberFIT’s WipeOut for secure data disposal. WipeOut is enterprise data disposal tool with built in policy compliance. You can securely erase files, folders, drives with a single click. It includes storage analyzer to easily identify your data in various locations. The scheduler option of WipeOut allows automated data wiping. This patented tool also includes remote wipe options, centralized dashboard, wipeout of stolen assets, wipeout recycle bins and most importantly certificate of data destruction, in NIST format that you can use as an artefact during audits. It allows secure erasure of data stored in browsers as well.
  3. Frequently WipeOut data that’s no longer necessary and is on unsecured devices. Data such as customer KYC forms, PII data, data received through emails, source code, internal document should not be on your laptops or end user devices. Enforce a policy to erase them.
  4. Before handing over any asset to contractors or third parties, make sure its securely wiped off
  5. As a secondary supporting control, if policy permits, devices can be physically destroyed.
  6. Periodically review your data retention policy and make sure you comply with requirement in regards to securely wiping data to support “right to erasure” demands of consume.

Final words

In a nutshell, today data is scattered everywhere in the organized. It needs to be protected during all stages and controls can’t be relaxed ,especially during data disposal stage. Be the organization that provides assurance to customers that data is safe until its disposal. Dont just delete, WipeOut

Referral links

https://www.dhirubhai.net/company/cyberfitsolutions/

To know more about electronic shredder [email protected]

Shreyas Parvaté, DCPLA, CIPP/E, CIPT

Helping companies architect privacy and data security

1 年

In my pre-cybersecurity and privacy days, I was blissfully unaware of risks in formatting of disk and simple delete procedures. ?? In a time where cyber attackers' primary rationale is stealing the data, mechanisms such as securely disposing off data are key in eliminating the security risk. And it also helps with compliance. Thanks for sharing Santosh Kamane

Data erasure is definitely a key measure in safeguarding sensitive information. Thanks for sharing your insights on a holistic, rather than piecemeal, approach to data protection!

回复
Jonny Nation

Cyber Security Professional.

1 年

That is a really good piece, thank you! ????

Kavitha A.

CIPM | ISO 27001 LA | CCSK | CEH | CompTIA Security +

1 年

Truly amazing and insightful ???? thanks for sharing ????

要查看或添加评论,请登录

社区洞察

其他会员也浏览了