A false sense of security: why physical destruction of data cannot ensure cybersecurity

By Blancco

Fredrik Forslund, Blancco Vice President of Enterprise & Cloud Erasure Solutions, shares how government agencies can securely dispose of data with software.

Many believe that complex passwords with special characters are the most secure. Yet, in 2021, the United States Federal Bureau of Investigation recommended opting for longer “passphrases” comprising multiple words strung together, as these are harder to crack.

Agencies must always evaluate commonly used best practices as time passes and new knowledge emerges. Nowhere is this truer than data disposal. Many government agencies and private companies around the world believe that physical destruction of data storage media is the most secure way to dispose of data, but software-based data destruction may be safer.

Fredrik Forslund, Vice President of Cloud & Data Center Erasure, Blancco, shares how government agencies can best secure their data by destroying data with software, automating data disposal, and improving awareness of current data security standards.


Adopt software-based data destruction


Contrary to popular belief, government agencies can best secure their data by using software to destroy data rather than opting for physical destruction, shares Forslund.

A recent survey of 596 public sector respondents found that physical destruction is considered more secure than other solutions by 46 per cent of respondents globally. Physically destroying data storage devices, such as solid state drives and hard disks, may feel more reassuring, Forslund notes.

However, physical destruction is only effective when done in specific ways. For example, solid state drives need to be completely shredded to two to three millimeters in size. Otherwise, a forensic lab may be able to “recreate data from the electronic chips”, he explains. Common methods like drilling still leave precious data vulnerable to data recovery efforts, he warns.

In fact, while 46 per cent of respondents stated that they physically destroy drives because it is more secure than other solutions, only 13 per cent strongly agreed that they have full confidence in their organisation’s physical destruction process.

Software-based data destruction can induce a permanent “purge” state, shares Forslund. Once an agency has purged data from a hard drive, the data removal is equivalent to shredding the drive, he explains.

“It doesn’t matter what information you had on there. It’s all gone and it can never come back,” Fredrik Forslund, Vice President of Cloud & Data Center Erasure, Blancco, says. 

Government agencies and private organisations may send sample drives to forensic laboratories in order to get a certificate of destruction, he adds. This can ensure that data is totally removed from the drive and alleviate any doubt.

When data is destroyed with software rather than with physical methods, the equipment will not have to be retired prematurely. As such, agencies can reuse these storage devices and maximise their full use. This can lead to environmental benefits and cost savings, as highlighted in a recent GovInsider article.


Automate data disposal


Software-based data destruction can also be automated, thereby reducing the risk of human error, says Forslund.

When sensitive data is no longer in use, it needs to be disposed of immediately, he highlights. Any delay can lead to excess vulnerability as long as the device retains data. Gaps in a device’s chain of custody, which tracks the movement and control of a drive or device until ultimate destruction, also create risk.

For physical destruction to work, you need a perfect chain of custody, he explains. “Over and over, we’ve seen different data leaks [during this process], as employees or contractors are simply removing some of the drives to sell privately,” he shares.

This tracking and documentation can be easily compromised when handling many devices. For instance, an agency that needs to destroy 12,000 drives would need to scan the serial number of each drive and collect proof that every drive has been shredded correctly.

The UK’s NHS Digital had to record 393 missing devices over a year, even though they had processed 319 of them for disposal. As they had no record of disposing of those devices, all of them had to be officially listed as lost, along with the data stored on them.

An automated system can enable immediate sanitisation and generate an audit trail, he highlights. This can plug the gaps in chains of custody. Automated systems can generate reports tagged to each serial number to verify that all drives have been wiped via software.

A Japanese prefecture recently revised its procedures to seal gaps in its chain of custody process, following the loss of 18 hard drives destined for destruction. To protect against future data leaks, employees must witness onsite data erasure before storage devices are either reused or physically destroyed.


Improve awareness of data security standards


Agencies need to increase awareness of current data security standards and reform outdated policies, he shares.

When revising these processes, agencies “need to go from partial awareness to full awareness because you need every stakeholder to participate”, he explains. In complex environments like government agencies, many different stakeholders need to be on the same page so that existing policies can be modified.

So, what’s stopping government agencies from making the switch?

First, there is a lack of awareness of options. Blancco’s research study found that 38 per cent of respondents globally say they do not have the appropriate skills in house to use other methods. Almost a quarter were unaware of alternative methods of data disposal, such as certified data erasure.

Secondly, there’s a mismatch between policy and today’s ambitions, shares Forslund. Many data disposal policies were written 10 to 15 years ago and have not kept up with the latest advancements in technology.

But it is not too late to revise policies. The research study highlighted one country’s department of defense that had mandated the destruction of all solid state drives: after looking into the department’s processes, it recently rewrote its policy and mandated secure data sanitisation through Blancco software.

Blancco’s software has been certified by various public sector organizations focused on cybersecurity, such as the United Kingdom’s National Cyber Security Centre, the German Federal Office for Information Security, and the Swedish Armed Forces.

As a critical mass adopts secure software-based data sanitisation, public sector agencies can be confident that data security has progressed past the need for physical destruction. With software-based data destruction, automated data disposal, and increased awareness of options, it is more secure than ever to make the switch.