These days practically every electronic item contains some form of electronic storage media. When it comes to disposing of computer equipment, how do you make sure that any storage media – hard drives, SSDs, flash drives and so forth – can’t be read by unauthorised users or have the data recovered?
The National Cyber Security Centre (NCSC) reports that there have even been examples where several gigabytes of sensitive documents were retrieved from decommissioned photocopiers and printers. The NCSC recommends that any media that has stored data that’s sensitive to your business should be sanitised before it is disposed of. Just pressing ‘delete’ on your computer is not enough.
The simplest way to sanitise a device is to physically destroy it, but this of course is no good if you are hoping to resell the equipment, or if you didn’t own it in the first place and are returning it to the company you leased it from! Instead you can a method such as data erasure – which uses software to fill the entire storage of the devices with random 0s and 1s, ensuring that all existing data is replaced. This is, however, a time-consuming process that needs to be meticulously carried out on each individual device by someone who knows exactly what they are doing!
When devices have an encryption option that has been activated, this can make life simpler. For example, Bitlocker is available on Windows and FileVault on macOS. These usually have a ‘factory reset’ option that deletes the encryption keys and makes the data unreadable. Once this has been done, NCSC says there is then minimal risk to sensitive data. This does not mean that the reset procedure can guarantee that all user data has been rendered unreadable. However, NCSC advises that a ‘factory reset’ on an encrypted device will provide a satisfactory level of assurance.
If the storage media isn’t sanitised there are risks that any sensitive data on it could be recovered by competitors or used for criminal activities. It is useful to understand what the eventual sanitisation requirements will be as part of your decision-making process for buying equipment in the first place.
NCSC advise that it is best to understand your data and know which items of equipment contain what data. This will help you identify any potentially more sensitive items of equipment and come up with a plan for re-use and disposals, to avoid any data breaches. For further information and support, please see the NCSC guidance.
