Which Common Data Sanitization Myths Do You Believe? Part I of II

If data protection is so critical, what keeps enterprises from completely removing data from drives and devices when it’s no longer needed? In this two-part post, we address 10 data sanitization myths. The five below are some of the most common, and they sabotage the data protection efforts of small businesses and large enterprises alike. Any of these can leave data behind, even if you think you’ve got solid data removal or drive destruction processes in place.

Vivian Cullipher Vivian is a career writer and editor, having covered technology-related topics for government and B2B organizations since before LinkedIn and the iPhone. As Blancco’s head of content, she oversees the development of thought-leadership-based copy for web, social media, and other Blancco communication channels.

What keeps enterprises from completely and verifiably removing all data from drives and devices?

Often, it’s outdated and insufficient policy requirements or processes. Sometimes, it’s misunderstanding what data sanitization really means (it’s not dumping files in the digital trash bin). Other times, it’s applying perfectly valid methods—but to the wrong devices.

Whatever the reason, wrong beliefs—including those uncovered in A False Sense of Security, our recent study of nearly 2,000 senior leaders from some of the world’s largest enterprises—lead to increased data risk and vulnerability.

To protect your organization’s sensitive information, it’s important to evaluate and address these widespread myths and correct them. If they’ve affected how you handle your no-longer-needed data, that will likely mean making policy and process changes to address how you manage your organization’s end-of-life information and devices.

5 Common Data Sanitization Myths

These five data sanitization myths leave data vulnerable to unauthorized discovery, access and harm based on the methodology they use. They can also cause you to fail a data protection audit, surprising you with penalty fees or other consequences.

• Myth 1 – Deleting Gets the Job Done
• Myth 2 – Formatting is Foolproof
• Myth 3 – If You Shred, Your Data’s Dead
• Myth 4 – Degaussing Works for All Data Storage Technologies
• Myth 5 – Crypto-Erase Guarantees Data Protection

Myth 1 – Deleting Gets the Job Done

It’s easy for users to confuse deleting and erasing files. Even experienced technology professionals commonly believe dragging files to the Recycle Bin on their laptop and desktop computers wipes them clean. In a recent Blancco survey, over half (51 percent) of the respondents believe files are permanently gone when they take it one step further and empty the Recycle Bin.

Part of the problem is that the tech industry hasn’t always made it easy for users to figure out how to delete their information. When emptying the Recycle Bin, Windows first asks, “Are you sure you want to permanently delete these files?” Most users don’t know this merely removes pointers to the data, marks the space as reusable and in fact, leaves the data intact.

Myth 2 – Formatting is Foolproof

In that same survey, another 51 percent believe performing a quick format or full reformat of a computer’s entire drive is enough to permanently erase data. Formatting can indeed remove much of the data on a drive. But relying on formatting as a data sanitization method is lacking in several critical ways. For one, some or most of the data can be recoverable with forensics tools available online.

What can be even more misleading is that several OEMs offer alternatives to formatting that are referred to as “erasure.” These methods also have limitations and do not meet the guidelines for true data erasure, which includes selecting a data erasure standard, verifying that erasure has been successful and certifying the erasure.

Myth 3 – If You Shred, Your Data’s Dead

This is a tricky one.

That’s because physical destruction is indeed one way to achieve data sanitization. However, the devil’s in the details—and in this case, the details make the difference between data being recoverable or not.

For instance, the type of drive matters. Because hard disk drives store data magnetically spread across a spinning platter, physically shredding the drive is actually very effective. There are plenty of industrial shredders that are more than adequate for hard disk drives (HDDs).

However, the larger shred fragments of today’s standard industrial shredders can allow complete solid-state drive (SSD) data chips to slip through.

The data density on SSD and hybrid drives containing SSD components requires a very small shred size to guarantee that no data can be recovered. In fact, the U.S. National Security Agency recommends an SSD shred size no bigger than 2mm—the size of the tip on a new crayon. The larger the shred size, the more chances that data can be recovered from entire chips. So, specifying shredding as your data sanitization method of choice—while a step in the right direction—doesn’t always guarantee that data is irrecoverable.

Our blog post, “SSD Erasure: What Enterprises Need to Know” covers this and other data destruction vulnerabilities in more detail.

Myth 4 – Degaussing Works for All Data Storage Technologies

Degaussing has its place. It is very effective for damaged or end-of-life electronic devices that store data magnetically. However, the biggest vulnerability with degaussing is that it ONLY works with magnetically stored information. Today’s solid-state drives are immune to degaussing since they store data on semi-conductor chips rather than spinning platters. Optical storage devices are also immune.

What’s more, even with hard disk drives and data storage tapes that store data magnetically, degaussing strength must be enough to overcome the magnetic fields of the devices to be sanitized. It’s not always a match, particularly when older degaussers meet newer drives.

To make sure your data is being securely erased, read “4 Steps to Completely Erase a Hard Drive” for a short description that applies to both HDDs and SSDs.

Myth 5 – Crypto Erase Guarantees Data Protection

Cryptographic erasure (often abbreviated as Crypto Erase) is one of the three methods that can achieve data sanitization. It has proven to be extremely effective at making data unrecoverable if the proper steps are in place and verification and certification are achieved. However, like any data sanitization method, there are advantages and disadvantages to using cryptographic erasure.

For instance, Crypto Erase is an ideal solution when storage devices are in transit. The caveat, though, is that users can impact the success of cryptographic erasure through human error and broken keys.

Our free white paper, “The Crypto Erase Conundrum,” provides an in-depth look at this method, including other potential risks to consider.

More Data Sanitization Myths

Removing Data from Active Environments, Advanced SSDs, Mac T2 devices—and the Cost

There are plenty of false beliefs about protecting data at end-of-life. They are widespread, and they lead to well-intentioned policies and practices that leave data vulnerable and enterprises at risk.

But enterprises must constantly weigh effectiveness, data value, risk and impact against other business processes.

Be sure to catch the next installment in this two-part series, Which Common Data Sanitization Myths Do You Believe? Part II of II. We’ll explore myths surrounding cost, specific devices and drive formats and how data sanitization affects operations.

You may be interested in:

What is Common Criteria Certification, and Why Is It Important?

Understanding the financial risks of cybersecurity complacency

The New Jersey Privacy Act: What You Need to Know

The newly signed New Jersey Privacy Act impose new obligations on businesses when it comes to handling consumer data. Here is what you need to know to stay in compliance.

IBM® Launches Infrastructure Data Erasure—And These 5 Storage Network Benefits Come With It