Your IT staff works hard. They have earned your respect and confidence for their ability to handle many tasks at once, managing your organization’s IT infrastructure capably and efficiently, keeping everyone in the business up and running. It makes sense, then, that you would want to entrust your IT staff with data erasure during the IT asset disposition (ITAD) process. You might reason – as a number of organizations have – that the best way to ensure total data erasure is to do it internally. This often appears to be the most secure and cost-effective way to sanitize hard drives.
After all, this gives you complete control of the process. But under an internal scenario, do you really have complete control? LifeSpan has found that as many as 10 percent of the drives it receives from clients who say they have erased the data on them still contain some form of data, either in remnant form or completely intact. For firms concerned about security, this is a major risk. The current cost of a single data breach can be measured in thousands – or even millions – of dollars. Is that a risk you can afford?
How an internal data erasure process can go wrong
Your IT team may be skilled in a number of areas, but they may not all be familiar with proper data erasure procedures, either to perform the erasure or to check if it was successful. Busy IT staff members are also usually juggling several different tasks at any given time, so they may not be available to monitor the data erasure process to ensure quality from start to finish. Larger-capacity drives can take an hour or more to properly erase. If you are using a disk-based tool, you must carefully check and individually document each and every device for a successful erasure.
Many times, a busy staff is also lacking an adequate, secure, and dedicated space to perform the erasure process. This means that some devices or drives could get moved to the “erased” pile when they weren’t wiped at all, or when the erasure failed for some reason. It also may mean that data-bearing devices are not kept secure prior to or during the erasure process.
Choose a certified ITAD partner for a dedicated staff
A staff dedicated solely to data erasure at a certified partner, on the other hand, will be trained in the process, software tools, standards, and best practices. A dedicated staff can offer a documented erasure process certified according to industry standards, and they will not be distracted by other projects while they are working with your organization.
When it comes to choosing a data destruction partner, one of the most reliable certifications to look for is from the National Association for Information Destruction (NAID). NAID is a major certification body that focuses exclusively on information security, and it performs both a scheduled and a surprise audit each year on the organizations it certifies. If you use a NAID-certified IT asset disposition vendor, you can be sure that it meets the highest standards for data erasure and its entire disposition process has been documented.
Even if your team does have a process for wiping hard drives before turning them over to a disposition vendor, best practice is to have your vendor perform data erasure on every drive they receive from you. Given the risks and costs of a data breach, having your ITAD vendor certify that every hard drive has been properly sanitized is a low-cost way to give you and your staff peace of mind.
Looking for more information on data erasure?
The question of an internal vs. external process isn’t the only source of confusion about data destruction in the IT asset disposition process. Many misconceptions exist about the process, standards, and technology related to data erasure. Our document, “10 Myths About IT Asset Disposition (ITAD) Data Erasure,” sheds some light on the data erasure process, dispelling some of the most common myths and discussing the best practices for optimizing your organization’s ITAD program in this area.