How do you make sure data cannot be recovered from storage media?

Published on 17 February 2025 at 09:00

When it comes to disposing of computer equipment, how do you make sure that any storage media – hard drives, SSDs, flash drives and so forth – can’t be read by unauthorised users or have the data recovered?

 

These days practically every electronic item contains some form of electronic storage media. The National Cyber Security Centre (NCSC) reports that there have even been examples where several gigabytes of sensitive documents were retrieved from decommissioned photocopiers and printers.

 

The NCSC has reviewed and republished guidance on sanitising and disposing of storage media. Here’s a brief review of some of the key points...

Sanitising storage media

 

The NCSC recommends that any media that has stored data that’s sensitive to your business should be sanitised before it is disposed of. Just pressing ‘delete’ on your computer is not enough.

 

If the storage media isn’t sanitised, there is a risk that any sensitive data on it could be recovered by competitors or used for criminal activities.

 

Selling or disposing of the equipment are the situations you might automatically think of. NCSC advises that sanitising storage media is also needed when reallocating equipment to a different user or returning it to a supplier for repair.

 

 

Before sanitising

 

NCSC advises that it is best to understand your data and know which items of equipment contain which data. This will help you identify any potentially more sensitive items of equipment.

 

Having a re-use and disposals policy in place is important and NCSC provides a sample policy that you can use. It is useful to understand what the eventual sanitisation requirements will be as part of your decision-making process for buying equipment.

 

 

Is the data encrypted?

 

Where the device has an encryption option that has been activated, this can make life simpler. For example, BitLocker is available on Windows and FileVault on macOS. These usually have a ‘factory reset’ option that deletes the encryption keys and makes the data unreadable. Once this has been done, NCSC says there is then minimal risk to sensitive data.

 

This does not mean that the reset procedure can guarantee that all user data has been rendered unreadable. However, NCSC advises that a ‘factory reset’ on an encrypted device will provide a satisfactory level of assurance.

 

If the data is not encrypted, then there is a need to overwrite and verify the overwrite. There are commercial tools available that can do this.
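The overwrite-then-verify step described above, sketched in Python as an added example (it is not NCSC's code or a commercial tool). It assumes the target can be opened as one flat file, such as a disk image or a block device, and uses a single fill byte; it can only check the addresses the operating system exposes.

```python
import os
import tempfile

CHUNK = 1 << 20  # read and write 1 MiB at a time


def overwrite(path, fill=0x00):
    """Overwrite every byte of an existing file or block device with `fill`."""
    block = bytes([fill]) * CHUNK
    with open(path, "r+b") as f:
        remaining = size = f.seek(0, os.SEEK_END)  # total bytes to cover
        f.seek(0)
        while remaining:
            remaining -= f.write(block[:min(remaining, CHUNK)])
        f.flush()
        os.fsync(f.fileno())  # push the writes out of the OS buffers
    return size


def verify(path, fill=0x00):
    """Read the target back.

    Returns (bytes_confirmed_clean, first_residual_offset or None).
    """
    want = bytes([fill])
    checked = 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            clean = len(chunk) - len(chunk.lstrip(want))  # leading fill bytes
            if clean != len(chunk):
                return checked + clean, checked + clean  # residual data found
            checked += len(chunk)
    return checked, None


if __name__ == "__main__":
    # Constructed sample "disk image" holding a fake record (not real data).
    fd, image = tempfile.mkstemp(suffix=".img")
    os.write(fd, b"\x00" * 4096 + b"CONSTRUCTED-CUSTOMER-RECORD" + b"\xaa" * CHUNK)
    os.close(fd)
    print("before wipe:", verify(image))   # residual data at offset 4096
    print("bytes overwritten:", overwrite(image))
    print("after wipe: ", verify(image))   # (size, None) means the pass verified
    os.remove(image)
```

A result other than `(size, None)` means the overwrite cannot be assured for that media.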

 

Where it cannot be assured that storage media has been wiped, or there is a residual risk that a skilled, well-funded laboratory could recover data, then it may be necessary to physically destroy the media. NCSC advises destroying the media to particles of 6mm or less.

 

For further information, please see the guidance.