To shred or erase?
This is a valid question for any decision maker responsible for ensuring that their IT equipment, specifically hard drives, are completely scrubbed of all data before returning a leased device, remarketing or recycling.
You’re not alone. A recent study highlighted in e-Scrap news found that “enterprises remain hesitant to move away from physical device destruction.”
Let’s walk through the variables so that you can confidently select the option that’s best for your organization, budget and equipment.
If you have a government contract or dealing with high security information, you may have no choice in your data destruction method. Typically, high security projects require a 2mm pulverization of solid-state drives. Other industries accept a 10mm shred size of SSD. In all other cases, standard hard drives are shred to 30mm. Some shredders have larger cutters so the shred size can be up to 70mm.
And, of course, there are other regulations that apply to specific industries such as Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act of 2002, FACTA (The Fair and Accurate Credit Transactions Act of 2003) and Payment Card Industry Data Security Standards (PCI DSS) and more.
Bottom line, if your industry and market dictate data destruction methods for retired assets, the shred vs. erasure decision has been made for you!
Age and expectations
If there aren’t regulatory mandates, knowing the age and value of the retired equipment is imperative.
When equipment is at end of life and bound for disposal or recycling, go with the least costly data destruction solution: shred.
If the equipment is a lease return or destined for remarketing, or has a large storage capacity, your best option to retain value is erasure. Your ITAD or VAR will likely expect the equipment to come back to them with a hard drive so erasure is less costly than a shred-plus-replace combination. Once again, check your contact or talk to your VAR/ITAD partner to see if there is a contractual obligation.
Erasure and shredding are both secure methods of data destruction. Three important points:
- The vendor executing this high security work is important. Be sure they’re NAID AAA Certified.
- Onsite shredding eliminates the risk of data breaches, theft or loss in transit. Read about our services here
- Erasure effectiveness is dependent on the execution of software and appropriate match to the hardware and security protocols (your VAR or ITAD can help you with this.)
The study found that 52% of surveyed organizations are physically destroying rather than selling, reusing, or donating their end-of-life IT equipment, because they believe it is “more secure than other data sanitization solutions.”
Blancco’s study suggests the physical destruction preference comes down to a lack of education, lack of communication within companies on data destruction policies, and dearth of robust regulations covering data destruction. -e-Scrap News
If you’ve determined that there are no regulatory or contractual restrictions, it’s time to compare raw costs. Ask your ITAD or VAR to provide you with an estimate for both erasure and shredding (or pulverization for SSD).
What you’ll likely find is:
Cost of shred (or pulverization for a solid-state drive) is a combined cost of pulling the hard drive (some are neatly tucked away on motherboards) from the device and shredding it. In the end, you’ve got a nice pile of metal scrap (or dust) that is guaranteed destroyed. Don’t forget that the hard drive is now missing so you may have to add back in the cost of a replacement hard drive if you want to reuse or re-sell the equipment.
Cost of erasure (or wiping or sanitizing, depending on who you talk to) is the perfect solution for lease returns or large storage hard drives or high value equipment. The downside is that the erasure of each hard drive (depending on the size and the DOD/NIST erasure protocol) can range from one to 24 hours per item. For desktop equipment (including laptops, tablets, etc.), each piece of equipment is erased one by one. Enterprise equipment can be securely erased in batches of over 200 simultaneously.
Eliminating risk isn’t rocket science
The objective of data destruction is to ensure that data that may be harmful never hitches a ride with any retired IT equipment (hard drives, USB drives, laptops, printers, copiers, POS, servers, etc.) so that it becomes an embarrassing and harmful data breach.
It shouldn’t be complicated.
If it is, talk to us and we’ll help you figure it out. Without obligation. We’re happy to give you a quick evaluation so that you can make the best decision possible. (Whatever your data destruction conundrum is, rest assured, you won’t stump us.) And, we can refer you to a VAR or ITAD if you need one.