Data Destruction: The Final Line of Defense Against Cyber Attacks
In any cybersecurity plan, it is important to have a robust inventory of all the data in your enterprise’s possession, with knowledge of where it’s stored, who it impacts, and what measures are in place to protect it. However, much of the data stored by an enterprise at any particular time may not actually be in use. Data naturally accumulates, and data that is not of use to an enterprise could still be of use to a threat actor if exfiltrated. Between the risks of data theft, and the new legal requirements imposed by laws such as the European Union’s GDPR, it is important for organizations to consider data destruction at regular intervals.
Data destruction generally means the removal of sensitive data that is no longer in use from data storage devices. This can include customer records, login details, passwords, financial data, intellectual property, and any other personal identifying information. Per the GDPR, enterprises are required to delete this data when it is no longer required. However, the method of data destruction employed can have varying outcomes. Not all forms of data destruction make data unrecoverable. In a recent data recovery study of 100 hard drives, most still contained residual data. Threat actors can potentially recover and make use of that residual data. Large enterprises can also face huge fines if their data is not disposed of properly, such as the fine Morgan Stanley faced in 2022. For both these reasons, it is a good idea for enterprises to have a data destruction solution ready to implement, preferably one that includes multiple methods of data erasure.