Cost of a Data Breach vs. Hard Drive Crusher: How You Can Save Millions

October 6, 2020 at 8:15 am by Amanda Canale

In the age of Big Data, data breaches are, unfortunately, no longer a possibility of “if” but “when.” As we get deeper into the digital age, hackers and thieves no longer need to breach a facility’s physical barriers in order to steal your or your clients’ personally identifiable information (PII). They can access your confidential information through hacking the cloud, phishing company employees via email, and other more advanced virtual methods, with some resorting to the tried and true methods of dumpster diving or surfing eBay for hard drives.

From January to June 2019 there were more than 3,800 publicly disclosed data breaches that resulted in 4.1 billion records being compromised. That’s only within a six-month time window. While the rate of data breaches so far is slightly lower in 2020, there’s no real sign of it slowing down. For example, in July of this year, financial institution Morgan Stanley came under fire for an alleged data breach of their clients’ financial information after an ITAD (IT asset disposition) vendor misplaced various pieces of computer equipment storing customers’ personally identifiable information over a period of four years.

As we’ve stated in previous blogs, introducing third party data sanitization vendors into your end-of-life destruction procedure significantly increases the chain of custody, meaning that companies face a far higher risk of data breaches every step of the way. There have even been reports of some vendors selling end-of-life devices and their sensitive information to online third parties.

As the number of data breaches increase every year, so does the cost. According to the IBM and Ponemon Institute report, the cost of an average data breach in 2020 is $3.86 million, a 10% rise over the past five years. These costs range from money lost and reputation maintenance to regulatory fines and ransomware, among other direct and indirect costs. Depending on the company’s client demographic, state privacy lawyers may also need to be hired, which adds additional costs.

Settlement newspaper headline on money

The most expensive type of record is client PII and the least expensive type is employee PII, with healthcare taking the cake as the number one industry in terms of average cost of a data breach. In the U.S., organizations pay on average $8.9 million per data breach, averaging out to approximately $146.00 per compromised record. For reference, a one terabyte (1TB) hard drive can hold up to 310,000 photos, 500 hours of HD video, 1,700 hours of music, and upwards of 6.5 million document pages. Multiply those document pages by the average cost per record and you have a hefty, burning hole in your company’s pockets.

On average, 61% of data breach costs are within the first year, with 24% in the next 12-24 months, and the remaining 15% more than two years later.  It is because of this statistic that it is important to remember that there is no statute of limitations when it comes to data breaches. Companies with proper data security and end-of-life data destruction methods are likely to pay less in the case of a data breach but for those with little or no protection methods in place, the cost could be astronomical. Take for instance, British Airlines and Marriott: the two companies suffered data breaches in 2018 that cost them both upwards of $300 million.

According to the IBM report, it can take about 280 days for a company to identify and contain a data breach. Unfortunately, some companies may not be aware of these data breaches within that time, which can increase the cost of the prolonged breach. Marriott and Morgan Stanley had only discovered their data breaches after they had both been hacked over a four-year period. In cases like these, time really is money.

The consequences of improper data destruction are endless. It’s why we at SEM stress that companies handling confidential information opt for in-house end-of-life destruction as their sole destruction method. By purchasing an in-house IT crusher, such as our Model 0101 Automatic Hard Drive Crusher, companies have complete oversight and can be certain that their clients’ information has been securely destroyed. As we’ve learned, a reactionary approach is simply not enough.

Our Model 0101 has the capability to destroy all hard drives regardless of size, format, or type up to 1.85” high, which includes desktop, laptop, and server drives. With a simple push of a button, our crusher delivers 12,000 pounds of force via a conical punch that causes catastrophic damage to the drive and its internal platter, rendering it completely inoperable. That’s a lot of force. This model has a durability rating from the National Security Agency (NSA) of 204 drives per hour but has the ability to destroy up to 2,250 laptop drives per hour.

When comparing the cost of our Model 0101 at $5,066.88 (and an average lifespan of ten years) to a possible data breach resulting in millions of dollars, the right answer should be simple: by purchasing in-house end-of-life data destruction equipment, your company is making the most cost-effective, safest, and securest decision. Think of it as VERY inexpensive insurance!

At SEM we have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

For more information on how maximizing every square foot of your facility with in-house data destruction is the best financial investment when it comes to proper data security, you can hear from Ben Figueroa, SEM’s Global Commercial Sales Director, below.

 

 

The Importance of the NIST 800-88 Standard for Media Sanitization in Secure Data Destruction

November 21, 2018 at 4:00 pm by Heidi White

pii-securityTrends in data storage are changing at an exponential rate. The past few years alone have seen the progression of data storage from large servers with magnetic media to cloud-based infrastructure with increasingly dense solid state media. Along with every technological advancement in data storage has come the inexorable advancement of data theft. As a result, the scope and level of responsibility for protecting sensitive and Personally Identifiable Information (PII) has expanded to include not only the originators of data, but also all of the intermediaries involved in the processing, storage, and disposal of data. To address these critical issues and to protect organizations and citizens of the United States, the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) has developed NIST 800-88 “Guidelines for Media Sanitization” to promote information system security for all other applications outside of national security, including industry, government, academia, and healthcare. NIST 800-88 has become the predominant standard for the US Government, being referenced in all federal data privacy laws, and has now been overwhelmingly adopted by the private sector as well.

NIST 800-88 assumes that organizations have already identified the appropriate information categories, confidentiality impact levels, and location of the information at the earliest phase of the system life cycle as per NIST SP 800-64 “Security Considerations in the Systems Development Life Cycle.” Failing to initially identify security considerations as part of the data lifecycle opens up the strong potential that the organization will fail to appropriately maintain control of and protect some media that contains sensitive information.

Confidentiality and Media Types

data-theftConfidentiality is defined by the Title 44 US Code as “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” FIPS 199 — NIST’s Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal Information and Information Systems — adds that “a loss of confidentiality is the unauthorized disclosure of information.” Bearing these definitions in mind, organizations must establish policies and procedures to safeguard data on used media. Common methodologies of illicit data recovery include basic acquisition of clumsily sanitized media either through third party sale or old-fashioned dumpster diving, or the more sophisticated laboratory reconstruction of inadequately sanitized media.

data-securityCurrently, two types of basic media exist: hard copy and electronic. Commonly associated with paper printouts, hard copy actually encompasses a lot more. In fact, all of the materials used in the printing of all types of media, including printer and fax ribbons for paper and foils and ribbons for credit cards, are considered hard copy. Electronic media consists of any devices containing bits and bytes, including but not limited to rotational and solid state hard drives, RAM, boards, thumb drives, cell phones, tablets, office equipment including printer and fax drives, server devices, flash memory, and disks. It is expected that, considering the rate at which technology is progressing, additional media types will be developed. NIST 800-88 was developed in such a way that sanitization and disposal best practices pertain to the information housed on media rather than the media itself, allowing the guideline to more successfully stay current with future innovations.

Media Sanitization – Methodologies, Responsibilities, and Challenges

Three methodologies of media sanitization are defined by NIST 800-88 as follows:

  • Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).
  • Purge applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory
  • Destroy renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of

Clear

One of the most commonly used clearing methodologies for data sanitization on magnetic media has traditionally been overwriting using dedicated sanitize commands. Note that basic read/write overwriting is never recommended as it does not address all blocks on the media. Drawbacks to overwriting using sanitize commands are two-fold: 1) it is only effective for magnetic media, not solid state or flash, and 2) this methodology is wide open to operator error and theft, as well as undetected failure.

Purge

SEM’s high security degausser can be used to purge data

A common form of purging used for magnetic media sanitization is electromagnetic degaussing, whereby a dedicated degaussing device produces a build-up of electrical energy to create a magnetic field that removes the data from the device when discharged. Degaussing has long been an acceptable form of media sanitization for top secret government information when used in tandem with a hard drive destruction device such as a crusher or shredder. Degaussing alone poses the same concerns as overwriting in that operator error or deceit remains a possibility. In addition, the strength of the degausser is critical when eliminating sensitive information from magnetic media. Typically, degaussers evaluated and listed by the National Security Agency (NSA) are considered the golden standard.

Destroy

While clearing and purging provide adequate media sanitization involving less sensitive data, destroying is the most effective and permanent solution for secure data applications. Organizations should take into account the classification of information and the medium on which it was recorded, as well as the risk to confidentiality. As the internet continues to expand and the switch from physical to digital document-keeping becomes the industry standard, more and more data holds PII information such as financials, health records, and other personal information such as that collected for databases or human resources. As a result, security-focused organizations are becoming more cognizant of the fact that comprehensive data sanitization — including destruction — must become a top priority.

ssd-2mm
SEM disintegrators shred particles to a nominal 2mm size

Industry-tested and accepted methodologies of secure data destruction include crushing, shredding, and disintegration, but even these secure end-of-life solutions require thoughtful security considerations. For example, shredding rotational hard drives to a 19mm x random shred size provides exceptional security for sensitive information. However, a 19mm shred size would not even be an option for solid state media, which store vast amounts of data on very small chips. Instead, sensitive solid state media should be shredded to a maximum size of only 9.5mm x random, while best practices for the destruction of highly sensitive or secret information is to disintegrate the media to a nominal shred size of 2mm2. In addition, some destruction devices such as disintegrators are capable of destroying not only electronic media, but also hard copy media such as printer ribbons and employee ID cards, providing a cost-effective sanitization method for all of an organization’s media.

Responsibilities and Verification

IT security officerWhile NIST 800-88 has become the industry standard for secure data sanitization, the guidelines do not provide definitive policies for organizations. Rather, NIST 800-88 leaves the onus of appropriate data sanitization to organizations’ responsible parties including chief information officers, information security officers, system security managers, as well as engineers and system architects who are involved in the acquisition, installation, and disposal of storage media. NIST 800-88 provides a decision flow that asks key stakeholders questions regarding security categorization, media chain of custody including internal and external considerations, and potential for reuse.

Regardless of the sanitization method chosen, verification is considered an essential step in the process of maintaining confidentiality. It should be noted that verification applies not only to equipment and sanitization results, but also to personnel competencies. Sanitization equipment verification includes testing and certification of the equipment, such as NSA evaluation and listing, as well as strict adherence to scheduled maintenance. Organizations should fully train personnel responsible for sanitization processes and continue to train with personnel turnover. Lastly, the sanitization result itself must be verified through third party testing if the media is going to be reused. When media is destroyed, no such verification is necessary, as the pulverized material itself is verification enough. Because third party testing can be impractical, time consuming, and costly, many organizations choose to destroy media to ensure full sanitization of data and in doing so, to greatly mitigate risk.

Conclusion

NIST-800-88NIST 800-88 was developed in an effort to protect the privacy and interests of organizations and individuals in the United States. Adopted by nearly all federal and private organizations, NIST 800-88 provides an outline of appropriate procedures for secure data sanitization that both protects PII and confidential information while reducing organizational liability. Determining proper policies is realized by fully understanding the guidelines, following the sanitization and disposition decision flow, implementing data sanitization best practices, and engaging in ongoing training and scheduled maintenance. Because NIST 800-88 guidelines do not provide a definitive one-size-fits-all solution and are admittedly extensive, working with a knowledgeable data sanitization partner is key to a successful sanitization policy.