The Growing Size of Media: Just How Much Information Can Be Stored on 1TB?

November 3, 2020 at 9:00 am by Amanda Canale

When it comes to data storage, it’s difficult for many of us to fathom just how much information can fit on a portable hard drive or basic USB thumb drive. Many of us probably haven’t even filled up our own personal hard drives or come close to it. In the age of Big Data, USBs and portable hard drives have become the technological highways that bridge data between devices.

Now let’s think about how much information and data can be stored on a one terabyte (1TB) hard drive. For reference, a 1TB hard drive is equivalent to 1,000 gigabytes (GB). Maybe a couple thousand photos? A hundred movies or so? Well, the answer may shock you so let’s break it down by media type.


Photos
Depending on the file type and size, a 1TB hard drive can hold anywhere between 250,000 and 310,000 photos. Just imagine how many family photo albums you can fill with 250,000 photos. It’s incomprehensible! Some of you may be thinking, “what would a thief want with my personal photos?” While the data stored in personal photos may not always be confidential, it’s still private and personally identifiable. This means that if a thief were to steal your 1TB drive filled with family photos, the risks of the breach can still be high, as whatever information the photographs offer is now fair game. The thief could find out what kind of material possessions you own, such as cars, jewelry, and furniture, where you like to vacation, where you live, and what you look like, making future theft and targeting that much easier.

Photographs may seem low on the ladder as far as sensitive information, but they can offer up more information than you’re probably willing to give up. Take for instance last year’s U.S. Customs and Border Protection (CBP) data breach. In June 2019, the CBP released a statement that photographs and video recordings of fewer than 100,000 people and their vehicles were stolen as part of an attack on a federal subcontractor. The photographs and video recordings were used in a growing facial-recognition program to assist the CBP in tracking the identity of people entering and exiting the United States. The photographs and footage were originally taken at various American airports and land border crossings where vehicle license plates and faces were captured over a short period of time. While the thieves were not able to capture other identifying information such as passports or travel documents, this type of breach isn’t to be downplayed as the victims are now at major risk for identity theft.


Video and Audio
Home video enthusiasts can rejoice because storing all of your family videos in one place has become so much easier. A 1TB hard drive can hold up to 500 hours of high-definition 1080p video – that’s just over 20 full days! To put that into perspective, the total runtime of all the Marvel Cinematic Universe films (23 total) is approximately 50 hours – one-tenth the amount of storage.

Have a large music library? You’re in luck, too! A 1TB hard drive can hold up to 17,000 hours of audio files, totaling approximately 708 days’ worth. Still can’t fathom that much music? Imagine listening to the entire U2 studio album discography 24 times. Or listening to the entire Rolling Stones discography 15 times. Now that’s quite the road trip playlist!

Documents
Here comes the truly mind-boggling part. If we’re talking strictly Microsoft Word documents, a 1TB hard drive can hold (…wait for it…) 85 million documents. Take that in for a moment. Eighty-five million documents. A person’s entire life can fit onto a drive and still have plenty of room to spare. Bills, social security numbers, bank account information, deeds, birth certificates, and more can be stored on 1TB which makes them a gold mine for hackers and thieves.

Leslie Johnston, Chief of Repository Development for the Library of Congress, noted that a 1TB hard drive can hold as much information as one-tenth of the Library of Congress. Now that comparison makes our heads spin! It can be scary thinking about the irreparable damage hackers and thieves can cause with that much information at their fingertips.

In the United States, a data breach can cost an organization upwards of $8.9 million on average, which works out to approximately $146 to $250 per compromised record. Now imagine how much a breach of 85 million documents would cost. The risks of a data breach can be immeasurable, and the consequences are not always immediate. You can read more about how the purchase of in-house end-of-life data destruction equipment can save you and your organization millions of dollars here.

Clearly, a single 1TB hard drive can easily hold a lifetime’s worth of information (and then some), which is why having a secure end-of-life destruction plan is crucial in protecting that data. Protect yourself, your employees, and your company against future data breaches with one of our various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

Cost of a Data Breach vs. Hard Drive Crusher: How You Can Save Millions

October 6, 2020 at 8:15 am by Amanda Canale

In the age of Big Data, data breaches are, unfortunately, no longer a possibility of “if” but “when.” As we get deeper into the digital age, hackers and thieves no longer need to breach a facility’s physical barriers in order to steal your or your clients’ personally identifiable information (PII). They can access your confidential information through hacking the cloud, phishing company employees via email, and other more advanced virtual methods, with some resorting to the tried and true methods of dumpster diving or surfing eBay for hard drives.

From January to June 2019 there were more than 3,800 publicly disclosed data breaches that resulted in 4.1 billion records being compromised. That’s only within a six-month time window. While the rate of data breaches so far is slightly lower in 2020, there’s no real sign of it slowing down. For example, in July of this year, financial institution Morgan Stanley came under fire for an alleged data breach of their clients’ financial information after an ITAD (IT asset disposition) vendor misplaced various pieces of computer equipment storing customers’ personally identifiable information over a period of four years.

As we’ve stated in previous blogs, introducing third party data sanitization vendors into your end-of-life destruction procedure significantly increases the chain of custody, meaning that companies face a far higher risk of data breaches every step of the way. There have even been reports of some vendors selling end-of-life devices and their sensitive information to online third parties.

As the number of data breaches increases every year, so does the cost. According to the IBM and Ponemon Institute report, the cost of an average data breach in 2020 is $3.86 million, a 10% rise over the past five years. These costs range from money lost and reputation maintenance to regulatory fines and ransomware, among other direct and indirect costs. Depending on the company’s client demographic, state privacy lawyers may also need to be hired, which adds further costs.


The most expensive type of record is client PII and the least expensive type is employee PII, with healthcare taking the cake as the number one industry in terms of average cost of a data breach. In the U.S., organizations pay on average $8.9 million per data breach, averaging out to approximately $146.00 per compromised record. For reference, a one terabyte (1TB) hard drive can hold up to 310,000 photos, 500 hours of HD video, 1,700 hours of music, and upwards of 6.5 million document pages. Multiply those document pages by the average cost per record and you have a hefty, burning hole in your company’s pockets.

On average, 61% of data breach costs are within the first year, with 24% in the next 12-24 months, and the remaining 15% more than two years later.  It is because of this statistic that it is important to remember that there is no statute of limitations when it comes to data breaches. Companies with proper data security and end-of-life data destruction methods are likely to pay less in the case of a data breach but for those with little or no protection methods in place, the cost could be astronomical. Take for instance, British Airlines and Marriott: the two companies suffered data breaches in 2018 that cost them both upwards of $300 million.

According to the IBM report, it can take about 280 days for a company to identify and contain a data breach. Unfortunately, some companies may not be aware of these data breaches within that time, which can increase the cost of the prolonged breach. Marriott and Morgan Stanley had only discovered their data breaches after they had both been hacked over a four-year period. In cases like these, time really is money.

The consequences of improper data destruction are endless. It’s why we at SEM stress that companies handling confidential information opt for in-house end-of-life destruction as their sole destruction method. By purchasing an in-house IT crusher, such as our Model 0101 Automatic Hard Drive Crusher, companies have complete oversight and can be certain that their clients’ information has been securely destroyed. As we’ve learned, a reactionary approach is simply not enough.

Our Model 0101 has the capability to destroy all hard drives regardless of size, format, or type up to 1.85” high, which includes desktop, laptop, and server drives. With a simple push of a button, our crusher delivers 12,000 pounds of force via a conical punch that causes catastrophic damage to the drive and its internal platter, rendering it completely inoperable. That’s a lot of force. This model has a durability rating from the National Security Agency (NSA) of 204 drives per hour but has the ability to destroy up to 2,250 laptop drives per hour.

When comparing the cost of our Model 0101 at $5,066.88 (and an average lifespan of ten years) to a possible data breach resulting in millions of dollars, the right answer should be simple: by purchasing in-house end-of-life data destruction equipment, your company is making the most cost-effective, safest, and securest decision. Think of it as VERY inexpensive insurance!

At SEM we have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

Level 6 Data Centers: Best Practices in Security

September 22, 2020 at 9:00 am by Amanda Canale

Over time, data center infrastructures have evolved from mainframes to cloud applications and can now take on various forms. The type of data center depends on the facility’s primary functions, how it is supported, and size. Based on these criteria, there are four main types of data centers: enterprise data centers, managed services data centers, colocation data centers, and cloud data centers. In addition to storing, managing, and circulating data, data centers also manage physical security systems, network and IT systems, power resources, environmental control, and performance and operational management.

Depending on the size and function of the data centers, some companies are known to have multiple centers in various locations that can store different data or serve as a centralized backup site. This helps to prevent the data from being destroyed due to natural or man-made disasters or in the instance of an outage. There are several levels to data center security, the highest level being Level 6. SEM devices are often part of a robust Level 6 data security program, as seen in this Google data center video.

Natural disasters aside, Level 6 data centers offer the utmost advances in modern data security to ensure that none of the data they store and manage gets into the wrong hands. Below we have broken down each security level within a Level 6 data center and offer an inside peek at just how difficult they can be to hack.

Level 1
Regardless of the kind of data center, the first level of security is the physical property boundaries surrounding the facility. These property boundaries typically include signage, fencing, and other significant forms of perimeter defenses.

Level 2
Once the physical property boundaries have been bypassed, the next level of security is a secure perimeter. Here, someone can enter through the main entrance gate and be met by 24/7 security guard staff, comprehensive camera coverage, smart fencing, and other perimeter defense systems. Once someone has entered the second level, the company’s security personnel have eyes on their every move.

Level 3
Level 3 finally allows physical entry to the data center…well, kind of. Even though someone may have been granted building access, they are still nowhere near the data center floor. This level requires a security search of each individual entering the data center. Employees entering the facility must provide a company-issued identification badge and be subjected to an iris or facial scan to confirm identity. In addition, most data centers only allow one person to badge in through doors at a time. All of these combined layers are to ensure that only approved personnel may enter.

Level 4
Level 4 houses the security operations center (SOC). The SOC is often referred to as the brains of the security system as it monitors the data center 24 hours a day, seven days a week, 365 days a year.  All of the previous layers of security discussed above (from camera footage, ID readings, to iris scans) are connected to the SOC and monitored by a select group of security personnel. Think of this level also as the eyes and ears of the facility.

Level 5
Level 5 is the data center floor – finally! This is where all of the company’s data and information is stored. When at this level, security is much stricter when it comes to access and only a small percentage of staff members have access to this level; typically, only the technicians and engineers so they can repair, maintain, or upgrade equipment. Even when on the data center floor, technicians and engineers only have access to the devices, but not the data itself, as all of the stored data is encrypted (another layer of security!).

Level 6
This is where all of the fun happens. And by fun, we mean data destruction. Security at this level is at an all-time high with even fewer personnel having access. It is at this level where end-of-life of all storage media happens. If a device needs to be destroyed, there is usually some sort of secure two-way access system in place, which can vary depending on the facility. This means that one person drops off the device to a locker or room and another person takes the device away to be destroyed. This step is crucial to maintaining data security protocols so only technicians assigned to the destruction room have access to the devices. It is the role of the technicians in this room to scan, degauss (magnetic media only), and destroy the retired devices.

Leaving the data center is a process just as intensive and secure as entering. Every person leaving the data center floor is subjected to a full-body metal detector and makes his or her way back through each of the previous levels. This is to ensure that no one is able to leave with any devices and each person that has entered can be accounted for when leaving.

In the destruction phase, it is NSA best practice to first degauss the device if it is magnetic media. This practice offers companies the most secure method of sanitization. SEM degaussers use powerful magnetic fields that sanitize magnetic tapes and magnetic hard disk drives. It is this act alone that renders the drive completely inoperable – which is always the goal. Not even the most skilled of hackers will be able to get any information off of the drive, simply because there’s nothing left on it to hack!

The next step is the physical destruction of the drive or device. This can be done by crushing and/or shredding. Combined, degaussing and destroying ensure that no information is susceptible to being stolen and offer the best security in the destruction of your end-of-life data.

One of the most common data destruction misconceptions is that erasing or overwriting a drive and degaussing are the same thing. They’re not. Erasing data isn’t completely foolproof as it’s possible that trace amounts of encrypted and unencrypted data can still get left behind. This becomes a gold mine for hackers and thieves, who then have complete freedom to do whatever they want with your most sensitive and classified information. But remember, degaussing is only effective for magnetic media, such as rotational hard disk drives (HDDs). Degaussing is completely ineffective on solid state drives (SSDs) and optical media; therefore, physical destruction (crushing or shredding) to a very small particle size is best practice for these devices.
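The Level 6 destruction-room workflow and the degauss-then-destroy rule described above can be checked mechanically against a custody log. The following Python code is an added example, not SEM's or any data center's own tooling; the log format (serial, media type, event, operator), the event names, the finding labels, and the sample records are all constructed for illustration.

```python
# Media classes as the article groups them: degaussing only works on magnetic media.
MAGNETIC = {"hdd", "tape"}
NON_MAGNETIC = {"ssd", "optical"}

# Constructed sample custody log (hypothetical format): serial,media,event,operator
SAMPLE_LOG = """\
SN-1001,hdd,dropoff,alice
SN-1001,hdd,pickup,bob
SN-1001,hdd,scan,bob
SN-1001,hdd,degauss,bob
SN-1001,hdd,destroy,bob
SN-1002,hdd,dropoff,alice
SN-1002,hdd,pickup,bob
SN-1002,hdd,scan,bob
SN-1002,hdd,destroy,bob
SN-1003,ssd,dropoff,carol
SN-1003,ssd,pickup,bob
SN-1003,ssd,scan,bob
SN-1003,ssd,degauss,bob
SN-1004,tape,dropoff,dave
SN-1004,tape,pickup,dave
SN-1004,tape,scan,dave
SN-1004,tape,degauss,dave
SN-1004,tape,destroy,dave
SN-1005,optical,dropoff,alice
SN-1005,optical,pickup,bob
SN-1005,optical,scan,bob
SN-1005,optical,destroy,bob
"""


def parse_log(text):
    """Group log lines by serial number, preserving event order."""
    devices = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        serial, media, event, operator = (
            fields[0], fields[1].lower(), fields[2].lower(), fields[3].lower())
        dev = devices.setdefault(serial, {"media": media, "events": []})
        if dev["media"] != media:
            raise ValueError(f"line {lineno}: media type changed for {serial}")
        dev["events"].append((event, operator))
    return devices


def audit_device(media, events):
    """Return a list of findings for one device; an empty list means compliant."""
    findings = []
    first = {}  # event name -> (position in log, operator) of its first occurrence
    for idx, (event, operator) in enumerate(events):
        first.setdefault(event, (idx, operator))

    # Two-way access: one person drops off, a different person takes it away.
    if "dropoff" not in first or "pickup" not in first:
        findings.append("custody-gap")
    elif first["dropoff"][1] == first["pickup"][1]:
        findings.append("same-person-handoff")

    if "scan" not in first:
        findings.append("not-scanned")

    if media in MAGNETIC:
        # Magnetic media must be degaussed before physical destruction.
        if "degauss" not in first:
            findings.append("missing-degauss")
        elif "destroy" in first and first["degauss"][0] > first["destroy"][0]:
            findings.append("degauss-after-destroy")
    elif media in NON_MAGNETIC:
        # Degaussing does nothing to SSDs or optical media; flag reliance on it.
        if "degauss" in first:
            findings.append("degauss-ineffective")
    else:
        findings.append("unknown-media")

    # Every retired device must end in physical destruction.
    if "destroy" not in first:
        findings.append("not-destroyed")
    return findings


def audit_log(text):
    """Audit every device in the log; returns {serial: [findings]}."""
    return {serial: audit_device(dev["media"], dev["events"])
            for serial, dev in parse_log(text).items()}


if __name__ == "__main__":
    for serial, findings in audit_log(SAMPLE_LOG).items():
        print(serial, "OK" if not findings else ", ".join(findings))
```
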

Regardless of the type and size of data center, implementing security layers like the ones listed above and destroying end-of-life data in-house are always best practice. By doing so, companies can be confident that their data has been successfully destroyed. Some companies make the mistake of opting for a third-party data sanitization vendor. When going the third-party route, individuals and companies forfeit any and all oversight, which leaves plenty of room for drives to be stolen, misplaced, and mishandled. It is this level of negligence, whether at the hand of the company or vendor, that can cause catastrophic damages to the company, its brand, and its customers.

Hackers do not discriminate. So regardless of the industry, purchasing in-house, end-of-life data destruction equipment is well worth the investment simply because it is impossible to be certain that all data has been destroyed otherwise. This can in turn potentially save the company more time and money in the long run by preventing breach early on.

At SEM we have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation – including Level 6! Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your company or federally regulated destruction needs.

Debunking Hard Drive Destruction Misconceptions

September 9, 2020 at 2:18 pm by Amanda Canale

In October 2019, Blancco, an international data security company, released an article discussing various end-of-life data destruction methods and comparing drive destruction to data erasure. While we agree with some of what was written, we’d like to clear up a few things.

In the article, Blancco recommends weighing the level of impact certain end-of-life data can have in the case of a data breach combined with how quickly the data may age out. They then suggested basing the method of sanitization off of that assessment. We want to stress that there should never be an assessment of this nature when handling sensitive, confidential, or personally identifiable information (PII). It is always best practice to treat all end-of-life data as never aging out and having a potentially high level of harm if breached as both can be impossible to predetermine. Remember, there is no statute of limitations when it comes to data breach, meaning that an end-of-life drive can cause a breach years after it was discarded.

While some companies argue that drives should be reused as a more economical option, we disagree. By reusing devices, a company risks leftover unencrypted or encrypted data getting into the wrong hands. Companies should future-proof their end-of-life data destruction procedures to ensure the prevention of future data breaches. This will not only save them time and money in the long run but also prevent damage to their customer base and reputation. (It’s better to be safe now than sorry in the long run!)

Blancco also notes that using a third-party vendor to sanitize and destroy end-of-life data and devices is an option. Morgan Stanley recently came under fire for the alleged data breach of their clients’ financial information after an ITAD (IT asset disposition) vendor misplaced a number of pieces of computer equipment that were storing customers’ personally identifiable information (PII). Even though Blancco suggests carefully researching and vetting the vendors to ensure they are properly destroying your devices, introducing a third party significantly increases the chain of custody and companies face a far higher risk of data breach every step of the way when opting for this route.

While there are some reputable data sanitization vendors out there, it can be far too easy for ITAD vendors to misuse, mishandle, and misplace drives when in transportation, and in the actual acts of destruction and disposal. There have even been reports of some vendors selling end-of-life devices and their sensitive information to online third parties. We suggest getting rid of ITADs altogether if they’re part of your device destruction procedure simply because the security risks can be unpredictable and potentially catastrophic. Instead, we suggest purchasing one of our NSA listed devices, keeping the chain of custody within the company, and conducting all destruction in-house. You can read more of our thoughts on Morgan Stanley’s data breach here.


A common data destruction misconception is that erasing or overwriting a drive and degaussing are synonymous with one another. Unfortunately, that kind of thinking can quickly become dangerous depending on the kind of information you are looking to destroy. While methods such as cryptographic erasure and data erasure would allow the drive to be used again, as Blancco suggests, you run the high risk of leaving behind sensitive data which can become a gold mine for hackers and thieves.

While degaussing is not possible for the destruction of end-of-life data on solid state drives (SSDs), SEM always recommends following NSA standards and degaussing all magnetic media, including hard disk drives (HDDs), prior to destruction. Solid state drives (SSDs) and optical media do not require it as part of the destruction process but crushing and/or shredding is recommended. By degaussing HDDs, companies are choosing the most secure method of data sanitization per NSA guidelines as this is the only way companies can be certain that their data has been properly destroyed. When magnetic media is degaussed, the machines use powerful magnetic fields to sanitize the magnetic tapes and drive, wiping all sensitive information from the device. This act renders the drive completely inoperable, which should always be the goal.

Once the device has been degaussed, it should be physically destroyed. The combination of degaussing and physical destruction for HDDs is without a doubt the most secure method of ensuring your end-of-life data stays at the end of its life. Not even the most skilled of hackers will be able to get any information off of the drive, simply because there’s nothing left on it to hack!

Regardless of the catalyst for end-of-life drive destruction, it is always best practice to conduct destruction and degaussing in-house. It is also important to remember that a data breach is a data breach, no matter the level of impact. Blancco writes that, “not all degaussing machines are adequate to the task of demagnetizing all HDDs.” They’re right.

At SEM we have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your company or federally regulated destruction needs.

Think Your End-of-Life Data is Destroyed? Think Again!

August 25, 2020 at 9:00 am by Amanda Canale

When it comes to our personal data, some companies will go above and beyond to obtain it. Unfortunately, some companies don’t always take the same time and care when it comes to the destruction of that data. Recently, Morgan Stanley has come under fire for the possible data breach of their clients’ information. On July 10, the financial institution issued a statement to their clients that there were “potential data security incidents” related to their personal information.

The incidents, which occurred over a span of four years, were caused by an ITAD (IT asset disposition) vendor misplacing a number of pieces of computer equipment that were being used to store customers’ personally identifiable information (PII).


A company like Morgan Stanley risks data security breaches every step of the way when opting for a third-party route; this can cause irreparable damage not only to their clients but to their brand as well. The belief that recycling hard disk drives (HDDs) and solid state drives (SSDs) is best practice can, unfortunately, lead to major consequences.

While there are some reputable data sanitization companies in existence, if a company chooses to utilize an ITAD vendor instead of conducting end-of-life destruction in-house, the number of safety risks can be immeasurable. It can be far too easy for an ITAD vendor to mishandle or misuse drives when in transportation, being sorted by staff, and in the actual acts of destruction and disposal. Some contracted salvage vendors have even been known to sell the equipment they are given to online third parties.

It is a scary but common misbelief that simply erasing drives clean is enough to keep your information safe. When erasing data off of a drive, it’s possible that unencrypted and encrypted information can linger and be easily accessible by hackers. Morgan Stanley chief information security officer, Gerard Brady, wrote, “The manufacturer subsequently informed us of a software flaw that could have resulted in small amounts of previously deleted data remaining on the disks in unencrypted form.”

While Morgan Stanley has issued a statement promising that they will pay for two years of credit monitoring for their customers whose data may have been breached, it frankly isn’t enough for some clients as this possible breach may not affect them until much later.

“There is no statute of limitations on future data breaches,” writes Bob Johnson of the National Association for Information Destruction (NAID). “If a hard drive turns up five or 10 years down the road with personal information on it, it is still a data breach plain and simple. Ignoring missing or improperly wiped electronic media today simply means there are a bunch of time bombs floating around.”

It is for this particular reason that we at SEM stress that all hard disk drives be degaussed and destroyed, and that this be done in-house. When destroying data in-house, companies can be positive that the data is successfully destroyed, whereas when it is given over to a vendor, the company forfeits any and all oversight. SEM degaussers use powerful magnetic fields to sanitize the magnetic storage media, which renders the drive completely inoperable. No matter what the industry, purchasing in-house, end-of-life data destruction equipment is well worth the investment simply because it is impossible to be certain that all data has been destroyed otherwise. This can in turn potentially save the company more time and money in the long run by preventing breach early on.

While Morgan Stanley was unaware of the dangers that come with hiring third party data sanitization companies, they, along with their clients, are unfortunately the ones who are left to suffer the consequences of the vendor’s negligence.

At SEM we have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your personal or regulated destruction needs.

(To read more about how one’s trash can easily become another’s treasure, read one of our previous blog posts here.)

New CUI Directive Defines Latest Targets and Final Implementation Dates for all Executive Branches

May 27, 2020 at 8:46 pm by Flora Knolton


The Latest ISOO announcement details new target dates for policy, training, and implementation.

WESTBOROUGH, MA, May 26, 2020 —On 14 May 2020, the Information Security Oversight Office (ISOO) released CUI Notice 2020-01: CUI Program Implementation Deadlines (the “Notice”), which includes specific dates of implementation and deadlines for affected government agencies that handle or store Controlled Unclassified Information (CUI). The Notice applies to all Executive Branch agencies.

The Notice references 30 June 2020 as the deadline for the initialization of an awareness campaign for workforces within agencies that have access to CUI. By this date it is expected that relevant agencies will be able to define and identify potential CUI within an office as well as summarize the actionable plan the office will follow to properly store, dispose, and in the case of legacy material, re-mark and reuse said CUI information.

The deadline for agencies to draft their policies detailing CUI guidelines moving forward is 31 December 2020. By this date, now current policies must be rescinded or modified with a policy that satisfies the new mandates set by ISOO for individual agencies to follow, and these policies will be implemented over the course of the following calendar year. The use of any Classification Marking Tools (CMTs) in the labeling and marking of CUI materials must also be updated by the 31 December 2020 date.

“The CUI implementation timeline is a critical step towards data security in the U.S.,” said Andrew Kelleher, President and CEO of Security Engineered Machinery (SEM). “We applaud ISOO for their tireless efforts in safeguarding CUI. By ensuring all agencies are storing, labeling, and destroying CUI data appropriately, we can help protect government agencies and the citizens of our country as a whole.”

All physical safeguards must be in place by 31 December 2021, including how an agency ensures CUI is kept out of sight and out of reach from those who do not have access. All agencies that store CUI information in Federal Information Systems must additionally have those systems updated and configured to no lower than Moderate Confidentiality impact value, as outlined in 32 CFR 2002.14.

In addition, training on the policy for an agency’s workforce including sub-agencies must be implemented and completed by 31 December 2021. This includes detailing CUI’s purpose, individual responsibility, and destruction requirements. Destruction requirements for end-of-life CUI should be as detailed as possible and, at a minimum, follow specifications outlined by the National Institute of Standards and Technology (NIST) Special Publication 800-88, Guidelines for Media Sanitization. It should be noted that NIST 800-88 specifically states that paper containing sensitive information such as CUI must be destroyed to a 1mmx5mm final particle size at end-of-life, which is the same final particle specification as classified information destruction.

“Technology advancements have made it easier for criminals to reconstruct data, whether on digital or traditional media,” added Heidi White, SEM’s Director of Marketing. “Ensuring that end-of-life media is destroyed to the appropriate specifications, which for CUI is NIST 800-88 standards, cannot be overstated.”

The Notice can be read in its entirety here.

Security and Recycling Don’t Have to be at Odds

December 21, 2019 at 3:01 pm by SEM

When people think of information destruction, they typically do not associate it with being environmentally responsible. However, that assumption is wrong. Today there are many alternative solutions that help make information destruction more environmentally friendly.

Paper

When shredded into a cross-cut or strip-cut particle, paper can be put into the recycling stream and be used to make new paper. In the past, when paper was shredded into a classified particle, the only option was a landfill. This was because paper is extremely hard to handle once it is this size and it has little, if any, recyclable value.

Today we have the option of briquetting. Briquetting compacts the confetti-like paper into small cylindrical samples, a 9:1 volume reduction. More importantly, a briquette has recyclable value. These briquettes can be used by paper mills as filler for cardboard boxes and manila folders. Also, a study performed by Penn University found that a briquette sample has the burn value of soft coal, with half the carbon emission.

Hard Drives

In today’s society we are storing more and more information on hard drives and other forms of media. Because of this, there has been a large demand for hard drive shredding. After being shredded, you may think that the end particle is useless and wonder what to do with it. This shredded hard drive actually has a recyclable value in the aluminum, magnets and PC board. The market for this is always fluctuating, but you will typically see an average recyclable value of $.35-$.40 per pound.

Other Forms of Media

Optical Media – These plastics can be recycled

Floppy Disc – The metal hub and plastic outer casing have recyclable value

Blackberries/PDAs – Once the battery is removed, the plastics can be recycled

Computers/Printers – The CPU boards and plastics can be recycled

Today it is very important to be environmentally friendly and to put this into practice in any way possible. One thing I recommend is that when you have something you plan to destroy, check with a local recycling company because it may actually have a recyclable value.

How to Store Physical Media Waiting for Destruction

October 14, 2019 at 1:48 pm by Paul Falcone

Waiting for the Right Time

Old records. Outdated hard drives. Scratched optical media discs. What happens when there’s data that is no longer needed or is on failed media? Simple.

Destroy it.

But oftentimes destruction doesn’t happen at the same time storage devices are discarded or replaced. For example, when upgrading all the computers at a base or business, sometimes the old hard drives are set aside because just throwing them out is not an option, and the location does not have access to data destruction equipment or the budget to hire a third-party company to do it securely at the time. Depending on the information on those drives, precautions and policy should be in place that dictate how physical media containing information should be stored and protected when it reaches its end-of-life.

Depending on the organization or business, a data destruction policy may be in place that details all of these steps on a data storage device’s path to its end-of-life. This can range from a small business locking up old data in a cabinet to top secret government agencies requiring information be kept in a SCIF location. But if there’s no data policy in place, here are a few tips to help with storing old and obsolete data until it’s time for it to be destroyed.

Storing Old Data

All old data, especially sensitive data such as Personally Identifiable Information (PII), Controlled Unclassified Information (CUI), Personal Health Information (PHI) or classified information should be kept in a location that is locked and secure. Leaving drives on desks, in drawers, or in boxes accessible to anyone can result in data leaking out from internal personnel. Leaving data out in the open can also result in it being mistakenly thrown out with regular trash, which can then be recovered outside of the building or facility from which it originated. Once the data is out, it can be found by anyone, and it could eventually find itself in the wrong hands.

So, where do you keep it? The best option will be to have a secure, dedicated area for old data storage, which will always be better than randomly deciding when the time comes. Having a dedicated area helps establish consistency as data continues to be turned over and updated, which assures that the data will not become lost. To ensure the information is secure, a security storage container or safe would be beneficial for the dedicated area.

Data policy should also be in place so that physical media waiting to be destroyed can only be accessed by a select few preapproved employees, limiting the number of people who come into contact with the data. The selected employees in charge of handling the data should be educated on the risks of data leaks and know the severity of mishandling PII and a company’s or organization’s data. This education and these personnel limits can help not only with keeping track of where the data is, but also with reducing the risk of an uneducated or unaware employee mistaking the data for something else.

Documentation of who accesses or moves the old data is also critical for transparency and responsibility. By keeping a document that lists the date, time, and reason for accessing the data, an organization can be sure that the data is secure and being kept track of. This can serve as a way to notice red flags if names appear that shouldn’t be on the list, or if someone is around the data who did not follow proper protocol.

Following all of these tips can help protect physical media while it’s waiting to reach its end-of-life. By establishing a secure area, limiting personnel, and documenting the process, a company or organization can rest easy that old data won’t fall into the wrong hands while waiting to be properly disposed of and destroyed.

The Shifting Sands of Data End-Of-Life Destruction

October 7, 2019 at 1:09 pm by Paul Falcone

Ever-increasing data volume is driving change in technology and associated compliance regulations

In this age of Big Data, consumers and organizations alike demand the ability to harvest, create, store, and analyze more data without compromising operation speed. The need for increased storage capacity hard drives and optimal transference of data often eclipses what is currently available on the market. However, things will change soon with the planned introduction of innovative data-writing technologies that will serve to “cram” more data on a disk (i.e., write more data on less surface), thereby increasing data density to yield larger-capacity hard drives.

At the same time, mandated compliance regulations concerning data security are constantly evolving to keep pace with the ever-changing landscape of more complex technology and heightened criminal sophistication. The National Security Agency (NSA), Central Security Service (CSS), National Institute of Standards and Technology (NIST), and Information Security Oversight Office (ISOO) work to keep federal standards of data storage and destruction ahead of cybercriminals, who continue to discover new ways of breaching data security walls. Likewise, numerous regulations are also in place for commercial organizations.

Organizations working with data pertaining to classified information, controlled unclassified information (CUI), information for official use only (FOUO), sensitive but unclassified information (SBU), personal health information (PHI), or personally identifiable information (PII) must be vigilant about following trends in data technology, data-security regulations, data crime, and data end-of-life destruction; otherwise, they risk exposure to a data breach.

Recent trends of note

Manufacturers of data storage technology are always trying to accommodate consumer demand, while simultaneously serving the high security needs of organizations and government agencies. Recently, consumer products such as video cameras and camcorders have become significantly more sophisticated, providing users with a more powerful and engaging experience—and storing more data than ever.

For example, a mere ten years ago it was rare to have the average consumer fill even a one-terabyte hard drive. Today, consumers are “chomping at the bit” for more and more memory-storage capacity within their machines, so they can rid themselves of external hard drives, thumb drives, and discs.

As mentioned, this development has prompted major hard drive manufacturers such as Seagate and Western Digital to develop new writing technologies that increase data density. In turn, this requires that more durable materials be used in hard drive construction. Essentially, since data will be “packaged” closer together within the hard drive, it’s critical that construction materials be highly stable and only modifiable during the writing process. These denser hard drives are commonly referred to as enterprise drives since they are typically found in enterprise environments. This will make destroying “average” hard drives analogous to destroying enterprise hard drives, which are engineered to withstand higher temperatures and 24/7 usage, and are constructed with heavy-duty components. As such, organizations will be forced to adapt and/or upgrade their data storage and data destruction capabilities. Currently, SEM is the only manufacturer to engineer devices specifically for enterprise drive destruction.

Given these developments, it’s not surprising that legislation regulating data destruction continues to get more stringent. The new standards for CUI established by the ISOO in Executive Order 13556 are a prime example. The directive delineates clear requirements for the destruction of CUI at the end of life. Specifically, all paper containing CUI must be destroyed by using either cross-cut shredders that produce particles no larger than 1mm x 5mm or by using a disintegrator equipped with a 2.4mm security screen. Any agency in the public or private sector that handles CUI, FOUO, PII, or SBU is subject to regulation under Executive Order 13556.

Likewise, the NSA and the CSS act jointly to keep the NSA/CSS Evaluated Products Lists for secure data destruction up to date with current standards for government classified data. Standards exist for all types of storage media, including solid state and hard disk drives, magnetic media, optical media, and paper. Recently, new standards for optical media were issued that require CDs to be destroyed to a maximum edge size of 5mm, and DVDs and Blu-ray Discs to be destroyed to a maximum edge size of 2mm. (Previously, requirements for DVDs were 5mm and Blu-ray Discs could only be incinerated.) As these standards change, previously compliant destruction devices may no longer be acceptable, forcing users to adapt.

As the industry innovates, so do the criminals

In recent years, the growth of massive data breaches has reached a level that has affected branches of government, some of the largest businesses in the United States, and even entire cities and municipalities. In response, the NSA/CSS and the ISOO continue to “raise the bar” on data destruction manufacturers to produce devices that can better prevent destroyed data from being reassembled and used maliciously.

All agencies and businesses that collect, house, and destroy classified, CUI, FOUO, PII or SBU must ensure data is protected from the moment of collection until the end-of-life, in accordance with the standards established by the appropriate agency. Any organization not in compliance leaves itself vulnerable to a catastrophic data breach that could put its employees, vendors, partners, and/or customers at risk.

In short, as data destruction security standards tighten, government agencies and private businesses must always ensure that the destruction devices they use are compliant.

When considering your organization’s data destruction process, it behooves you to plan for stricter regulations than currently required. By doing so, you will save on the associated costs of meeting new requirements as they are introduced. At SEM, we offer equipment that often exceeds the specified requirements for destruction, such as our Model 344 paper shredder and our line of enterprise class drive destroyers.

HDD vs. SSD for Data Storage: Which is Better?

September 3, 2019 at 3:04 pm by Paul Falcone

Technology is advancing, and life as we know it is becoming more and more digital. As a result, data storage is a vital part of everyday life. The question is raised whether a hard disk drive (HDD) or a solid state drive (SSD) is better for data storage. Both have their benefits, but which one is truly better to use?

HDDs

Hard disk drives are data storage devices that store data via magnetic storage, which uses platters to store and retrieve data. HDDs store the data on rotating disks coated with magnetic material. The data is stored and retrieved by actuator arms, which read or write data on the platters. HDDs have the advantage of being cheaper and storing more data; however, they are slower than SSDs, and they are susceptible to magnets, which could cause a loss of data.

For destruction, HDDs are physically destroyed either by shredding or crushing. Crushing applies force to the drive chassis, which renders the internal platters and the read/write heads irrecoverable. For shredding, the device uses cutting edges to rip the drive apart, and disposes of it by shredding it to pieces. Shredders are faster and better to use in bulk, but crushers are equally effective for small amounts of dead drives. For even more protection, HDDs should be degaussed prior to physical destruction. Degaussers work by subjecting magnetic media to a strong magnetic field that removes data from data bearing surfaces. The magnetic field can be created either by powerful magnets or an electromagnetic discharge. For classified HDD media disposal, the National Security Agency (NSA) requires a two-step process of degaussing followed by physical destruction in either an NSA listed crusher or NSA approved shredder.

SSDs

Solid state drives use integrated circuits to store data. In layman’s terms, the data, rather than being on a disk and having to be found by a read/write head, is instead stored in cells and can be accessed instantly. SSDs have the advantage of providing quicker access to data, which in turn makes the computer run faster. Furthermore, unlike HDDs, they are not magnetized, so they are not susceptible to magnets. On the downside, they store less data per drive than HDDs and are also more expensive. Interestingly enough, despite the additional speed of access, an SSD uses less power than an HDD. Also, due to SSDs having fewer moving parts, they have better longevity than their HDD counterparts.

Due to the way SSDs store data, they must be destroyed using an SSD-specific destruction device, which creates a smaller final particle size than HDD destruction devices. If even a tiny chip on an SSD is left undamaged, data can be recovered. The NSA requirement for disposal of classified solid state media is a final particle size of 2mm, which is exceedingly small and requires a dedicated, costly device for destruction. For all other applications, from Unclassified to CUI to commercial to PII, a solid state shredder or crusher is perfectly acceptable. As long as each chip is damaged, the data is non-recoverable.

It is important to note that for data stored on either type of drive, the best way to ensure that it is disposed of properly is to have on-site destruction. On-site destruction reduces risk from outside vendors and third parties and allows the data to be monitored and tracked throughout the entire disposal process. SEM’s data destruction devices are available in a variety of sizes and throughputs so that every security-conscious organization has a cost-effective, efficient, and secure option for on-site data destruction.

Conclusion

When it comes to choosing between an SSD or HDD, there isn’t really one correct answer. When making the decision, it is important to weigh the pros and cons of each. If you are looking for an inexpensive way to store a lot of data, an HDD is the optimal choice. If you are looking for speed, longevity, and better power usage, an SSD is better. Something very important to keep in mind when choosing between disk drive types is that if they are used to store sensitive data, the more cost-effective option is an HDD, as they store more data and are far easier and less expensive to destroy. However, if an SSD is better suited to your application, ensure that an SSD destroyer is on hand for when the drive reaches its end-of-life.