Is Your Data Disposal Plan GDPR-Ready?

November 21, 2018 at 3:29 pm by Heidi White

gdpr-readyWith GDPR just around the corner, data security has been enjoying some much-needed time in the limelight. Never before has there been such a hyper-focus on the protection of sensitive data, particularly confidential and personally identifiable information (PII) such as healthcare records, personal data, financial information, and legal records. While data privacy conversations have more traditionally revolved around identify theft issues, the new GDPR regulation prioritizes the fiduciary responsibility of all sensitive and personal information.

Savvy organizations began planning and implementing their GDPR compliance programs months ago. Because of the numerous ways in which GDPR mandates data privacy across all storage media and within all facets of an organization, a comprehensive compliance program requires a well-researched, detailed approach with multi-departmental buy-in and execution.

healthcare-data-securityFor example, a healthcare provider possessing sensitive patient data in the form of medical records is obvious. What would not be so obvious would be the numerous other places where a patient’s PII may reside. The scheduling department keeps PII such as address and birthdate, the billing department has financial and insurance information, while the marketing department may possess email and browsing data for patient communications. And let’s not forget the backup servers. Personal data is literally everywhere.

Safeguarding sensitive data throughout an organization is critical, and many organizations are well aware of the need for firewalls, passwords, physical security measures, encryption, and employee training. What may be more of a need and challenge for some organizations is GDPR’s Article 17 Right to Erasure, also known as the “right to be forgotten.” While it is not an absolute, the basic premise of Article 17 is that an individual’s request to have his data removed must be honored within 30 days. In some instances, the request is not realistic. For example, banks must retain records for a minimum of seven years, so deleting the data would be in direct conflict to an existing legal mandate. However, Article 17 states that individuals have the right to have their personal data erased without undue delay if the data is no longer necessary for the purpose for which it was originally processed or collected, and this applies in a large number of cases with consumer transactions.

online-data-securityConsumer transactions typically include the storage of personal information such as address, phone, and payment information. While large organizations may have their own servers and storage solutions and are therefore more easily able to purge a consumer’s data from their system, the thousands of smaller organizations typically rely on outside vendors and cloud storage providers to manage their data. Data stored in the cloud is actually housed in data centers, where data is duplicated across multiple drives in an effort to create redundancies that help to mitigate data loss when drives fail — and drives DO fail on a very regular basis. After all, these drives are running 24 hours a day, seven days a week, year-round, so their life expectancy is understandably rather short. When a drive fails, the data it contains is still for the most part intact. Therefore, a comprehensive data disposition program should always include drive destruction so that personal data is not compromised at end-of-life. But end-of-life is only part of the problem. Smaller organizations and others who outsource their data storage must confirm with their providers that their data removal policy is GDPR compliant and must include policies and procedures for the Right to Erasure in their GDPR programs.

GDPR is a broad and encompassing regulation that is actually long overdue. While implementing a GDPR program is proving to be more challenging than organizations may have originally thought, particularly with regard to Article 17 and the Right to Erasure, the safeguarding of data and the diligent focus on data privacy have been positive results of GDPR. In a time where data breaches and identity theft are increasing exponentially, the implementation of a means by which to protect our privacy and security is most welcome.

The Ticking Timebomb: Data Breach from Hardware End-Of-Life

November 20, 2018 at 3:54 pm by Heidi White

data-securityAs everyone in the industry knows, cybersecurity is a hot commodity these days. According to a definition by Techopedia, cybersecurity refers to preventative methods used to protect information from being stolen, compromised, or attacked. There are any number of ways to protect networks and data storage facilities from cyberattacks, and these methodologies are constantly evolving. Just as the flu virus mutates in reaction to vaccines, so do cybercriminals modify their nefarious behaviors in response to cybersecurity enhancements. Therefore, cybersecurity must constantly evolve, becoming more sophisticated and invasive. However, an often-overlooked area of cybersecurity leaves organizations susceptible to data breaches: hardware end-of-life.

Google-data-denter
Google Data Center, The Dalles, Oregon. Google data centers utilize SEM data destruction devices. Photo courtesy of Tony Webster.

As cloud storage continues to expand at an exponential rate, data centers are popping up all over the globe, and these gargantuan facilities are expected to safeguard the vast amount of data they store. It is now commonplace for data storage facilities to employ a Chief Security Officer (CSO) or a Chief Information Security Officer (CISO) in an effort to stay ahead of hackers and criminals. CSOs and CISOs ensure that data centers are secure and protected by implementing sophisticated products and services including password protection, anti-virus/anti-malware software, software patches, firewalls, two-factor authentication, and encryption methods, all of which come at an extremely high economic cost. According to the 2017 Official Annual Cybercrime Report sponsored by Herjavec Group, it is predicted that global spending on cybersecurity products and services will exceed $1 trillion over the five-year period of 2017 to 2021. Clearly, organizations understand the criticality of a comprehensive data security plan. So why is hardware end-of-life, which is relatively inexpensive in comparison to other cybersecurity spending, not part of this plan?

The answer is simple: a devastating breach has not yet occurred through drive recovery. But it’s only a matter of time.

Airmen from the 341st Communications Squadron at Malmstrom Air Force Base replace worn computer parts, destroy used hard drives, and check system functions as part of their daily operations. The US Air Force utilizes SEM IT destroyers. Photo courtesy Malmstrom Air Force Base.

While it is well understood that recovering files from failed and erased hard drives is relatively simple, much of the evidence in hard drive recovery is anecdotal. Students from various higher learning institutions including MIT and University of Vancouver have conducted studies that found drives sold on eBay to contain sensitive data. Criminals in Africa are well known to salvage old drives from landfills and mine the data for identity theft. Even NAID has conducted a study that found sensitive information on eBay drives. Even more alarming is Idaho Power Company learning that over one third of the drives they had contracted to be destroyed and recycled actually ended up on eBay – along with the sensitive, confidential company and employee data they contained. And there are myriad similar studies and evidence of data recovery from failed or erased drives.

So where is the public outrage and demand for more secure drive disposal? The reality is that there has not yet been a truly significant breach as a result of hardware end-of-life recovery. The NSA has long understood that hardware end-of-life leaves sensitive information vulnerable, and they have strict regulations in place for dealing with information disposal, from paper to optical media to hard drives. But many organizations seem to think that erasure, overwriting, or a quick drill to the drive is “good enough” — dangerous thinking that could not be more erroneous.

SEM’s line of hard drive destroyers eliminate data and meet regulatory requirements.

Truly security-minded organizations understand that the only way to ensure data security and privacy at hardware end-of-life is on-site drive destruction. And while some forward-thinking CSOs and CISOs have already implemented such measures, most have not. It is only a matter of time before a major (read: expensive) breach occurs as a result of end-of-life drive recovery, at which time the masses will demand an explanation as to why drive destruction had not been addressed in the first place. To which I will say, “I told you so.”

Data Security and Third Party IT Asset Disposition – a Paradox

November 17, 2018 at 4:29 pm by Heidi White

Data security is a hot topic these days, and for good reason. In 2017 alone, 1,579 data breaches occurred in the United States with an average cost of $7.35 million per breach. According to the 2017 Data Breach Year-End Review released by the Identity Theft Resource Center (ITRC) and CyberScout, the 2017 breaches represent an unprecedented 44.7 percent increase over the record breaking number of breaches in 2016, and the number is only expected to grow. In fact, it is anticipated that the global cost of cybercrime will exceed $2 trillion by 2019, which is three times the 2015 estimate of $500 billion.

financial-dataThe top five categories of organizations affected by data breaches include general business, medical/healthcare, banking/credit/financial, education, and government/military, in that order. These categories certainly make sense since they are the organizations that house the most sensitive, and therefore illicitly valuable, data. It should come as no surprise that of these organizations, government/military rounds out the bottom with less than five percent of total breaches. After all, the federal government understands the need for secrecy, and has set the bar for data security and privacy. Even commercial organizations are now trying to implement best practices originally dictated and instituted by government agencies, including the Department of Defense (DoD), the National Security Agency (NSA), Homeland Security, and the Department of Securities and Exchange.

Data breaches affect the privacy and security of individuals, businesses, and governments while costing the breached organization extensively. Costs include everything from covering credit monitoring for affected individuals to settling lawsuits to lost business and reputation. Cost per record of a U.S. data breach is an astounding $245, while the average number of exposed records is over 28,000. Add to that the fact that, according to Soha Systems Survey on Third Party Risk Management, 63 percent of all data breaches are linked to third parties such as vendors, contractors, or suppliers, while only two percent of IT professionals consider third party security a top concern. Clearly, the criticality of data security throughout its lifecycle, including end-of-life which is typically either controlled by a third party IT asset disposition company or ignored altogether, cannot be overstated. The grim reality is that businesses are fully responsible for the data that they collect and store, and a breach resulting from third-party culpability does not deflect liability.

digital-dumping-ground
Agbogbloshie, Ghana – Many young men are developing cancer in their 20s as a result of the toxicity of the environment from discarded electronics

It is easy to illustrate the severity of data insecurity resulting from third parties. Ghana, well known to be one of the top sources of cybercrime globally, is home to Agbogbloshie, a digital graveyard in the slums on the bank of the exceedingly polluted Korle Lagoon. This area, known as Sodom and Gomorrah by outsiders, is one of many computer and electronics landfills around the globe. Not only is this area an environmental disaster due to the antimony, arsenic, lead, mercury, and other toxic metals leaching into the water and soil from the electronic devices, it is also a hotbed of sensitive data waiting to be exposed. The discarded computers and electronic devices found in Agbogbloshie come from developed nations around the globe including the United States. Originally pitched to the locals as a means to help with the digital divide, these electronic “donations” actually contain less than 50 percent working computers with the rest being simply electronic trash. The residents have learned to salvage the devices or their parts to turn a small profit, but the real threat comes from the organized crime in the area that scours the drives for personal or sensitive information to use in scams or blackmail.

used-hard-drive
Used hard drives being sold on Lamington Road in Mumbai, India

As part of an investigation into this digital dumping ground, journalism students from the University of Vancouver, British Columbia purchased seven hard drives at a cost of $35 from an Agbogbloshie e-waste dealer. What they found was shocking: credit card numbers, social security numbers, bank statements, as well as personal information and photos. They also retrieved a sensitive $22 million dollar U.S. defense contract from U.S. military contractor Northrop Grumman’s hard drive, which also contained sensitive contracts with NASA, the Transportation Security Administration (TSA), and Homeland Security. And all of this came from just seven hard drives.

In 2003, two Massachusetts Institute of Technology (MIT) graduate students published a study regarding their purchase of 158 hard drives from places such as eBay and small salvage companies. Of these, 49 contained sensitive information including PII, corporate financials, medical data, and over 5,000 credit card numbers. One of the students, Simson Garfinkel, is now the US Census Bureau’s Senior Computer Scientist for Confidentiality and Data Access and the Chair of the Bureau’s Disclosure Review Board. Prior to that, he was a computer scientist at the National Institute of Standards and Technology (NIST).

old-hard-driveIn yet another 2003 study, Tom Spring from PC World Magazine acquired ten used hard drives in the Boston, MA area from thrift stores and salvage yards. Nine of these ten drives contained sensitive data including social security numbers, credit card numbers, and banking statements, as well as tax, medical, and legal records. Using the information found on the drives, Spring contacted the original owners of the drives, some of whom had contracted electronics disposal or recycling companies to erase their hard drives.

In 2006, Idaho Power Company learned that 84 of the 230 hard drives they had contracted salvage vendor Grant Korth to sanitize and recycle had actually been sold to third parties on eBay. These drives contained sensitive information including proprietary company information, confidential correspondence, and employee data including social security numbers.

In 2009, Kessler International, a New York based computer forensic firm, purchased 100 drives from eBay over a period of six months. 40 of these drives were found to contain sensitive, confidential, and personally identifiable information as well as corporate financials, personal photos and emails, and even one company’s secret French fry recipe.

NAIDIn 2014, the National Association for Information Destruction ANZ (NAID-ANZ) published a study regarding their purchase of 52 used hard drives from eBay and other third parties. The recovered drives came from law firms, accountants, medical facilities, educational institutions, and numerous individuals. Data recovered included medical records, social security numbers, tax and financial information, sensitive court case documents, personal photos and videos, bank statements, confidential client information, disability insurance applications including highly sensitive personal financial and medical information, profit and loss statements, employee HR files, company invoices, and spreadsheets including name, address, phone number, salary, DOB, and occupation. Of the drives with recoverable information, over 90 percent of them had deleted or formatted partitions, a clear indicator that the owner had made an attempt to sanitize the data prior to disposal.

We could go on and on.

When disposing of end-of-life data, many companies turn to data disposal or recycling vendors and assume that their drives — and the data they contain — are being handled responsibly and safely. The reality is far different. While there are certainly many reputable data sanitization companies, it is just too risky to entrust sensitive information to any third party, simply because of the unknown. In addition to sloppy or greedy third party IT asset disposition companies, there are a growing number of sham recyclers in operation – companies that offer to pick up and recycle PCs for free, then actually sell them to cyber criminals specifically so they can mine the data they contain for illicit activity.

SSD-shredder
Hard drive being destroyed in a SEM combo shredder

The only truly secure method of IT asset disposition is drive destruction. While it is tempting to make a few dollars per drive by sending to a recycler or attempting to wipe and resell, the potential cost of a data breach far outweighs any financial gain from reselling. The National Security Agency has long known this truth and requires rotational platter based hard drives to be both degaussed (erased) AND physically destroyed prior to disposal. Not only does drive destruction through crushing, shredding, or disintegration ensure data privacy and security, it also is environmentally responsible. Shredded hard drive scraps are more easily sorted for metals recycling, leaving a smaller quantity of true waste and less likely to end up in Agbogbloshie.

The Missing Link in Cloud Security

November 16, 2018 at 4:16 pm by Heidi White

cloud-securityDefinition of Cloud Security from the Cloud Security Alliance (CSA):
Cloud security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

Recently, there has been a hyper focus on cloud security — and with good reason. According to a report by McAfee titled “Building Trust in a Cloudy Sky: The State of Cloud Adoption and Security,”cloud services are now a regular component of IT operations, utilized by more than 90% of organizations globally. In fact, 80% of all IT budgets are committed to cloud apps and solutions. Service companies have the highest adoption of public cloud platforms with engineering and government having the highest adoption of private clouds. Amazingly enough, this surge in cloud adoption is not equally met with security and trust with only 23% of organizations today trusting public clouds to keep their data secure. And yet, 62% of organizations reported storing personal customer information in public clouds.

cloud-data-securityThese statistics indicate that cloud security is lagging far behind cloud storage and adoption — similar to cell phone batteries. Cell phone technology continues to advance at an exponential rate while cell phone battery technology advancements are sluggish at best. As a result, cell phone battery life continues to be a major consumer issue regardless of the technological advancements made by cell phone manufacturers. What good is a beautiful, high resolution screen with lightning fast processor if the phone can’t handle the battery load? Likewise, cloud security threats have escalated alongside cloud data expansion due in large part to the sheer number of records now being stored. For example, the number of data breaches from 2014 to 2015 actually decreased, while the number of compromised records containing sensitive information more than doubled from 67 million to 159 million in the same time period. The decreased number of data breaches is indicative of the consolidation of cloud data storage providers, and yet the large increase in compromised records show that one data breach affects far more records today than it did just five years ago.

IT-asset-managementAs a result of the serious challenges presented by cloud data security, numerous methodologies have been recommended in an effort to combat the reputation degradation and astronomical cost associated with compromised data. Some of the more frequently utilized processes include user authentication, encryption of data both in transition and at rest, ongoing vulnerability testing, role-based access control (RBAC), intrusion detection and prevention technology, and staff training. In addition, the establishment and enforcement of cloud security policies is critical to the success of any data protection program. In researching cloud security, any number of articles and guides can be found that address the aforementioned strategies. An incredible amount of focus is placed on encryption, end point security, user controls, and conducting security audits. All of these strategies focus on protecting data from digital threats such as hackers and bots, which is of huge importance. However, a critical piece of security control is missing from most data security plans – an end-of-life policy.

circuit-boardCloud security providers who actually define an end-of-life strategy are rare, and a comprehensive program is even rarer still. Many providers erroneously think that erasing or overwriting a disk is sufficient, or more unsound thinking that a failed drive is precisely that – failed, and non-recoverable. Unfortunately, nothing could be further from the truth. Drives that were “erased” have shown up on eBay with sensitive information and overwritten and failed drives invariably contain original data that is fairly easy to recover. Criminals and thieves tend to be one step ahead of security and law enforcement initiatives, and cyber criminals are no exception.

Degaussing followed by crushing is one methodology for sanitizing hard drives that has been approved by the NSA.

Fortunately, many compliance regulations do address data end-of-life, which is why any cloud security provider should adhere to an appropriate regulation. Whether HIPAA, FACTA, FISMA, PCI DSS, or the most stringent NSA requirements, these compliance regulations are put in place to protect sensitive data and personally identifiable information from falling into the wrong hands whether through firewall vulnerabilities or data retrieval at drive end-of-life. In-house data destruction is the ideal way to securely manage drives at end-of-life; however, the method of data destruction varies greatly depending on volume, location, regulatory requirements, and operational procedures. There are many data destruction devices available from high security disintegrators capable of handling up to 500 drives per hour to enterprise specific, portable, and NSA listed solutions. There is simply no one-size-fits-all solution when it comes to data destruction; therefore, organizations looking to incorporate data destruction into their cloud security program should receive a thorough evaluation to determine which solutions best fits their need. One thing is for sure: no cloud security program is complete without addressing end-of-life destruction.

Many third-party providers offer drive end-of-life services, including degaussing and crushing as well as shredding. But while it is possible to outsource data disposal to third parties, it is NOT possible to outsource risk. Therefore, security-minded organizations must evolve towards a risk mitigation approach to data security that includes in-house data end-of-life destruction and disposal. By maintaining a proactive approach to security operations, companies and businesses can reduce the reputation degradation, frantic clean-up, and astronomical cost that typically comes with a reactive approach. Cloud security should not and cannot follow the path of the cell phone battery without disastrous consequences.

10 Cybersecurity Tips for Small Businesses

November 15, 2018 at 4:02 pm by Heidi White

Information Security — The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Cybersecurity — The ability to protect or defend the use of cyberspace from cyber attacks. —”Glossary of Key Information Security Terms”, NIST IR 7298

cybersecurity-dataIn today’s digital world, threats to cybersecurity are everywhere. Data breaches are rampant and indiscriminate, affecting businesses of all sizes from small mom and pop shops to massive organizations like Target and Massachusetts General Hospital. Cybercrime is one of the fastest growing illicit activities today, and businesses are now wondering not if they will be a victim of cybercrime, but when. With key preventive measures including employee education, established policies, and implemented best practices, proactive companies can avoid becoming yet another statistic in the world of cybercrime. As longstanding experts in sensitive data security, SEM is pleased to share these 10 cybersecurity tips for small business.

1. Educate Employees

employee-data-breachThe fact that human error is by far the biggest contributor to data breaches cannot be overstated. Educating employees on safe email usage, avoiding phishing scams, ensuring safe social media practices, and safeguarding personal information is critical to the success of any cybersecurity policy. Ensure that employees are using password best practices including updating passwords every 90 days, at a minimum. Also, educate employees on the importance of secure socket layer protocol and to never submit company or personally identifiable information (PII) over an unsecured network.

2. Implement a Device Policy

As business becomes more mobile, so do the possibilities of data theft. If employees’ devices such as phones or laptops have access to confidential company data, require that employees encrypt data, password protect their devices, and understand reporting procedures in the event of a data breach. Employees who work from home should be required to protect their home network behind a firewall.

3. Always Update

update-softwareAntivirus protection, operating systems, system software, and company firewalls only work to protect against breaches when they are kept up to date. As security threats constantly evolve, so do software patches and updates. Install updates as soon as they are released and implement a clear software update policy.

4. Establish IT Best Practices

Standardize a backup plan for all data on the network, including HR files, payroll information, spreadsheets, documents, and all other critical information. Only allow IT staff and key personnel to install software or have administrative rights to company devices. In addition, credentials should be required for access to any company device, and all employees should be given their own unique user names and strong passwords. Encrypt and hide the company’s WiFi network to avoid outsider access.

5. Identify Threats, Vulnerabilities, Likelihood, and Risks

threat-vulnerability-riskThreats come in the form of cyber or physical attacks, human error, accidents (natural or manmade), or resource failure (software, hardware, etc.), while vulnerabilities are the causes of these threats and include items such as outdated software and hardware, untrained staff, and minimal policy enforcement. Likelihood combines the threat with the vulnerability and assigns a rating. For example, the threat of being exposed through a phishing scam combined with inadequately trained staff equates to a high likelihood rating. Once threats, vulnerabilities, and likelihood are explored, a risk assessment can be formulated along with resulting consequence. At that point, the decision to accept or mitigate the risk can be made. Acceptance of the risk should only be considered if the consequences or the likelihood are low.

6. Establish a Data Breach Response Plan

Just as an Emergency Response Plan (ERP) is critical to minimizing loss of life during a natural disaster, so a Data Breach Response Plan is critical to mitigating data loss and resulting expense in the event of a data breach. An effective Data Breach Response Plan should include items such as the following:

  • Documentation of events prior to and immediately following the discovery of a data breach
  • Transparent and immediate communication to all employees including how they should respond to external inquiries and the press
  • Activation of a designated response team, in particular legal council, to determine if regulatory agencies or law enforcement should be notified
  • Identification of what caused the breach as well as implementation of a plan of action to fix it
  • Plan of action based on legal counsel with regard to compliance regulations and other mandates affecting messaging, notification, and possible compensation to breach victims
  • Messaging and schedule for notification of those with compromised data

As with an ERP, a Data Breach Response Plan must be continually updated — annually at a minimum.

7. Communicate ROI

Many companies discount the implementation of a sound cybersecurity policy due to costs that are not easily justified. While the fact remains that no tangible Return on Investment (ROI) for a cybersecurity policy exists, the potential cost of NOT implementing one could be catastrophic. According to the 2017 Cost of Data Breach Study, the cost per record for a data breach was $255, with the average total cost of a data breach being $3.62 million. A cybersecurity policy, and the associated costs, are critical to the protection of a company’s data — and resources.

8. Talk to a Professional

Businesses who do not have dedicated IT professionals on staff or whose IT staff is not fully trained in cybersecurity should consider hiring an outside consultant to implement their cybersecurity policy. As previously stated, ROI for such a hire is not readily apparent. However, one breach can spell disaster — including business closure — for some smaller companies. The cost of hiring a professional to set up an effective data security policy far outweighs the potential risk and subsequent cost of not doing so.

9. Establish an Information End-of-Life Policy

SEM devices meet all compliance regulations and shred hard drives to client specifications.

Often overlooked, information end-of-life policies are critical to a successful cybersecurity plan. The most comprehensive cybersecurity policy still presents high risk if retired or failed data storage devices are improperly disposed of or discarded. Security-minded organizations must identify the confidentiality of the information, the media on which it is stored, and any required regulatory compliance measures. All PII should be considered confidential information that needs to be sanitized prior to disposal. Several methodologies of data disposal exist, from erasure to degaussing to shredding to disintegration, and the best solution is typically identified through a consultation with a data disposition expert.

10. Explore Cyber Insurance

Cyber insurance is not for everyone, but it makes sense to have the conversation with an insurance broker — but only AFTER a security program is already in place! Rates and qualifications have not been standardized and are solely based on overall business security health and ensuing risk.

Solid State Devices: Destruction Overkill?

September 19, 2018 at 8:54 pm by Heidi White

data-securityOrganizations frequently use paper shredders and computer media destroyers that are approved for the highest security materials they ever have, using that equipment for all of their materials in a single stream process.  Also common is to get the highest security level device that is available, even it goes well beyond the level of destruction mandated for or customarily used for the materials they actually have.  This could be called a “better safe than sorry” philosophy for media destruction.

For some information destruction equipment, like office paper shredders, choosing the most secure equipment for everything can often work out alright.  This choice will almost always be more costly than selecting the minimum security level device for each type of material for which it will be used.  However, a greater cost is often accepted in return for the confidence of having the greatest possible degree of information destruction.  For paper shredders, the highest security level means the smallest particle size, typically produced by NSA listed models.

SSD-destructionThe situation for solid state media destroyers is very different.  As a rule, dramatically greater hassle and cost will come from choosing the most secure possible device.  Solid state materials include whole solid state drives, flash memory sticks, thumb drives, circuit boards with flash storage, cell phones, and some smart cards. The highest security level for destroying these types of materials is the NSA standard, currently set at a maximum of 4mm squared, with compliant devices typically producing a particle size of 2mm x 2mm.  This particle size is required by the NSA for classified solid state items.

At the time I am writing this, the choices for NSA listed SSD destroyers are minimal.  There is only one office friendly device with extremely limited capabilities.  There are also a couple of large industrial type devices suited for folks with large spaces and large budgets.  With the current set of choices, getting an NSA listed SSD destroyer means enormous costs. Adding to the large initial cost, operational labor (due to very slow throughput), replacement parts, repairs, and preventive maintenance are very high for these machines.

shred ssdThe reality is that many organizations don’t need an NSA level of destruction for all of their solid state materials.  Often the classified items are only a very limited part of the mix.  In these cases, there are a few ways to save a lot of money and hassle.  If none of the solid state items to be destroyed are actually classified, there are machines that are many times faster, much more rugged, and are a small fraction of the cost of the NSA listed machines.  These devices produce high to extreme levels of destruction, well beyond any reasonable likelihood of reconstruction of any data.  If only a portion of the items in the mix is classified material, a major bump in productivity plus significant savings can come from using one of these lower cost devices for the unclassified items.  Even if an NSA listed SSD destroyer is brought in, the load on it can be reduced by using a second machine for the unclassified materials.  This type of dual stream process can save many times the cost of the second machine in terms of reduced purchases of repairs, maintenance, and spare parts.

When it comes to solid state media destruction, for folks whose materials are all or mostly unclassified, going with general purpose SSD destroyers offers these benefits over NSA listed SSD destroyers:

  1. Up to 20 times faster throughput
  2. Minimal service needs, even zero service needs through thousands of cycles
  3. Ability for most models to take whole SSDs with no assembly
  4. Models that run off of regular 120V wall current
  5. Dramatically lower cost for the equipment, ongoing service, and parts

Of course, technologies change over time.  New products will surely come out.  NSA certifications will change.  It is a moving parade over longer time scales.  But, for now, a great strategy for dealing with solid state media destruction that is partly or totally unclassified is to get a good general purpose SSD destroyer that provides a satisfactory level of destruction.

Bob Glicker, Mid-Atlantic Regional Sales Manager, has over 35 total years of sales experience with over 23 years of targeted government sales experience. Bob prides himself on providing the highest level of service to his government clients, and he enjoys working with key resellers. Bob received his BS in Chemistry from the University of Maryland, College Park. In his free time, Bob enjoys a variety of activities including gym workouts, cycling, reading, and listening to podcasts. He is also an avid science lover, an amateur juggler, a vegetarian, and the quintessential family guy.

Hard Drive and Solid State Media End-of-Life Destruction

August 27, 2018 at 2:36 pm by SEM

Where do hard drives go when they die? You can’t just toss them in the trash. There’s too much sensitive information on them that could result in significant liabilities. So what should you do? Before you can decide what to do, you also need to identify the sensitivity of the information and type of media that needs to be disposed.

Information Types

While there are many acronyms and levels of information, it’s actually reasonably simple if you break it down into two categories. The first high security information, which is information that is typically found in the highest levels of government. So sensitive that it may pose a threat to the defense of our country. The second is sensitive information. In today’s world where criminals are trying to steal identities or proprietary information, virtually all information is now sensitive. This is most applicable in the health care, financial, banking and retail industries as well as education and state/local governments.

Media Formats

Once you have categorized the type of information, you need to determine how the data is stored? High security and sensitive information is found on a wide variety of storage devices – the bulk of which is either stored magnetically on magnetic media formats like hard disk drives and back-up data tapes or stored on chips found on a solid state devices like an SSD drives, thumb drives, cell or phones.

HDD-vs-ssd

Means of Destruction

While there are a variety of methods to erase data such as degaussing magnetic media or implementing an erasure software program, in the end, the most effective method is to combine the data erasure with a method to physically destroy the media. One such physical destruction method is the use of a hard drive shredder.

But do I need a shredder that is designed for platter based magnetic drives and another one for solid state drives?

Not necessarily.

While systems that are designed specifically for either platter based drives or storage chip based devices are certainly highly efficient, a combo unit, like the SEM Model 0315 HDD/SSD COMBO shown here, deploys two separate openings that feed cutting chambers designed to effectively shred either a magnetic platter based HDD and/or a solid state chip based device. The magnetic media HDD side of the shredder will reduce the media to a particle size that is as small as .75” while the other side is designed to shred the solid state device down to .375” (9.5 mm), small enough to insure that all of the storage chips on the media are destroyed. Other combo units with greater throughput capacity are also available here.

HDD-SSD-combo-shredder
SEM 0315 Combo

What Solution is Best?

Once you have identified the type of information and the formats in which the data is stored, you can make an informed decision of which solution best meets your end-of life data storage requirements. If the bulk of your media is either magnetic media or solid state media, consider a system designed specifically for that form of media. However, if your organization stores data on both forms of media, an all-in-one combo system that effectively shreds both may be the answer.

Don’t forget SEM is always here to help guide you through the decision making process. If you have any questions, feel free to contact us today!

An IT Destruction Audit Trail – How to Simplify the Process

August 23, 2018 at 2:47 pm by Heidi White

HDD-degaussIf you deal with sensitive drives, the NSA/CSS requirements for destruction of classified and higher drives requires that they first be degaussed by an NSA approved degausser and then physically destroyed. This 2-step process is not complete without the third critical step: documentation/destruction audit trail of everything destroyed. Therefore, you must properly document before you degauss and then destroy.

An important part of any HDD/SSD media destruction program is the accurate creation of a complete end of life audit trail.  Until now it has been up to the operator of the degausser/destruction equipment to fill out the appropriate tracking form by hand, recording the serial numbers of the drives destroyed so there is a record of who, what, where and when they were destroyed.  This is a very time-consuming and tedious process, and one that is prone to unintentional errors in the serial numbers recorded.  The need for accuracy in this documentation is extremely important in the event of an audit or the need to track a specific drive — especially a classified one.

The iWitness is a plug and play documentation tool that is both accurate and time-saving

Whether you have ten drives or 10,000 drives to destroy, an easy way to streamline the process and dramatically increase the speed and accuracy while gathering additional information on the specific drive’s destruction is to automate the process using the SEM iWitness audit-friendly media tracking and end-of-life documenting solution.

The iWitness is a simple plug and play, end-of-life documentation tool for IT destruction. The iWitness consists of a laptop with a 15” screen, a handheld barcode scanner, and pre-loaded iWitness software, and is the only system that is fully SCIF compliant right out of the box.  This SCIF compliant system is completely stand-alone and does not need to connect to a network. The software is installed on a guest account, the Wi-Fi and Bluetooth are disabled, it has no cameras, and writes to a CDR — absolutely no USB is required. The iWitness system is the ideal solution for classified environments and SCIFs.

The iWitness comes complete with a laptop, scanner, and pre-loaded software

The process is simple: just scan an HDD or SSD bar code and the software records the media and documents the erasure status and gauss level, after which the information can be exported to a cross-compatible CSV file and saved to a CDR or, if preferred and not in a SCIF, a USB drive. The iWitness not only keeps an audit trail, it also prompts the operator through every step of the process, so no step is missed. The software records manufacturer, model, serial number, destruction method and device used, operator name, time, and date.  In addition, the iWitness can be easily customized to record additional drive information as required.

This machine is compatible with the SEM EMP-1000HS and EMP-1000 degaussers, as well as the entire line of SEM HDD/SSD crushers, shredders, and disintegrators. It can also be used with non-SEM destruction devices if preferred. When used with an SEM degausser, the iWitness system provides erasure verification by recording the Pass/Fail status and the magnetic field strength communicated directly from the degausser via a barcode displayed on the degausser’s LCD panel, which can be scanned with the iWitness to confirm sanitization.  This is an exclusive compatibility feature of SEM degaussers; however, competitive degaussers can also be used without this feature.

The SEM iWitness offers a full-featured solution to the cumbersome chore of filling out various documentation forms, making your audit trail recording a breeze. The iWitness complies with all major security requirements including NIST SP 800-36/NIST SP 800-88, PCI DSS, HIPAA, FACTA, FISMA, PIPEDA, GLBA, CCPA, and FCC standard. If time savings, increased recording accuracy, operational simplicity, and regulatory compliance are important to your organization, the SEM iWitness would be a great addition to your media destruction program.


Mike Wakefield, Southeast Regional Sales Manager, has over 34 years of sales experience, 25 of which have been with SEM, and he is a Subject Matter Expert in data destruction and government contracting. Throughout his career at SEM, Mike has worked with key clients including the federal government, U.S. military, defense contractor community, and Fortune 500 companies. Mike prides himself on being able to anticipate new markets and emerging technologies while also working with the intelligence community to meet current and future needs, all while protecting the environment.

Maintenance Matters

July 24, 2018 at 2:27 pm by Heidi White

Yes, maintenance matters. The main purpose of maintenance is to ensure that all equipment required for production is operating at 100% efficiency always. Simply stated, it’s less to maintain than repair.

When you are fortunate enough to work for a company like SEM that employs a full department of service technicians, you know you are in great hands.  I recently walked out of my office, walked to the factory floor, and decided to interview the newest member of our team to the most senior and those not on service calls in between.  The result: “It’s like owning a car. “What’s more interesting, when I walked over to the business side and asked what are the three most important things you need when buying a car? Not one person said a maintenance plan.

Why are both conversations just as important? We want the shiny, solution-based machine to do the work it was intended: destroy after we decommission for security and compliance purposes in the data center.  Yes, those shiny machines are EPL listed, support the NIST standard, are approved for compliance with SOX and more, but wait — you are putting drives with platters 10 high through them, blades are shredding them, and you must maintain? Is that another set of decision makers and supply chain engagement? You bet that is.

The SEM service team

Back to the car.  Models don’t matter, users do.  The “business” purchases the machine, the “users,” the security staff, the facility ops, and the decommissioning team (or however you are structured) now must maintain it.  They don’t want to own this task in many cases. For the record, there are some data centers that are very appreciative of their people when doing this task — and they are doing it well.  It’s the minority.

I don’t change my own oil or rotate my tires; rather, I happily pay someone. As Don Donahue, head of our Technical Service Team, stated, “If you don’t maintain equipment, it will let you down.”  The net net: pay for maintenance upfront or pay for service at a higher cost later. In the end you are still going to pay. The question is, can you afford down-time? With what level of risk are you secure?

Safety — let’s go there.  If your car is making weird noises and you keep driving it, thinking “I’ll get to it after one more errand,” you’re gambling with your own safety. Likewise, if your data destruction device is making weird noises and you think “just one more drive to destroy,” you’re asking for trouble. It’s like the insurance company commercial: “We’ve been here, we’ve seen this”.  Don’t go there. Choose safety first, because it matters.

Whether brakes and tires or bearings and belts, parts wear out. Wouldn’t you rather hear the service maintenance person tell you they replaced the belts because there was wear without you asking or assuming everything was fine?

“But the operational manual says….”  Hold that phone.  Do you drive your vehicle the exact same way that I drive my Volvo? No.  Do you put the exact same drives through your destruction machine that we do? No. Manuals are guidelines, you can argue until the belts break but, in the end, I drive my car in the Northeast through horrors of snow and ice with no garage, while you drive your car in sunny California and have a climate-controlled garage. From humidity to environmental erosion to mis-use to proper use, no miles or hours on a machine will be the same.

Now you understand no two experiences are the same, but the common understanding is the necessity of maintenance of your machines. Each of us will value this investment differently, but which one of us will do it for preventative reasons and which one will do it as an emergency?

For the record, when I buy a car it’s about the maintenance and warranty – I spend too much time at SEM to not be smart – maintenance first and then the machine. By the way, my Volvo not only doesn’t break down – it’s also sapphire blue.

In-House Hard Drive Destruction: More Affordable Than You Think

June 27, 2018 at 10:43 am by SEM

What’s the best in-house hard drive destruction for today’s drives?

The most commonly used hard drives in today’s computing world are the 3.5”, 2.5”, and 1.8” form factor drives. In fact, they represent over 95% of the drives being used in today’s offices. Larger drives only represent a small portion of the drives that are in use today. So what is the best method of hard drive destruction?

Until recent years, a practical solution for in-house destruction was not available other than deleting software, drilling holes in the drives, burning, or other methods that are not very practical and did not guarantee any level of security. From a security standpoint, there is no substitute to controlling your own IT destruction program in-house, especially if user-friendly, affordable equipment is available that can be utilized by IT personnel.

Crush a Drive. Use an SEM Model 0101.

This device represents final destruction for some companies while other high security government organizations use them to disable drives after they have been magnetically degaussed to NSA standards. The Model 0101 takes up very little space (22” h x 10”w x 19” d) and can easily be transported to other locations. A deployment case is available for easy transport. The method of destruction is a hardened, pointed conical punch that comes in contact with the drive with 12,000 lbs. of force, causing trauma to the drive chassis and internal platter. The process takes about 10 seconds. While it sounds kind of menacing, this unit is actually quiet, safe, and requires minimal maintenance. It is also very affordable and ideal for in-house destruction.

Hard Drive Shredding. Try an SEM Hard Drive Shedder.

Several years ago, the average hard drive shredder needed its own building! It was so big that it was only practical for most organizations to use an outside destruction service or salvage company when HDD’s needed to be shredded. Nowadays, there are plenty of options. When volume or total destruction is needed, the SEM hard drive shredder series is your best solution. These units have amazing destructive power with a very small footprint. They will destroy from 500-3,500 drives per hour and power consumption is minimal. They are quiet, compact, and built to last. Numerous safety features are incorporated into the design. Maintenance is minimal and can be done by your own company personnel or by PM contract with the manufacturer.

What is Magnetic Degaussing?

Degaussing is a method for destroying hard drives that utilizes powerful magnets. The SEM Model EMP1000-HS meets NSA EPL (Evaluated Products List) guidelines for destroying classified drives. Other commercial grade degausses are also available from SEM. All units are extremely safe, compact, and very practical for in-house destruction. All degaussers can also be bundled with HDD shredders or crushers if drives need to be destroyed after magnetic erasure as required by NSA.

For more information, Please visit www.semshred.com or call us at 800-225-9292 to speak to your representative.