Having spent 10+ years in the hardware recycling industry, I’ve seen firsthand how the best organizations in the world keep data secure at the end of the hardware lifecycle. In this blog post, I’ll share what I’ve learned: best practices for hardware disposal, how data destruction has evolved over the years, and why organizations must adapt their end-of-life IT asset management strategy to become more secure, efficient, and sustainable.
With data breaches becoming increasingly common, protecting sensitive data is now more important than ever.
In this blog post, we’ll explore how to keep data safe during hardware disposal — sharing modern-day best practices for data sanitization, hardware disposal, asset management, and more.
Data sanitization and destruction: past and present
When a device is ready to be disposed of, data destruction is critical for protecting sensitive information and minimizing risks of data leaks. But data destruction and sanitization methods have evolved over the years, reflecting changes in technology and environmental concerns.
The traditional method of data destruction
A decade ago, physically destroying hard drives on-site was a standard procedure to prevent data theft. At the time, computers were modular, and hard drives were unencrypted and could easily be removed. This posed a very real risk of sensitive data being accessed by unauthorized individuals. Additionally, the risk of transporting unencrypted devices led to a preference for on-site shredding, due to concerns that a lost device during transport could lead to a data breach.
For many forms of hardware — though not all — the traditional method of physical destruction has fallen out of favor. Other methods are equally secure, while also being more environmentally friendly and cost effective.
On-site vs. off-site destruction
Physical destruction can happen two ways: on- and off-site. On-site shredding requires an e-waste partner to visit a client’s office and shred hardware, typically in the client’s loading dock. This approach, however, carries several risks and drawbacks.
With the shift from desktops to laptops as the primary form of deployed hardware, especially post-Covid, laptops pose unique challenges to destroy. Hard drives are now permanently soldered onto motherboards, making their removal or destruction challenging. Additionally, the batteries in laptops are often glued in, making their removal extremely difficult. In many cases, accessing the motherboard requires removing the battery, adding another layer of complexity to the process.
Following NIST 800-88 guidelines, which mandate either a destructive rewrite process or physical destruction, remains essential. A decade ago, compliance often meant on-site shredding. This solution was practical given the types of machines in use and how easy it was to remove a hard drive from a desktop computer. However, with the shift to laptops as the primary data-bearing asset and evolving hardware designs, this method is no longer as effective.
Additionally, it’s recommended that an IT professional from the client’s side supervise the shredding process — a time-consuming task that detracts from their ability to work on critical tasks. On-site shredding services are not only costly and time intensive, but also generate metal dust, which poses significant health risks when inhaled.
In contrast, most hardware that requires destruction can be done off-site at the vendor’s facility, eliminating the need for complex and resource-intensive on-site procedures. The hard drive shredders at off-site facilities are typically more powerful than mobile shredders, resulting in a more efficient destruction process. This efficiency not only saves time, but also alleviates the need for IT personnel to be present during the shredding and reduces costs, streamlining the overall procedure.
The new approach to data destruction
For modern companies that were built in the cloud, there is generally little need to physically destroy devices, with the exception of specific scenarios (for example, broken devices beyond repair or failed hard drives).
With the ability to lock computers via MDM, robust data encryption, and fortified endpoint security, breaking into today’s laptops is virtually impossible. This holds especially true for mobile devices like phones and tablets, which are notably challenging to destroy. All of these factors have compounded the complexity of physical destruction, whether it’s done on- or offsite. Moreover, it also makes the process more expensive, despite its growing obsolescence.
Historically, desktop computers were not disposed of until their data was destroyed, due to concerns about data breaches throughout the supply chain. While software-based data wiping was always an option, removing and shredding the hard drives was often faster and simpler. Today, this is no longer the case. Modern hard drives, which are securely locked, can be easily transported with significantly less risk. For example, in a workforce with remote or hybrid employees, the standard procedure of shipping back a laptop upon an employee’s departure is both secure and efficient. The laptop, which has substantial data on it, is shipped back with minimal risk.
Today, data destruction is primarily done through software. Hardware recycling vendors use world-class data erasure software that guarantees the secure and permanent removal of sensitive data. The software issues individual Certificates of Destruction (CODs) per data-bearing asset, proving that data has been disposed of (provided that it was successfully wiped). If a device is unable to be wiped, it will undergo physical destruction. However, the proportion of devices requiring this measure is steadily decreasing. It’s worth noting that wiped computers often result in higher earnings than destroyed ones. In most cases, the destruction process ends up incurring service charges for customers.
To further safeguard data, a reputable recycling vendor’s data sanitization should meet or exceed the standards set forth by both NIST 800-88 and the Department of Defense. Additionally, their processes should be independently audited by a third party, verifying that they’re following the processes they built. They should be certified in ISO 9001, ISO 14001, and ISO 45001 — the industry standards for third-party auditing.
Best practices for secure hardware disposal
To ensure data security throughout the hardware disposal process, here are some best practices:
- Wipe all data-bearing devices before you give them to a recycling vendor. You have the option to use an MDM or do it manually, though the latter approach is less efficient. Although your vendor will conduct their own data wiping process, doing it yourself provides an extra layer of insurance.
- Keep applicable devices enrolled in your MDM program — do not remove it from Apple DEP, Jamf, Microsoft Intune, etc. Wait for the vendor to send you an initial serialized report of received assets before removing them from the MDM.
- For seamless hardware disposal, make sure all hard drives are encrypted and that your username and password-protected devices are controlled via MDM.
- Prepare a list of all assets being given to the recycling vendor. This can be generated from your ITAM tool by filtering by the designated status for retired devices. Include non data-bearing end-of-life assets as well.
- If an ITAM system isn’t in place, you have the option to manually compile a list of assets with serial numbers, model numbers, and makes, since your assets are still enrolled in your MDM with encrypted hard drives. However, it’s worth considering the necessity of this task for fully depreciated, locked down assets. Creating a detailed list is beneficial if you’re required to track data-bearing assets like servers or laptops for security purposes. Alternatively, another method would be to photograph your assets and perform a hard count of each device, which can then be reconciled against the final report from the vendor.
- Create a procedure for managing broken devices. This policy should involve sending damaged devices to a designated repair partner. Once there, assess the repair costs to determine whether to fix the device or designate it as end of life. These devices are important because many of them are data-bearing machines that do not boot, and data cannot be wiped from them.
- Retrieve all devices from any existing employees. Having full control over hardware lifecycle management is an integral part of data security, and getting remote laptops back is becoming increasingly more difficult.
Traditional vs. modern approaches to end of life & IT lifecycle management
Over the past decade, end-of-life processes have evolved significantly. Modern IT lifecycle management marks a shift toward more efficient, sustainable, and technology-driven practices. This transformation represents a more cost-effective and data-secure way of handling IT assets, aligning with modern business needs and environmental sustainability.
Today, organizations must adapt to protect sensitive information. Effective data destruction, efficient tracking, secure hardware disposal, and choosing the right recycling partner are all critical steps to mitigate risks and ensure compliance.