The UK economy is in recovery: can we be confident that the government is being prudent with the finances at their disposal? What about the physical destruction of SSDs?
At a time when the UK economy is on a path of recovery and the government is turning to the public to help rebuild it (through tax increases and inflation), can we be confident that the government is spending cash wisely?
2022 has seen the cost of living spiral, with inflation at an all-time high and a 1.25% increase to National Insurance tax. Yet the UK government and its public sector organisations are currently spending upwards of $6.9 million (£5.5 million) a year on the unnecessary destruction and replacement of solid-state drives (SSDs), despite the availability of more economical alternatives. An SSD is a data storage device widely used both independently and within laptops, desktops, and servers.
This overreliance on physically destroying data-bearing assets is not only costing the UK government millions in taxpayers’ money, but it’s also an open invitation to bad actors to commit data fraud if the data on those devices is mismanaged. The environmental cost of physical destruction is a further concern, because of an increase in electronic waste (e-waste) during a global call for more prudent environmental stewardship.
A crippling lack of awareness
Just as it is in the private sector, public sector data management is undergoing profound shifts. COVID-19 has accelerated digital transformation initiatives, new ways of working and a heightened need for resiliency. Unsurprisingly, there has also been a sharp increase in data breaches and associated costs to deal with. And worldwide, governments are under pressure to deliver sustainability initiatives. All of these factors are putting pressure on public sector organisations to innovate, despite fiscal constraints.
Given this period of turbulence in data management, Blancco conducted a global research study to explore public sector SSD sanitisation practices, revealing the extent of the financial and environmental costs of physical SSD destruction. The study found a distinct lack of awareness of economical and environmentally beneficial alternatives, coupled in part with knowledge gaps around regulations and data protection laws.
In the UK, just 47% of public sector respondents stated they were both aware of and knew in detail the 2018 Data Protection Act (DPA), which works alongside the UK GDPR. The situation this creates is one in which a lack of regulatory awareness can lead to limited options, poor practice, or miscommunication of appropriate, secure, or efficient methods for handling data, particularly data that is categorised below “classified” or “secret.”
Education on certified alternatives to physical destruction can also help to alleviate the financial pressure caused by spending millions each year on replacing SSDs that have been destroyed. The study found that 35% of respondents globally believed there to be no certified or approved vendor solution that provides a sustainable option for secure data destruction, highlighting a missed opportunity. There is an opportunity for legislators and regulators to investigate and share the details of certified alternative providers that deliver compliant solutions. Importantly, that will also enable more drives to be kept in the circular economy following appropriate processes to irreversibly remove the data on that device. Not only does that eliminate the need to purchase new equipment, but it is in keeping with initiatives to employ more sustainable models.
That information is classified
Of course, governments and public sector organisations are responsible for managing some of the most sensitive information. And it’s important to note that with this information, often categorised as “classified” or “secret”, physical destruction of SSDs or other data-bearing assets containing highly sensitive data is mandated by law. However, that still leaves an opportunity to employ non-destructive options for non-classified data, and many regulations provide non-destructive options for secure data sanitisation. Those non-destructive options open up possibilities to reuse more equipment, which in turn lessens destruction costs, or alternatively readies the devices for the circular economy, where they can be refurbished, recycled, or harvested for valuable rare metals and materials.
While recognising cost reduction is important for governments and public sector organisations, security and good cyber hygiene mustn’t be overlooked. There is no room for cutting corners when it comes to data protection and management. In addition to the environmental and financial drawbacks of using physical destruction, it’s important for organisations to realise that proper application of security is critical no matter what sanitisation method is chosen. Properly applied from beginning to end, encryption is very effective when used alongside physical destruction. However, encryption keys must be securely stored and managed to thwart attacks. To be confident that all data on a drive is truly protected, users must be diligent in how and when they execute encryption processes. And, the less sophisticated the encryption, the shorter the shelf life as decryption technologies get stronger and more sophisticated. For physical destruction to offer true security, no data storage areas can be left intact and destruction methods must be appropriate to the asset. Non-destructive options can provide an extra, immediate layer of security for the most sensitive of data when physical destruction is the only allowable choice.
Security might be top of the agenda, but some public sector processes for carrying out SSD sanitisation are concerning. While it could be that organisations are combining methods with physical destruction, a worrying 78% of respondents said that they reformat drives to sanitise them. Unfortunately, formatting alone can still leave drives vulnerable during transport or storage, and much of the data can be recovered with forensics tools easily available online.
Stepping towards a more sustainable future
From an environmental standpoint, widespread physical destruction simply isn’t sustainable. There are several outcomes to consider when ethically destroying any data storage asset: the working components from each device that can be reused, the minerals and elements that can be extracted, the leftover waste that contributes to landfill, and the natural resources required to meet demand for new, replacement IT assets. With e-waste now considered to be the “fastest growing domestic waste stream”, it’s critical that organisations, both public and private, make strides to reduce their impact on the environment.
It may come as little surprise, therefore, that 93% of respondents to the global study said they have defined plans to reduce the environmental impact caused by destroying IT equipment. However, fewer than a quarter of public sector organisations globally are actively implementing those plans. Of those countries surveyed, the UK was in fact the top performer, but still only 31% of UK public sector respondents are in the implementation phase of those plans.
The true price of physical destruction is not just a financial one, but the potential cost to future generations. Greater urgency is required to tackle environmental issues, and organisations must both take responsibility and invest in driving long-term change. While there is much to do globally to improve sustainable practices, adopting practices to reduce waste, reuse equipment and minimise depletion of scarce natural resources should be happening now. Reduced physical destruction can be a step in the right direction for the public sector to reduce cost and protect the environment for generations to come.
Governments and public sector organisations have always been under the spotlight when it comes to spending. But with global e-waste projected to nearly double by 2030 and persistent calls for more environmentally aware government practices, it is increasingly urgent that government organisations consider sustainable alternatives that extend device life, maintain lock-tight security and, crucially, save public services millions. To guide these organisations towards those outcomes, national policy makers must seek to steward the financial, environmental and digital information resources entrusted to their care. They must work for increased awareness and regulatory reform, revisiting both policy requirements and tenders for appropriate, secure and sustainable device lifecycle management.
Written by Fredrik Forslund, VP enterprise, cloud and data erasure solutions, Blancco