
Data Destruction: What MSPs and Resellers Need to Know

Seek and destroy

More data than ever is being produced, but, with cyberthreats similarly growing, disposing of this data securely is crucial if businesses are to avoid potential breaches – and resellers have an important role to play.

As technology advances, especially with the advent of artificial intelligence, the amount of data being produced continues to rise markedly. By 2028, Statista predicts that there will be 394 zettabytes of data consumed, up from 149 zettabytes in 2024. Given that a zettabyte is equal to 1 trillion gigabytes, that is a huge number.

Data often has a shelf life for businesses, however, and when it is no longer useful it needs to be disposed of. With cyberthreats continuing to increase, care must be taken to ensure this is done with no chance of the data being recovered.

“Data privacy laws, including GDPR, require organisations to properly handle and permanently erase personal and sensitive information when it’s no longer needed or upon request,” says Ross Brewer, VP and managing director of Graylog. “Simply deleting files or wiping a drive isn’t always enough. Organisations must follow recognised standards for data destruction, such as NIST 800-88 or DoD 5220.22-M, to ensure that data cannot be recovered.”

Gavin Griffiths, managing director of Insurgo, adds: “What makes disposal more urgent is not just the increasing amount of data but the more powerful recovery technologies and advanced hacks the market sees each year. Even those we are unaware of yet, which companies spend millions on attempting to defend and deflect.

“Hackers’ skills will continue to advance alongside these advancements and they are always looking for the easy open back door.”

John Woolley, chief commercial officer at Insurgo, adds that amount and appropriateness are two separate concerns. “Amount drives decisions on where to store data,” he says. “The more places that data is stored, the wider the attack vectors become. The decisions that organisations make balance cost and performance. Especially since the larger volumes currently are being driven by AI workloads.

“Regardless of whether organisations store data within their own boundaries or in public cloud offerings, the underlying technologies remain the same. SSD or magnetic media (disk and tape).”

Evolving methods

With much of business data today stored in the cloud, physical methods of destruction, such as shredding hard drives, are less relevant. “In the cloud, companies now rely on encryption and secure deletion protocols to ensure data is completely removed,” says Ross. 

“Cloud providers often offer ‘data erasure’ services where they wipe data from their servers according to industry standards, and many of them have certifications (like ISO/IEC 27001) to show they have followed the protocol.

“Cloud services also enable remote wiping, which is critical in cases like employee turnover or device loss.

“Effective encryption key management is critical in cloud environments, as is the use of ‘crypto-shredding’, which is a modern cloud-native method (destroying encryption keys), increasingly common as an efficient, secure deletion method.”

Alyssa Blackburn, program manager, information management at AvePoint, adds that information lifecycle practices and processes must be built into systems from the outset. “But this means we need to understand the data we’re capturing and how long it needs to be retained for,” she says. “This is not just a deletion issue, but a data governance issue that needs to be considered for any system that holds information. 

“This is not an issue that can be tackled manually, and automation truly is the only option. Use lifecycle management solutions to track, manage and securely destroy data. It’s also crucial to implement regular audits and secure protocols to ensure data disposal aligns with legal and security requirements in the cloud.”

Gavin adds that responsibility needs to be considered. “Most cloud providers believe they have a robust policy for data security, but that’s their responsibility for the service provision. For the data owner, storing data in the cloud, the liability will never move from them. It doesn’t matter who leaks the data, whether it’s your infrastructure or a third party, the data owner is always going to be held accountable.

“We should include a cradle-to-grave and any afterlife considerations of IT equipment and know exactly what is happening in any end-of-life process. The data owner must take responsibility for EOL practices seriously. Don’t assume it is part of the cloud provider’s processes and acceptable standards. If you don’t know it or understand it, question it and even add to this with your acceptable policy requirements or suggested guidance you want to see implemented.”

Best ways to dispose of data

There are various ways that data can be disposed of once it has reached the end of its useful purpose. Gavin says that different devices and formats require different disposal techniques to achieve absolute data destruction. “If we take our tape world as our known example, companies tend to think shredding is the best way to dispose of tape, but with growing capacities, we leave about 12GB of information on a 10cm strand of film,” he says.

“That’s why we believe it is important to seek out industry specialists who deeply understand the specific data-carrying media a company uses and the risks they may be exposed to.”

John notes that businesses should choose what is appropriate for the level of risk, so partners should ensure they understand the recovery risks so they can make an informed decision that protects the organisation from exposure and supports its ESG goals. 

Ross adds that in cases where data is encrypted, it’s important to decrypt and then securely erase it. “Simply deleting encrypted files isn’t sufficient – due to residual metadata, indexing and cached information potentially leaving recoverable fragments,” he says.

“In cloud environments, cloud providers typically implement secure data erasure protocols that follow established standards like DoD 5220.22-M or NIST 800-88, ensuring data is permanently removed from their systems. Additionally, organisations can work with specialised third-party data destruction services, which offer secure disposal processes and provide official certificates of destruction to verify compliance with legal and regulatory requirements.”

Reseller conversations

When resellers are talking to customers about data destruction, there are certain things that should be highlighted. For instance, regulatory and legal obligations, such as those under GDPR, HIPAA, or industry-specific frameworks, should be noted, says Ross. “Resellers should explain the potential consequences of non-compliance, including fines and reputational damage,” he adds.

“Data security and confidentiality should be emphasised, particularly when dealing with outdated or decommissioned equipment that may still contain sensitive information. It’s also important to explain the role of certifications and standards, such as NIST or ISO, and the value of receiving a certificate of destruction as proof of compliance.

“They need to remind their customers that data disposal isn’t just a compliance issue – it’s a core trust and competitive differentiator. Organisations demonstrating impeccable data governance increasingly gain competitive advantages.”

Gavin says resellers should act more as consultants, not just solution providers. He adds that resellers should help customers take ownership of their data risks, identify specific product types and understand what they require to meet compliance, recommend solutions based on risk appetite and the potential legal exposures and regulatory impacts (and how to lower them) and offer solutions that provide full traceability and even forensic-level proof of absolute data destruction.

“Emphasise that environmental impact matters too,” he adds. “Disposal can and should support sustainability by reusing or lowering the environmental impacts of processing and equipment destruction.

“Also, make it clear to customers that data security compliance is not about picking a standard to adhere to or following best practices and guidelines. It helps, but it is about getting involved and choosing which path your security should follow.”

John agrees, adding: “Use domain knowledge to help steer the customer into the right decisions through advisory. So many times I’ve heard ‘my customers aren’t asking for this’, when in truth most customers don’t know that the options are available. Be pragmatic, be knowledgeable, be prepared to bring in those who know. Challenge their thinking and you may reshape the whole opportunity.”

Alyssa says that organisations need to have comprehensive data governance strategies, and resellers can and should discuss this with their customers. “First, customers need to have a deeper understanding of their data, including a bird’s-eye view of permissioning, security exposures and more,” she says. “They can do this by using tools that perform this work automatically, generating reports that describe different levels of exposure across the organisation.

“Second, when customers understand their data and where the main issues are, partners can help them to implement practical steps to do something about it. This includes eliminating or destroying outdated data and tagging and classifying data according to relevance and risk.

“Once this is complete, the third step is to keep going and to perform this work on an ongoing basis. Organisations keep accumulating data, so this isn’t a one-and-done thing; it needs to continue on an ongoing basis.”
