The cost of a data breach can be astronomical. Each record lost is estimated to cost a business $141. While individually that doesn’t seem like much, consider the scale. When an enterprise business comes under attack, the number of records can mean a $3.62 million price tag. Businesses are also investing in more hardware (31 percent of IT budgets are earmarked for hardware purchases), and that opens the door to a new possible security breach. Outdated hardware often contains sensitive information, meaning that businesses don’t just need to watch for frontline attacks; they also need to watch the back door of data disposal. When trying to keep data out of the wrong hands, several challenges present themselves.
1. Creating Clear Disposal Policies
When upgrading to new systems, tossing old systems into the trash or donating them to a nonprofit might seem like the most efficient solution, but without solid policies in place to guide when, and more importantly how, these disposal options are handled, you might be giving away your corporate data for free. A surprising amount of sensitive information may be stored locally on devices, making it important for your business to have a checklist in place for what to do with any decommissioned device that has internal storage.
2. Controlling Shadow IT Devices
Your company may not hand out flash drives or load data onto discs, but that doesn’t mean employees are as discriminating. To get the job done, employees will often adopt processes that don’t have a security-first mindset. For example, someone in marketing might download a list of leads to a flash drive for a quick handoff to the sales department. If that flash drive isn’t part of your IT inventory, how do you know what happens to it, and the data stored on the drive?
3. Managing BYOD Mobile Situations
Handing out smartphones to dozens or hundreds of employees can get expensive, which is why many companies have switched to a Bring Your Own Device model. When employees use their own phones to access sensitive information, they may not have enough security installed to protect it. And what happens to their existing phone when they upgrade? All of these questions should be part of any decisions about mobile policy and data access.
4. Decisions about Encryption vs. Erasure
Permanently deleting data from hard drives is virtually impossible, which may be one reason to implement physical destruction for older drives. With newer solid-state drives, sometimes encryption is a better solution than erasing data. After all, you have a limited number of times you can re-write to these drives before they become inoperable. Top-level encryption can keep your data almost as secure, without the need for a NIST-licensed incinerator.
5. The Challenge of Total Data Destruction
Most storage devices don’t easily delete data. Shadows are left behind. With the right software, a hacker can come along behind you and recreate a lot of the content you ‘deleted.’ For actual data disposal, physical destruction of the storage device is the most secure method. That doesn’t mean taking a hammer to your old servers, but it does mean pulling your drives and sending them to a disposal facility. This process is time-consuming and expensive, so it should only be implemented for your most private storage units.
Many businesses are moving toward cloud-based solutions, in part to avoid some of these challenges. When your sensitive data is stored elsewhere, you don’t need to worry about disposal, though you will want to know how your vendor handles the issue.