3 Common Misconceptions about Data Sanitization for Businesses

When your company sends any piece of IT equipment to be recycled or resold, you must be sure that any data stored on its hard drives or other storage media has been or will be completely erased. The reasons are obvious; data security is a major priority for companies these days. The costs associated with a data breach far exceed the investment in a reliable data sanitization process. But are you doing data sanitization the right way? Here are three common misconceptions we’ve encountered when we talk to companies about their data sanitization plans:

1. We think it’s more secure to do it ourselves

Having your in-house IT team perform data sanitization might, at first blush, seem like the most secure way to go. After all, who do you trust more than your own employees? But it’s that trust you already place in them that might make your IT team members a less-than-ideal choice. Their workdays are already overloaded with the many different responsibilities with which you’ve entrusted them. As dedicated as they are, they can’t give the same amount of attention to data sanitization as a team that focuses exclusively on it. Larger hard drives can take an hour or more to complete the erasure process. On top of that, to perform data sanitization right, you need to carefully check and document each drive for a successful erasure. Does your IT team have time to do all this, every time, alongside their already-heavy workloads? If they rush the process, they might make mistakes. We have found that as many as 10 percent of the drives we receive from companies that do their own data sanitization still contain some form of data. If you’re concerned about data security, that’s a pretty big risk.

2. We prefer to destroy our drives, so we don’t need data sanitization

This may ensure security, but it can also waste value and reusable assets. While physical destruction of hard drives (done properly) certainly does ensure the data stored on them won’t reach the outside world, the lack of hard drives also significantly reduces the value of remarketed IT assets. If your company is looking to increase the ROI of its IT asset disposition program, consider leaving hard drives intact when you designate equipment to be resold. In these cases, a proper data sanitization procedure that uses methodology compliant with the NIST 800-88 standard is generally considered equal in security to the physical destruction of hard drives. Your IT asset disposition provider should be able to help you identify market trends and the impact a missing hard drive will have on resale values.

3. We can rely on the same data sanitization vendor we’ve been using for years

The risk of a data breach is too great to leave responsibility for data sanitization in unproven hands, even if they’re the same hands to which your company has been handing its retired IT assets for years. Do you know which tools your vendor uses and whether those tools can be relied upon for complete data erasure? Does the vendor provide data sanitization reports by serial number? Have its employees received proper training and background checks? Most importantly, is the vendor certified? Certifications by leading third-party organizations validate your vendors’ compliance and capability. In the realm of data sanitization, the leading certification to look for is AAA certification from the National Association for Information Destruction. When a data sanitization provider has earned NAID AAA certification, it shows they have been audited by a third party for meeting standards for process, facility security, employee training and background checks, and documentation.

Other misconceptions about data sanitization

These are just three of the common misconceptions we’ve encountered about data sanitization. We’ve compiled more in our free guide, “10 Myths About Data Erasure.”

 
