Third of WW Largest Enterprises Use Inadequate Data Sanitization

A research launched by Blancco Technology Group outlines the current misconceptions that prompt so many decision makers to mistakenly choose inadequate data sanitization methods and put their organizations at risk.

The study, A False Sense of Security, produced in partnership with Coleman Parks Research, highlights how global enterprises’ overconfidence is exposing the organizations to the risk of data breach, at a time when proper data management should be at the forefront of everything they do.

73% agreed that the large volume of different devices at end-of-life leaves their company vulnerable to a data security breach, while 68% said they were very concerned about the risk of data breach related to end-of-life equipment.

This survey of 1,850 senior leaders from the world’s largest enterprises in APAC, Europe and North America reveals that more than one in three organizations take considerable risks with the way they sanitize data at end-of-life.

These risks include:

• Using inappropriate data removal methods – 36% reported using data wiping methods such as formatting, overwriting using free software tools or paid software-based tools without certification or physical destruction (both degaussing and shredding) with no audit trail. These methods are not fully secure and can leave businesses open to potential security and compliance issues. But what’s of particular concern is that 4% of these enterprises are not sanitizing data at all, leaving them wide open to attacks.
• Keeping large stockpiles of out-of-use equipment within the company and not dealing with them within a suitable time frame – 80% of enterprises admitted having a stockpile of out-of-use equipment sitting in storage and 57% reported taking longer than two weeks to erase devices, adding to the risks of potential internal data breaches and lost data.
• Failing to maintain a clear chain of custody with an appropriate audit trail for end-of-life assets, including during transportation to an offsite destruction facility – 17% of enterprises report not having an audit trail for the physical destruction process, and 31% admitted not capturing the drive serial number. This lack of chain of custody controls means these enterprises are running the risk of data breaches and non-compliance.

The research also reveals that 17% of global enterprises use physical shredding or degaussing for end-of-life devices, even though shredding does not always provide a true, certified audit trail that spans the full chain of custody lifecycle.

“Global enterprises are clearly concerned about data when devices reach end-of-life; however, despite knowing the risks involved, many still choose to use an inadequate approach to protect their organization,” said Fredrik Forslund, VP, enterprise and cloud erasure solutions, Blancco. “This points to a huge and worrying knowledge gap within the sector and among senior leaders about the security and compliance implications of physical destruction and end-of-life equipment lying around.”

Other key findings include:

• 20% of global enterprises (33% in U.S./Canada and the UK) do not have a different process for dealing with SSDs compared to HDDs and are running the risk of not having all the data appropriately sanitized and being in non-compliance with industry standards.
• The enterprises surveyed also reported that 18% of their devices are left somewhere within the company with no action. This highlights a huge security issue and one that should be dealt with immediately.

Key North America findings include:

• Enterprises in North America are using different data removal methods to remove data from their end-of-life devices. 15% are physically destroying devices (both degaussing and shredding), 13% are using formatting, 13% are using overwriting using free software tools, 10% are using cryptographic erasure/encryption and 8% are using overwriting using paid software-based tools without certification.
• 75% of US and Canadian respondents reported having end-of-life devices stockpiled in their storage. They also admitted leaving them unused for some time. 44% of companies in North America wait more than two weeks before erasing end-of-life equipment.
• 65% of US and Canadian respondents raised concerns about the risk of a data breach with end-of-life equipment, and 70% agreed that the number of different devices at end-of-life leaves them vulnerable to a data security breach. Nevertheless, 77% still have full confidence in the secure erasure for data sanitization within their organization.

Key UK findings include:

• Many UK enterprises reported using a variety of data removal methods. 22% use formatting, 15% use cryptographic erasure/encryption, 11% use physical destruction (both degaussing and shredding), 6% use overwriting using free software tools and 5% use overwriting using paid software-based tools without certification. But what’s the most alarming is that 9% have no method to wipe data.
• Worryingly, 85% of UK enterprises also confessed having a stockpile of out-of-use equipment sitting in storage. In addition, enterprises are leaving devices unused for some time. Only 16% of UK companies said they are erasing end-of-life equipment immediately while 35% wait more than 2 weeks to erase devices, adding to the risks of data breaches and lost data.
• When asked about their security concerns over end-of-life equipment, 52% agreed that the plethora of different devices at end-of-life leaves them vulnerable to a data security breach while 57% were very concerned about the risk of a data breach with end-of-life equipment, the lowest percentage points from all the countries surveyed.

Methodology
The primary research was commissioned by Blancco Technology Group and conducted by Coleman Parkes in August 2019. The sample was comprised of 1,850 senior decision makers including heads of compliance, CFOs, financial directors, ITAMs, CISOs, IT security VPs, data protection officers and heads of operations, from 1,850 organizations with 5,000+ employees.

The sample was divided between the UK, USA, Canada, Germany, France, Japan, India, Singapore and Australia and covered several vertical markets: healthcare, public sector, pharmaceutical, financial services, technology, defense, legal, manufacturing, energy, transport and advisory.