Data sanitisation disjoint

Discrepancies between data sanitisation policy creation and execution are putting sensitive data at risk.

  • Friday, 7th February 2020, by Phil Alsop

New research launched by Blancco Technology Group, the industry standard in data erasure and mobile device diagnostics, explores the risks that some of the world’s largest enterprises are taking when creating, executing or communicating their data policies. In particular, Blancco’s study, Data Sanitization: Policy vs. Reality, produced in partnership with Coleman Parkes, reveals why these policies are not sufficiently defined and implemented to ensure the full data sanitization of their IT assets, throughout their entire lifecycle. 

Although 96 percent of the 1,850 senior leaders within these organizations have a data sanitization policy in place, 31 percent have yet to communicate it across the business. Twenty percent of respondents also don’t believe their organization’s policies are finished being defined. Overall, over half of organizations (56 percent) do not have a data sanitization policy in place that’s being effectively communicated across the full company on a regular basis. This is increasing the risks of potential data breaches. 

Further discrepancies between data sanitisation policy and execution within these organizations include:

  • Not taking direct responsibility for IT asset erasure – 22 percent of employees are responsible for the management and control of their own end-of-life IT equipment when they leave the organization. Another 22 percent place this responsibility with their line manager. If data sanitization policies haven’t been communicated to either party effectively, the chances of sensitive information being leaked as a consequence of insufficient erasure increase dramatically.
  • Leaving equipment languishing in storage areas – 87 percent of global enterprises admitted not sanitizing assets as soon as they reach end-of-life, while 31 percent reported taking more than a month to sanitize these devices. This puts companies at risk of equipment loss, theft, and data breaches.
  • Performing offsite erasure – 34 percent of enterprise organizations are sanitizing PCs and laptops offsite at end-of-life. Working with a third-party provider to sanitize equipment offsite isn’t necessarily a bad thing, but it does present certain risks, particularly if organizations don’t have complete visibility into the chain of custody for their IT assets and have no way to prove that the data on their assets wasn’t compromised during the transportation process. Any external contractor needs to provide detailed audit trails for the entire chain of custody and certified erasure at end-of-life for these assets.
  • Lacking clear ownership of data sanitization policies – although 68 percent of respondents felt that ownership of data sanitization policies is clearly communicated within their organization, when asked who was responsible for their implementation, 18 percent of enterprises stated the Data Protection Officer (DPO), 18 percent the Head of Operations, 17 percent the Head of IT Operations and 11 percent the Chief Information Security Officer (CISO). This lack of clear ownership could suggest enterprises consider data sanitization to be a “checkmark” exercise that must be done to satisfy compliance or operational requirements and that they are not taking data risks seriously.

“The lack of robust data sanitization policies across global enterprises is alarming,” said Fredrik Forslund, Vice President, Enterprise and Cloud Erasure Solutions at Blancco. “If they fail to formulate and communicate these policies effectively, at every stage of the data lifecycle, they risk putting significant amounts of potentially sensitive data at risk. It is vital they put processes in place, with clear ownership, and auditability for control, assigned to their senior leadership team to mitigate these risks.”

Other key global findings include:

  • A third of the enterprises surveyed also felt that flexible workers were the least likely to comply with data sanitization policies, while 40 percent believed contractors or freelancers were the least likely to understand or comply with their data sanitization policy. 
  • There is not only a lack of clear ownership around the implementation of data sanitization policies but also a lack of accountability regarding how enterprises are complying with them. The responsibility is spread across different job roles including the Head of Compliance (30 percent), Head of IT Operations (15 percent), Head of Operations (14 percent), Head of Legal (11 percent) and DPO (9 percent), leaving enterprises open to compliance breakdown and fines.


Key U.S. and Canada findings include:

  • Thirty-three percent of respondents in the U.S. and Canada believe that flexible workers, who work at home or remotely, are the least likely to comply with data sanitization policies – implying that they may pose a security risk.
  • Thirty-two percent of employees in enterprises in the U.S. and Canada are responsible for the management and control of their own end-of-life IT equipment when they leave the organization. Nineteen percent place this responsibility with their line manager.
  • More than a third (32 percent) of enterprises in the U.S. and Canada also stated that they are placing their Head of Compliance in charge of complying with their data sanitization policies, which is encouraging. However, only nine percent are giving this responsibility to their DPO.

Key U.K. findings include:

  • Despite 97 percent of U.K. companies having a data sanitization policy in place, more than a third (37 percent) have yet to communicate it across the business. Overall, nearly half of companies (42 percent) do not have a data sanitization policy in place that’s being effectively and regularly communicated across the organization.
  • Twenty percent of employees in U.K. companies are responsible for the management and control of their own end-of-life IT equipment when they leave the organization. Thirty-five percent place this responsibility with their line manager.
  • Worryingly, 58 percent of U.K. enterprises also reported not being aware of when their organization’s IT security policy was last updated, and 56 percent aren’t clear about what it contains, the highest percentages of all the countries surveyed.