Data breaches are an inescapable casualty of modern life as we know it. As technology dominates our world – and our businesses literally live on the Internet – it’s not a case of if we’ll be attacked, but when. And despite regulation such as the European GDPR introduced to crack down on data mismanagement, the sheer volume of data compromised on a daily basis shows no sign of slowing. In fact, a staggering 160,000 data-breach notifications have been filed in the first 18 months since GDPR was instated.
As we navigate this new world order, a shift in attitudes and focus is imperative. While breaches and a fear of incurring fines from regulatory compliance failures has placed this issue high on the boardroom agenda, organizations are still not doing enough. Perhaps even more worrying, is the fact that a significant number of organizations have misplaced their confidence in some of the most common industry misconceptions when it comes to data management best practices.
It’s too often the case that the focus is on securing data at the enterprise level, but that not enough attention is being placed on managing data throughout its lifecycle. Increasingly enterprises are hoarding data and stockpiling out of use hardware without proper methods of data sanitization in place to clean up devices. This only seeks to increase the attack surface and further increase the risk of a breach. To tackle this mounting adversity, it’s time we adopted a new role. We must become data stewards at every level, to responsibly manage data and ensure the highest quality of critical data elements.
A false sense of security
In a recent study [commissioned by Blancco], it was revealed that one-third of the world’s largest enterprises use inadequate data sanitization methods to prevent data breaches at end-of-life. This raises significant concerns as proper data management should be at the forefront of everything an enterprise does. Despite a considerable number of enterprises lacking the appropriate data sanitization processes for managing data at end-of-life and on decommissioned equipment, 73 percent of enterprises surveyed agreed that the large volume of different devices at end-of-life leaves their company vulnerable to a data security breach.
However, organizations have seemingly lulled themselves into a false sense of security by stockpiling old IT equipment, rather than following best practices and erasing the data that remains. It’s often a case of out of sight, out of mind. But, should that equipment become lost or stolen and the data on it unaccounted for, there’s a massive risk of a breach. Burying away old equipment is not only a potential breach of security, it can also seriously hurt pockets. The fines for regulatory compliance failure are potentially eye-watering and further to that, the cost of storing equipment that no longer serves a purpose to the business is expensive - two-in-five global firms waste over $100,000 per year hoarding outdated IT equipment.
The common pitfalls of data sanitization
But where else are organizations taking risks with their data sanitization practices? Primarily, the use of inappropriate data removal methods raises most concern. Our study revealed that 36 percent of enterprises use data wiping methods such as formatting, overwriting using free tools or paid software-based tools without certification or physical destruction with no audit trail. The issue with each of these methods is they are not fully secure and can leave enterprises open to potential security and compliance issues.
It’s worth noting that physical destruction with an audit trail is in many cases a valid method of sanitization, however, with the increasing popularity of Solid-State Drives (SSDs) some new issues have arisen. Physical destruction can only guarantee complete data sanitization of SSDs if the shred size is as small as two millimeters, significantly smaller than the output of shredders commonly used in the destruction of normal magnetic storage. Degaussing is another method that, similarly, works when removing data from magnetic HDDs, but is entirely useless if used to remove data from SSDs.
Another issue that arises when stockpiling of out-of-use hardware, is that too many organizations don’t have processes in place to quickly execute data erasure on a decommissioned device. The longer a device sits in storage only increases an enterprises potential liability and risk. 57 percent of enterprises we surveyed admitted taking longer than two weeks to erase data on hardware that had reached end of life.
And last but not least, some organizations don’t have a clear chain of custody with their IT assets, including during transportation to offsite destruction facilities. 17 percent of global enterprises reported that they don’t have an audit trail in place for the physical destruction process, and 31 percent admitted to not capturing the drive serial number. Without a comprehensive audit trail of all IT assets from purchase right through to end-of-life, organizations are putting themselves at risk of compliance failure.
Furthermore, enterprises are neglecting their duty to care for the data in their possession, by not acting on data management best practice. This places greater emphasis on the need for data stewardship.
So, what constitutes best practice?
There are several facets that are important in achieving data sanitization best practice. Firstly, the policies need to be up-to-date and well communicated across the enterprise. Too often we see companies implement new practices but fail to communicate them on a company-wide level. Also, the value of data stored needs to be regularly reviewed. When data no longer holds value to a business it should be totally and irreversibly removed, and the only way to guarantee that complete removal is through data erasure.
Best practice must include the integration of data sanitization into an asset management process, ensuring remote and immediate erasure of any asset that is reassigned or has reached end-of-life. A full audit trail is needed. And it’s essential that any delays in processing data for erasure are minimized, to mitigate risk. It will also benefit operational efficiency if you can automate the data sanitization process on top of your existing processes.
Organizations need to avoid stockpiling old IT assets wherever possible. Not only are they a compliance risk, but quite often the device or its parts can be processed for resale on the secondary market. This unlocks some of the latent value of the device and helps reduce global e-waste. Finally, if physical destruction is part of your enterprise's data sanitization process, then steps must be taken to ensure different methods are used for SSDs, paying attention to shredding standards.
Data sanitization should no longer be viewed as a “nice-to-have” element of wider data management practices, within an enterprise. Gartner recently stated that “growing concerns about data privacy and security, leakage, regulatory compliance, and the ever-expanding capacity of storage media and volume of edge computing and IoT devices are making robust data sanitization a core C-level requirement.”
It is therefore vital that data is secure and regularly evaluated across its entire lifecycle, to constitute proper data management in accordance with regulatory compliance. Crucially there needs to be an element of care, and enterprise employees must adopt a data stewardship role. The risk of not doing this is to face potential data devastation.
