Keeping Data Sanitization Policies Square With Enterprise Security

Written by eWEEK EDITORS
Mar 18, 2020

As data privacy legislation continues to expand across the globe, enterprise data management is quickly becoming a major headache for enterprise IT decision-makers responsible for compliance with new and existing consumer data privacy regulations, including the GDPR (2018) and the new California Consumer Privacy Act.

Senior IT leaders shouldn’t be alarmed, but concern over financial penalties and reputation damage for non-compliance is warranted. In Blancco’s recent report on the topic, research firm Coleman Parks surveyed 1,850 senior leaders at enterprises with 5,000+ employees in the U.S., Canada, U.K., France, Japan, India, Singapore, Australia and the Philippines. It found that while most enterprises have policies in place (96%), an astounding 56% are not effectively communicating these policies companywide on a regular basis. This lack of consistent communication on data sanitization policies and processes increases the potential for data breaches.

In this eWEEK Data Points article, Fredrik Forslund, vice president of enterprise and cloud erasure at Blancco, offers the top five takeaways from the study. He also shares the significance of these findings for enterprises seeking compliance with data privacy laws and regulations that aim to protect consumer privacy and give individuals more control over how their data is being used and stored.


Data Point No. 1: Successful communication of data sanitization policies relies upon both the policy owner’s experience and organizational structure.

The study’s findings show that while 68% of respondents believed that ownership of data sanitization policies is clearly communicated within their organization, 32% do not share this belief. According to survey respondents, the executives that “own” the policy vary widely from organization to organization: 18% of enterprises stated the data protection officer (DPO), 18% pointed to the head of operations, 17% said the head of IT operations, and 11% said the chief information security officer (CISO).

The inconsistency in policy ownership may contribute to varying levels of efficiency and success in communicating the policy companywide, but what’s more important is the individual’s experience and the overall organizational structure. Equally important is the owner’s awareness of the importance of communicating data policies and ability to execute.


Data Point No. 2: Equipment left in storage areas is putting companies at risk of insider threats and data breaches.

According to Verizon’s 2019 Data Breach Investigations Report, 34% of all breaches in 2018 were caused by employees. An even more alarming 2018 Forrester survey indicated that 53% of data breaches were the result of insiders, and more than half of those incidents were malicious in nature. While keeping old IT assets in storage is not in itself a threat, the risk of theft of unused equipment that might contain residual customer or company data is certainly real.

Of the global enterprise executives surveyed in our study, 87% admitted to not sanitizing assets as soon as they reach end-of-life, while 31% reported taking more than a month to sanitize these devices. Only 13% reported immediately sanitizing assets once they reach end-of-life.

Delays increase the risk of equipment loss, theft and data breaches as well as insider threats. Another interesting finding is that sanitization takes the longest in Germany and Singapore, with well over 50% of companies taking more than a month to sanitize or destroy equipment. 

The bottom line: Organizations should immediately sanitize end-of-life equipment as part of their overarching data sanitization policy, preferably by embedding a process that integrates data sanitization of all end-of-life IT assets into existing remote asset management processes. This removes unnecessary risk during asset decommissioning. 



Data Point No. 3: Flexible workers are most likely to compromise company data policy.

The gig economy and remote work have become part of the business landscape in the U.S. and across the globe. Unfortunately, one-third of respondents at the global enterprises we surveyed believed that flexible workers were the least likely to comply with data sanitization policies, while 40% believed contractors or freelancers were the least likely to understand or comply with data sanitization policies. This number drops slightly (33%) for respondents in the U.S. and Canada. To ensure compliance with regional, national and global consumer data privacy regulations, organizations must have a consistent data management and sanitization policy that applies to all employees—whether they are contractors, seasonal workers or full-time employees, both remote and onsite.


Data Point No. 4: Senior management is not taking direct responsibility for IT asset erasure.

While perhaps hard to fathom, 22% of respondents said that employees are responsible for the management and control of their own end-of-life IT equipment when they leave the organization. Another 22% said the responsibility is with their line manager.

One key concern with this process is whether the exiting employees or line managers are fully aware of or trained on the company’s data sanitization policy. And if not, who is verifying the PC or laptop has been sanitized correctly and no personally identifiable information remains? Again, communication and training are critical to maintaining company-wide data sanitization policies.



Data Point No. 5: Outsourcing data sanitization comes with risks.

More than a third of our respondents (34%) are sanitizing PCs, laptops, servers and data center equipment offsite at end-of-life. Outsourcing isn’t inherently a bad thing, but it does pose some risks, especially if organizations lack visibility into the chain of custody of their IT assets and have no way to prove that the data wasn’t compromised during the transportation process. If an organization has a data sanitization policy that requires all data to be destroyed beyond recovery at end-of-life, it also should have the ability to prove this has been accomplished during an internal or external audit. It’s the company’s responsibility to require a detailed audit trail for the entire chain of custody and certified erasure at end-of-life for these assets.

If you have a suggestion for an eWEEK Data Points article, email cpreimesberger@eweek.com.
