Keeping Data Sanitization Policies Square With Enterprise Security

eWEEK DATA POINTS: Why a lack of consistent communication on data sanitization policies and processes increases the potential for data breaches.


As data privacy legislation continues to expand across the globe, enterprise data management is quickly becoming a major headache for enterprise IT decision-makers responsible for compliance with new and existing consumer data privacy regulations, including the GDPR (2018) and the new California Consumer Privacy Act.

Senior IT leaders shouldn’t be alarmed, but concern over financial penalties and reputation damage for non-compliance is warranted. In Blancco’s recent report on the topic, research firm Coleman Parks surveyed 1,850 senior leaders at enterprises with 5,000+ employees in the U.S., Canada, U.K., France, Japan, India, Singapore, Australia and the Philippines. It found that while most enterprises have policies in place (96%), an astounding 56% are not effectively communicating these policies companywide on a regular basis. This lack of consistent communication on data sanitization policies and processes increases the potential for data breaches.

In this eWEEK Data Points article, Fredrik Forslund, vice president of enterprise and cloud erasure at Blancco, offers the top five takeaways from the study. He also shares the significance of these findings for enterprises seeking compliance with data privacy laws and regulations that aim to protect consumer privacy and give individuals more control over how their data is being used and stored.

Data Point No. 1: Successful communication of data sanitization policies relies upon both the policy owner’s experience and organizational structure.

The study's findings show that while 68% of respondents believed that ownership of data sanitization policies is clearly communicated within their organization, 32% do not share this belief. According to survey respondents, the executives who “own” the policy vary widely from organization to organization: 18% of enterprises named the data protection officer (DPO), 18% pointed to the head of operations, 17% said the head of IT operations, and 11% said the chief information security officer (CISO).

The inconsistency in policy ownership may contribute to varying levels of efficiency and success in communicating the policy companywide, but what’s more important is the individual’s experience and the overall organizational structure. Equally important is the owner’s awareness of the importance of communicating data policies and ability to execute.

Data Point No. 2: Equipment left in storage areas is putting companies at risk of insider threats and data breaches.

According to Verizon’s 2019 Data Breach Investigations Report, 34% of all breaches in 2018 were caused by employees. An even more alarming 2018 Forrester survey indicated that 53% of data breaches were the result of insiders, and more than half of those incidents were malicious in nature. While keeping old IT assets in storage is not in itself a threat, the risk of theft of unused equipment that might still contain residual customer or company data is certainly real.

Of the global enterprise executives surveyed in our study, 87% admitted to not sanitizing assets as soon as they reach end-of-life, while 31% reported taking more than a month to sanitize these devices. Only 13% reported immediately sanitizing assets once they reach end-of-life.

Delays increase the risk of equipment loss, theft and data breaches as well as insider threats. Another interesting finding is that sanitization takes the longest in Germany and Singapore, with well over 50% of companies taking more than a month to sanitize or destroy equipment.

The bottom line: Organizations should immediately sanitize end-of-life equipment as part of their overarching data sanitization policy, preferably by embedding a process that integrates data sanitization of all end-of-life IT assets into existing remote asset management processes. This removes unnecessary risk during asset decommissioning.

Data Point No. 3: Flexible workers are most likely to compromise company data policy.

The gig economy and remote work have become part of the business landscape in the U.S. and across the globe. Unfortunately, one-third of respondents at the global enterprises we surveyed believed that flexible workers were the least likely to comply with data sanitization policies, while 40% believed contractors or freelancers were the least likely to understand or comply with data sanitization policies. This number drops slightly (33%) for respondents in the U.S. and Canada. To ensure compliance with regional, national and global consumer data privacy regulations, organizations must have a consistent data management and sanitization policy that applies to all employees—whether they are contractors, seasonal workers or full-time employees, both remote and onsite.

Data Point No. 4: Senior management is not taking direct responsibility for IT asset erasure.

While perhaps hard to fathom, 22% of respondents said that employees are responsible for the management and control of their own end-of-life IT equipment when they leave the organization. Another 22% said the responsibility is with their line manager.

One key concern with this process is whether the exiting employees or line managers are fully aware of or trained on the company’s data sanitization policy. And if not, who is verifying the PC or laptop has been sanitized correctly and no personally identifiable information remains? Again, communication and training are critical to maintaining company-wide data sanitization policies.

Data Point No. 5: Outsourcing data sanitization comes with risks.

More than a third of our respondents (34%) are sanitizing PCs, laptops, servers and data center equipment offsite at end-of-life. Outsourcing isn’t inherently a bad thing, but it does pose some risks, especially if organizations lack visibility into the chain of custody of their IT assets and have no way to prove that the data wasn’t compromised during transport. If an organization has a data sanitization policy that requires all data to be destroyed beyond recovery at end-of-life, it should also be able to prove this has been accomplished during an internal or external audit. It’s the company’s responsibility to require a detailed audit trail for the entire chain of custody and certified erasure at end-of-life for these assets.
