The Inextricable Link Between Data Security and End-of-Life IT Equipment

eWEEK DATA POINTS ARTICLE: To meet retention requirements and data minimization best practices, enterprises must put effective policies and processes in place to securely manage what happens to data stored on any device at its end of life, as well as procedures to sanitize data through life.


The accelerated development of data privacy regulations such as Europe’s GDPR (General Data Protection Regulation of 2018) and the CCPA (California Consumer Privacy Act), which took effect Jan. 1, along with the increase in widely reported data breaches and the resulting fines, means that data privacy, security and regulatory compliance are high-profile issues for enterprises across the globe.

Growing concerns pushed organizations to invest 10.5% more in security in 2019 than in the previous year as they looked to protect the integrity of their data throughout its lifecycle. Gartner Research has placed data sanitization at the start of the upward “Slope of Enlightenment” in three of its reports: “Hype Cycle for Data Security, 2019”; “Hype Cycle for Privacy, 2019”; and “Hype Cycle for Endpoint Security, 2019.”



New research data from Blancco, based on survey responses from 1,850 senior decision makers in the U.S., Canada, Europe and the Asia-Pacific region, reveals how global enterprises’ overconfidence is exposing them to the risk of data breaches in an era of heightened concern over breaches and failure to comply with data privacy laws and regulations.



In this eWEEK Data Points article, Fredrik Forslund, vice president of enterprise and cloud erasure at Blancco, offers the top five takeaways from the company’s new research and what they mean to global enterprises dealing with growing data volumes. He also cites challenges presented by technologies such as internet of things (IoT) devices and artificial intelligence (AI) that will accelerate data growth well into the future.

Data Point No. 1: Companies are hoarding end-of-life IT assets.

Eighty percent of U.S. and Canadian respondents reported having end-of-life devices stockpiled in their storage. This amounts to around 400,000 items, or an average of 272 devices per company. Survey respondents also admitted leaving devices unused for some time. In fact, 57% reported taking longer than two weeks to erase devices, adding to the risks of potential internal data breaches and lost data. Survey respondents claim 18% of devices are left “somewhere” within the company with no action, leaving many end-of-life devices neglected.

In research released earlier this year, “The High Cost of Cluttered Data Centers,” Blancco found that two in five organizations are spending more than $100,000 to store unused hardware that could pose significant security and/or compliance risks to their businesses. These are major security issues that enterprises should deal with immediately.

Data Point No. 2: Many global enterprises use inappropriate data removal methods.

The good news is only 4% of respondents are not sanitizing data at all. Another 36% reported using data wiping methods (formatting, overwriting using free software tools or paid software-based tools without certification) or physical destruction (both degaussing and shredding) with no audit trail. These methods are not fully secure and can leave businesses open to potential security and compliance issues. Many respondents (17%) also fail to maintain a clear chain of custody with an appropriate audit trail for end-of-life assets, including during transportation to an offsite destruction facility, while 31% admitted not capturing drive serial numbers. This lack of chain of custody controls means these enterprises are running the risk of data breaches and non-compliance.

Data Point No. 3: 34% of respondents believe drive reformatting will prevent data breaches.

Seemingly unaware that drive reformatting does not prevent access to data entirely, 34% of respondents still ranked drive reformatting as one of their top three options for providing the highest protection against a data breach. The research also revealed that 17% of global enterprises use physical shredding or degaussing for end-of-life devices, even though shredding does not always provide a true, certified audit trail that spans the full chain of custody lifecycle. While shredding and degaussing can be appropriate methods to sanitize data, it is critical to follow best-practice methods and maintain a full chain of custody for each device.

Data Point No. 4: SSDs pose special security risks.

Sanitizing end-of-life solid-state drives (SSDs) is considerably more complex than sanitizing other devices. SSDs, which are becoming almost as common as hard disk drives (HDDs) in corporate infrastructure, pose significantly greater security challenges and require special care to achieve true data sanitization. Unfortunately, more than one-third (33%) of enterprises in the U.S. and Canada do not have a different process for dealing with SSDs compared with HDDs. Therefore, they run the risk of not having all data appropriately sanitized and ending up non-compliant with industry standards.

Data Point No. 5: Organizations spend $1.7 million per year destroying equipment.

Half of companies surveyed believe that physical destruction is easier and quicker than other sanitization methods. Senior leadership who believe their companies are saving money with supposedly low-cost options, such as destruction, do not realize that they are in fact spending a great deal of time and money on these methods. This misconception fails to take into account the time that proper destruction takes.

On average, enterprises spend 32.3 hours per month destroying devices; that’s one person spending 16 days every year destroying equipment. The average cost reported by respondents to destroy an item is $1,036, with each company spending just over $1.7 million per year to destroy devices. This doesn’t include the cost of the item itself. When included, the annual cost comes to just under $4 million per company.

Not only is the physical destruction of assets expensive and time-consuming, it has negative consequences for the environment. According to the Global E-waste Monitor 2017, the world generated 44.7 million metric tons of e-waste in 2016 and that number is expected to increase to 52.2 million metric tons by 2021.

As of now, only 20% of e-waste generated is collected and recycled; approximately 1.7 metric tons are thrown into dumps in higher-income countries annually and are likely to be incinerated or land-filled. Globally, only 8.9 metric tons of e-waste are documented to be collected and recycled. Companies can make a positive impact on curbing the growing e-waste problem by reselling and/or recycling old hardware.

One thing is clear: Failing to ensure that devices are clear of customer, commercial, employee and other sensitive data leaves businesses open to potential breaches and noncompliance, both of which carry significant reputational and financial risks.



Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...