The earlier part highlighted ‘what data sanitization is and what different methods are used to perform data sanitization.’ But what is more important is to learn ‘Why do businesses need to undergo data sanitization!’
Why do businesses need to undergo data sanitization
Blancco Technology Group, a leading global mobile device diagnostics provider and secure data erasure solution, has published a report on the topic – data sanitization. Coleman Parks, a research firm, surveyed about 1,850 senior leaders at enterprises with 5,000+ employees in the US, Canada, UK, France, Japan, India, Singapore, Australia, and the Philippines.
It concluded that about 96% of businesses have already implemented the data sanitization policies while about 56% do not effectively communicate these policies company-wide regularly. This lack of communication on data sanitization policies and processes increases the chances of data breaches.
Fredrik Forslund, Vice President of Enterprise and Cloud Erasure, Blancco, has jotted down some important takeaways from the study. He also explained the significance of these findings for enterprises looking for compliance with data privacy laws and regulations. It aims to protect consumer privacy and give individuals more control over how their data is being used and stored.
Following lists the top five points from the study –
Delivery of data sanitization policies progressively depends on the policy owner’s experience and organizational structure
The study reveals that 68% of respondents believed that ownership of data sanitization policies is clearly communicated within their organizations, while 32% refrain from sharing their views.
The survey respondents state that executives who are responsible for policies vary from business to business. According to 18% of enterprises, it’s the data protection office (DPO), 18% pointed to the head of operations, while 17% said it’s the head of IT operations, and 11% said it’s the chief information security officer (CISO).
The policy ownership’s inconsistency can lead to varying levels of efficiency and effectiveness in communicating the policy across the organization, but the individual’s experience and the overall organizational structure are more relevant. Equally significant is the owner’s perception of the value of communicating data policies and the ability to carry them out.
Compromising on data company policies occurs more in flexible workers
The US and other countries worldwide are boosting the gig economy and remote work more to satisfy long-term goals for their businesses. One-third of the respondents at the global enterprises believed it’s the flexible workers who are least likely to comply with data sanitization policies.
At the same time, 40% of the audience thought that contractors or freelancers are those who least likely understand or comply with data sanitization policies. This number decreases slightly (33%) for the respondents in the US and Canada.
Organizations should impose consistent data management and sanitization policies on all the employees – full-time employees, contractors, or seasonal workers, both remote and onsite that will ensure compliance in regional, national, and global consumer data privacy regulations.
With outsourcing data sanitization comes risks
More than 34% (one-third) of the respondents sanitize their PCs, laptops, data centers, and servers equipment offsite. Essentially, outsourcing isn’t a bad thing, but it comes with calculated risks. It happens when organizations are not aware of their IT assets’ owners and cannot prove that data is not compromised during the transformation process.
A data sanitization policy that requires an organization to destroy all data beyond recovery must also be capable of proving that it is accomplished during an external or internal audit. The companies should take the whole and sole responsibility to obtain a detailed audit report of all the custody and certified erasure instances at end-of-life for these assets.
Senior management is not taking the onus for IT asset erasure
22% of the respondents believe that when an employee exits from any organization, it is his/her whole responsibility to manage and control their own end-of-life IT equipment. While the other 22% believed that it’s the line manager who is responsible for it.
The other key concern that comes into account is, are the existing employees or line managers have knowledge of or are trained about the company’s data sanitization policy. If not, who will take charge to check if the PC or laptop is sanitized correctly and no remains of personally identifiable information are left behind?
Here, communication and training play a major role in maintaining company-wide data sanitization policies.
Chances of insider threats and data breaches increases in companies due to unused equipment in storage areas
Verizon’s 2019 Data Breach Investigations Report reveals, in 2018, almost 34% of employees were responsible for data breaches. Another eye-raising 2018 Forrester survey indicated that 53% of data breaches come from the insider, where more than half of the instances were malicious.
Keeping old IT assets in storage is itself a threat, but the intensity of risk increases when the theft of unused equipment contains residual customer or company data.
According to the global enterprise executives’ study survey, 87% reported not sanitizing assets as soon as they reach end-of-life, and 31% reported taking more than a month to sanitize these devices. It is only 13% who believe that immediate sanitization of assets should be done once they reach end-of-life.
In case of delay, the risk of equipment loss, theft, and data breaches increases with the insider threat. In Germany and Singapore, data sanitization takes the longest, where 50% of companies take more than a month to sanitize or destroy equipment.
The bottom line
Organizations must take immediate steps to sanitize end-of-life equipment, considering it as a part of their overarching data sanitization policy. It is done preferably by embedding a process that integrates data sanitization of all end-of-life IT assets into existing remote asset management processes. This removes unnecessary risk during asset decommissioning.
Thus, different organizations use different methods to follow data sanitization policies. Following all the data sanitization rules will help organizations to stay safe and stronger in the long run.
For more information visit our latest whitepapers on security or data security.