More Than Half of WW Largest Enterprises Fail to Communicate Data Sanitization Policies Internally, Said Blancco
Discrepancies between data sanitization policy creation and execution putting sensitive data at risk
This is a Press Release edited by StorageNewsletter.com on February 14, 2020 at 2:05 pm
Research launched by Blancco Technology Group explores the risks that some of the world’s largest enterprises are taking when creating, executing or communicating their data policies.
In particular, the study, Data Sanitization: Policy vs. Reality, produced in partnership with Coleman Parkes Research Ltd, reveals why these policies are not sufficiently defined and implemented to ensure the full data sanitization of their IT assets, throughout their entire lifecycle.
Although 96% of the 1,850 senior leaders within these organizations have a data sanitization policy in place, 31% have yet to communicate it across the business. 20% of respondents also believe their organization’s policies are not yet fully defined. Overall, over half of organizations (56%) do not have a data sanitization policy in place that is being effectively communicated across the full company on a regular basis. This increases the risk of data breaches.
Further discrepancies between data sanitization policy and execution within these organizations include:
• Not taking direct responsibility for IT asset erasure – 22% of employees are responsible for the management and control of their own end-of-life IT equipment when they leave the organization. Another 22% place this responsibility with their line manager. If data sanitization policies haven’t been communicated to either party effectively, the chances of sensitive information being leaked as a consequence of insufficient erasure increase dramatically.
• Leaving equipment languishing in storage areas – 87% of global enterprises admitted not sanitizing assets as soon as they reach end-of-life, while 31% reported taking more than a month to sanitize these devices. This puts companies at risk of equipment loss, theft, and data breaches.
• Performing offsite erasure – 34% of enterprise organizations are sanitizing PCs and laptops offsite at end-of-life. Working with a third-party provider to sanitize equipment offsite isn’t necessarily a bad thing, but it does present certain risks, particularly if organizations don’t have complete visibility into the chain of custody for their IT assets and have no way to prove that the data on their assets wasn’t compromised during the transportation process. Any external contractor needs to provide detailed audit trails for the entire chain of custody and certified erasure at end-of-life for these assets.
• Lacking clear ownership of data sanitization policies – although 68% of respondents felt that ownership of data sanitization policies is clearly communicated within their organization, when asked who was responsible for their implementation, 18% of enterprises stated the data protection officer (DPO), 18% the head of operations, 17% the head of IT operations and 11% the chief information security officer (CISO). This lack of clear ownership could suggest enterprises consider data sanitization to be a “checkmark” exercise that must be done to satisfy compliance or operational requirements and that they are not taking data risks seriously.
“The lack of robust data sanitization policies across global enterprises is alarming,” said Fredrik Forslund, VP, enterprise and cloud erasure solutions, Blancco. “If they fail to formulate and communicate these policies effectively, at every stage of the data lifecycle, they risk putting significant amounts of potentially sensitive data at risk. It is vital they put processes in place, with clear ownership, and auditability for control, assigned to their senior leadership team to mitigate these risks.”
Other key global findings include:
• A third of the enterprises surveyed also felt that flexible workers were the least likely to comply with data sanitization policies, while 40% believed contractors or freelancers were the least likely to understand or comply with their data sanitization policy.
• There is not only a lack of clear ownership around the implementation of data sanitization policies but also a lack of accountability regarding how enterprises are complying with them. The responsibility is spread across different job roles including the head of compliance (30%), head of IT operations (15%), head of operations (14%), head of legal (11%) and DPO (9%), leaving enterprises open to compliance breakdown and fines.
Key US and Canada findings include:
• 33% of respondents believe that flexible workers, who work at home or remotely, are the least likely to comply with data sanitization policies – implying that they may pose a security risk.
• 32% of employees in enterprises are responsible for the management and control of their own end-of-life IT equipment when they leave the organization. 19% place this responsibility with their line manager.
• More than a third (32%) of enterprises also stated that they are placing their head of compliance in charge of complying with their data sanitization policies, which is encouraging. However, only 9% are giving this responsibility to their DPO.
Key UK findings include:
• Despite 97% of companies having a data sanitization policy in place, more than a third (37%) have yet to communicate it across the business. Overall, nearly half of companies (42%) do not have a data sanitization policy in place that’s being effectively and regularly communicated across the organization.
• 20% of employees are responsible for the management and control of their own end-of-life IT equipment when they leave the organization. 35% place this responsibility with their line manager.
• Worryingly, 58% of enterprises also reported not being aware of when their organization’s IT security policy was last updated, and 56% aren’t clear about what it contains, the highest percentages of all the countries surveyed.
This report is the second in a 3-part series of reports. The first one, A False Sense of Security, found that 36% of enterprises were taking significant risks with their end-of-life sanitization methods and processes (or lack thereof). It can be found here (registration required).