End-of-life devices not properly sanitized of data can cause compliance issues and make corporate data vulnerable
GDPR, CCPA and the rest of the alphabet soup of privacy laws should have organizations looking more deeply at how and where they store and use data. While most companies have improved their approach to data security in response to privacy laws, too many continue to ignore the data sanitization of devices at end of life, and this exposes the organization to data breaches. New research from Blancco Technology Group found that, globally, organizations’ overconfidence in their data sanitization methods makes them more vulnerable to a data breach, and nearly three-quarters of those surveyed point to the potential problems caused by end-of-life devices.
Data breaches at device end-of-life is a very big problem, said Fredrik Forslund, vice president, Enterprise and Cloud Erasure Solutions at Blancco, in an email interview. For example, a few months ago while researching how often sensitive data remains on pre-owned technology, Blancco purchased 159 drives from professional sellers using eBay in the U.S., UK, Germany and Finland. All of the drives were “guaranteed” by the sellers to be clean from data. That wasn’t the case, however: Almost half (42%) still contained data, with 15% of the information being PII and/or corporate data. Forslund said in that study they found:
- A drive from a software developer with a high level of government security clearance, with scanned images of family passports and birth certificates, CVs and financial records.
- 5GB of archived internal office email from a major travel company.
- 3GB of data from a cargo/freight company, along with documents detailing shipping details, schedules and truck registrations.
Failing to make sure that devices are wiped clean of data sets up organizations for data breaches and violations of data privacy laws.
Where the Risks Are
According to the results in this most recent study, “A False Sense of Security,” 36% reported relying on inappropriate data removal methods—using data wiping methods such as formatting, overwriting using free software tools or paid software-based tools without certification or physical destruction (both degaussing and shredding) with no audit trail.
That is just one of the ways that organizations are risking their data, according to the report. Another risk is in the storage of these end-of-life devices. Eight in 10 said they have a stockpile of out-of-use equipment sitting in storage, and more than half admitted that it takes them more than two weeks to get around to data sanitization of those devices. Another area of risk is the lack of a clear chain of custody of the audit trail for these end-of-life devices, and that includes transporting them to a facility where they are physically destroyed.
The most common issue is a lack of awareness of what is a secure and reliable process for asset disposition, said Forslund. “Companies may do a format or use freeware and assume this is sufficient; however, not running a process where you can confirm that all assets have been processed results in having data left on assets and ultimately can lead to data breaches.”
He recommended using best practice standards and ensuring an audit trail to verify that all assets are covered. What does that look like? According to the report, it includes a review of the current processes and policies that are to be followed by all employees and building integration into asset management solutions to automate process flow, among other steps.
“It is also important to ensure that there are no delays or possible loopholes,” he added. “Often policies on how to run a strong IT asset disposition process and proper data sanitization are out of date or not properly implemented, which can be another factor that leads to poor outcomes.”
When asked what he sees as the biggest and most important takeaway of this study on the risks of data breaches in end-of-life devices, Forslund stressed those best practices policies.
“Update your policy, enforce that policy, and make sure implemented best practice is as automated and integrated into your asset management and data management as possible,” he said. “Do not wait until end of life of the asset to start thinking about what to do. Be proactive and always a step ahead!”