Q1. Data erasure has not been a top priority when it comes to enterprise security hygiene factors. Why is this only now becoming a topic for discussion?
Data security for enterprises is not a new priority, but data erasure specifically has been rising in importance to C-level executives globally. Following the introduction of data protection regulations like the GDPR and CCPA, enterprises have made a collective effort to tighten up data management processes in order to achieve compliance. Additionally, the threat of data breaches has grown alongside the increase of the attack surface, which has been stimulated by the data boom.
One of the key factors to ensuring compliance with data protection regulations is management of data through an IT asset lifecycle, from purchase through to end-of-life. Rather than tracking the data on old and redundant IT assets, and more importantly waste up to hundreds of thousands of pounds storing this equipment without re-selling or recycling it – most turned to erasure. Data erasure has risen on the C-suite agenda as it is secure, cost effective and guarantees the complete and irreversible removal of data.
Q2. Why should enterprises care about old and redundant IT assets?
The sheer volume of data dealt with and stored by enterprises has grown exponentially over the last few decades and is only set to increase. Although many are migrating data storage to the cloud, most enterprises still store some form of sensitive, mission critical data on-premise. Organisations should care about their decommissioned IT assets because they pose potential security threats, contribute to growing levels of e-waste and can save them money if appropriately dealt with.
Unfortunately, we’re seeing all too common a practice whereby organisations are stockpiling old IT equipment, rather than erasing the data stored on them and processing them for resale on the secondary market. And stockpiling is an incredibly expensive option. A survey of 600 data center experts spanning Europe, North America and Asia Pacific found two-in-five global firms waste over $100,000 per year hoarding outdated IT equipment.
The data on these assets is also unsecure, because until it has been sanitised appropriately, there will always remain the possibility of a breach. It’s also crucial that organisations keep an audit trail of all IT assets from purchase right through to end-of-life as there is significant risk of a breach should the equipment become lost and unaccounted for.
In fact, in our most recent study A False Sense of Security we revealed that three quarters of senior leaders from the world’s largest enterprises agreed that the large volumes of different devices at end-of-life leaves their company vulnerable to a data security breach. Despite this, 80 per cent of enterprises admitted having a stockpile of out-of-use equipment sitting in storage. Even more shocking was the finding that a third of the enterprises we surveyed were still using inadequate data sanitisation methods to prevent data breaches on out-of-use IT equipment.
Q3. What are inadequate data sanitisation methods and why do so many enterprises still use them?
Inadequate data sanitisation essentially means any method that cannot guarantee the complete and irreversible removal of data. Primarily this includes, but is not limited to, data wiping methods such as formatting, overwriting using free or paid software-based tools without certification or physical destruction without an audit trail. These methods are not fully secure and can leave businesses open to potential security and compliance issues, so it is surprising that we found 36 per cent of enterprises still using one or more of these methods. A particular concern is that four per cent of enterprises are not sanitising data at all, leaving them wide open to attacks and compliance failure.
Failing to maintain a clear chain of custody with an appropriate audit trail for end-of-life assets, including during transportation to an offsite destruction facility, is simply bad practice and something 17 per cent of enterprises were found guilty of. The reason so many organisations continue to employ inappropriate methods is largely due to popular misconceptions and misplaced trust in existing methods. When asked why their company physically destroys unfunctional hardware or end-of-life equipment, 52 per cent of key decision makers stated that they believed it to be more secure than other data sanitisation methods. In the case of end-of-life devices, this is a misconception as it may not guarantee complete data sanitisation, especially for SSDs (which require shred sizes as small as 2 millimetres).
It’s a common misconception as well that physical destruction is cheaper, quicker and easier than other data sanitisation methods, with half of companies believing this to be the case. It’s simply untrue. A lot of these assumptions fail to account for the time that proper destruction takes.
Q4. What does the rise in popularity of SSDs mean for enterprises and data sanitisation?
SSDs are fast becoming almost as common as Hard Disk Drives (HDDs) in the overall corporate infrastructure. The rising popularity of SSDs has been driven by their increased storage capacity, lower and faster read/write rates, support for more IOPS and lower power usage. However, there are significantly greater security challenges that need to be addressed to ensure SSDs are correctly processed to achieve data sanitisation.
SSDs can be used on their own in a device such as a laptop, but increasingly they are used alongside HDDs which leads to confusion around how to address data erasure. Degaussing is not an effective sanitisation method on most flash-based memory devices, including SSDs. Equally, SSDs are not fully destroyed by standard hard disk drive shredders, leaving the possibility for data to be recovered. Despite this we found that a fifth of all enterprises do not have different processes for dealing with SSDs compared to HDDs, which is cause for concern given that typical HDD shredders will only shred to around 6mm, not enough to fully guarantee sanitisation of SSDs.
Q5. What constitutes data sanitisation best practice?
There are several facets that are important in achieving data sanitisation best practices. It is essential, first and foremost, that an organisation’s data sanitisation policies are up-to-date and communicated across the enterprise. Too often we see enterprises implement new practices but fail to communicate them on a companywide level. Equally, best practice must include the integration of data sanitisation into your asset management process, ensuring remote and immediate erasure of any asset that is reassigned or has reached end-of-life is done with full audit trail according to policy. This is essential as any delays in executing data erasure only increases the potential liability and risk. It will also add operational efficiency if you can automate the data sanitisation process on top of your existing processes.
Equally, if physical destruction is part of an enterprise’s policy, that enterprise should ensure different processes are followed for HDDs and SSDs, paying particular attention to shredding standards. Organisations should also look at improving the management and awareness of end-of-life devices to avoid stockpiling and reducing internal security threats. And finally, a critical hygiene factor for any enterprise is to ensure there is a clear chain of custody of device management or audit trail, including a certified data erasure process.
Fredrik Forslund, VP Enterprise & Cloud Erasure Solutions, Blancco