Organizations that claim to be compliant with GDPR, CCPA, and other regulations should consider looking at privacy laws more closely. Even though many companies continue to improvise their data security plans, a lack of data sanitization of devices is putting organizations at risk. Research by Blancco Technology Group in August 2019 observed that nearly 73% of surveyed people pointed out that end-of-life devices are a potential security risk.
Decision-makers' current misconceptions lead them to select inadequate data sanitization methods, which puts companies at risk of a breach. The research also found that the self-assured attitude of organizations is leaving them vulnerable to cyberattacks.
Blancco Technology Group surveyed 1850 senior leaders representing the world’s largest enterprises in Europe, APAC, and North America. The study explicitly highlighted an incident where Blancco purchased 159 drives via eBay in countries such as the U.S., U.K., Finland, and Germany. The sellers gave assurances that the devices had been cleaned of data. Unfortunately, that was not the case. Nearly 42% of the devices still contained data, of which 15% was personal information or corporate data. The data retrieved was:
- 5GB of archived office email of a leading travel company.
- 3GB of data belonging to a cargo or freight company with shipping details, schedules, and registrations.
- Scanned copies of family passports and birth certificates belonging to a software developer.
- CVs and financial records with a high level of government security clearance.
Finding the risks
Inefficient methods of data removal are serving as loopholes in data security. A recent study, “A False Sense of Security,” identified that 36% reported relying on inappropriate data removal methods. The data was removed using free tools, methods like formatting, overwriting, or unauthorized, insecure paid software-based tools.
Another risk lies in the storage of the data on these devices. 80% admit that there is a huge stock of out-of-use devices or scrap equipment lying in their storage. The data on these devices is left unattended because of the time involved in sanitizing them. It takes nearly two weeks to remove all data and ensure its sanitization.
Lack of a transparent chain of custody is another risk involved with these end-of-life devices. This includes physically taking them to the place where they are destroyed.
A significant risk in data sanitization comes from ignorance. There is a lack of awareness of security measures and reliable processes for device disposition. Users are usually under the false impression that formatting a device is sufficient. At the organizational level, the absence of a process for verifying the data left on assets can lead to data breaches.
How to sanitize data on a device
- An audit trail with standard practice to verify the assets before disposition.
- Review of the current processes and policies to be followed by all the employees. The policies on a robust IT asset disposition process should be implemented vigorously without loopholes.
- Establishing integration into asset management solutions to automate process flow.
To sum up, updating policies and enforcing them strongly to implement best practices is the best approach towards data sanitization. It helps to be proactive and not wait until the asset destroys itself. End-of-life devices are potential threats to any organization, and they should be attended to with high priority. Everyone using digital assets or devices should have a strong knowledge of the process to destroy different devices. Certified Secure Computer User (C|SCU) is a fundamental program by EC-Council that is meant for everyone who uses digital devices and is connected to the internet. The program helps in understanding the best practices to stay secure and browse safely without risking your data.