ty - stock.adobe.com
Businesses failing to wipe data from old endpoints
Organisations are not taking adequate precautions to sanitise data held on endpoints when refreshing their PC or mobile device estates
Business leaders are aware of the need to wipe enterprise data from old PC, notebook and mobile devices, but a third are taking considerable risks when it comes to data sanitisation, including relying on inappropriate tools, according to sector experts at Blancco Technology Group, a supplier of data erasure and device diagnostics services.
Its study, A false sense of security, which was conducted with assistance from Coleman Parkes Research, surveyed 1,850 enterprise leaders in Asia-Pacific, Europe and North America. While it found encouraging signs – in that 96% of those questioned had some kind of data sanitisation process in place – it also uncovered a number of misconceptions that are putting confidential data at risk during IT upgrades.
“Global enterprises are clearly concerned about data when devices reach end-of-life. However, despite knowing the risks involved, many still choose to use an inadequate approach to protect their organisation,” said Fredrik Forslund, vice-president of enterprise and cloud erasure at Blancco.
“This points to a huge and worrying knowledge gap within the sector and among senior leaders about the security and compliance implications of physical destruction and end-of-life equipment lying around,” he said.
The report revealed that 36% of IT leaders reported using data wiping methods such as reformatting, overwriting using free (KillDisk and DBAN, for example) or paid software-based tools without certification, or physical destruction of hard drives – both degaussing and shredding – without conducting a proper audit.
Such methods are not secure and can leave users open to security risks and compliance breaches of data protection regulations. Still more concerning, said Blancco, was that 4% said they were not sanitising data at all.
In contrast, 73% of respondents agreed that the large volume of different devices at end-of-life left them vulnerable to security issues, and 68% were very concerned about a breach occurring as a result of someone gaining access to end-of-life hardware. In the UK, 57% agreed they were vulnerable, and 57% were very concerned about breaches – the lowest percentage point from all of the countries surveyed.
Among other findings, Blancco reported that 80% of enterprises were sitting on a stockpile of old and out-of-use equipment – 85% in the UK – and over half took longer than a fortnight to erase devices.
It also found that 17% of enterprises did not have any kind of audit trail to guarantee chain of custody during any physical destruction processes, including while being transported to offsite reclamation facilities.
The report set out several examples of best practice that businesses can use to ensure their confidential data remains secure when devices are disposed of. These include:
- Ensuring policies are up-to-date and widely disseminated to all staff, not just IT;
- Minimising delays in dealing with old hardware to reduce the risk of it disappearing;
- Putting in place different processes for the physical destruction of solid-state and hard disk drive storage;
- Incorporating asset management solutions to automate data sanitisation processes;
- Paying particular attention to chain of custody of device management, including ensuring that any third-party providers have a certified data erasure process themselves.
Read more about endpoint security
- Researchers at Purdue University and the University of Iowa publish details of several 5G mobile network vulnerabilities.
- A vulnerability in Amazon’s Ring video doorbells left the internet of things devices open to a variety of attacks.
- Report warns that buyers are falling at the first hurdle on security by not including it in their endpoint RFPs and tenders.