Austin – London: According to new research, data sanitization policies are not sufficiently defined and implemented in more than 50% of the largest enterprises in the world.
Blancco Technology Group explores the risks that some of the world’s largest enterprises are taking when creating, executing or communicating their data policies.
Blancco’s study, Data Sanitization: Policy vs. Reality, produced in partnership with Coleman Parkes, reveals why these policies are not sufficiently defined and implemented to ensure the full data sanitization of their IT assets, throughout their entire lifecycle.
Although 96% of the 1,850 senior leaders within these organizations have a data sanitization policy in place, 31% have yet to communicate it across the business. 20% of respondents don’t believe their organization’s policies are finished being defined.
In all, over half of organizations (56%) do not have a data sanitization policy in place that is being effectively communicated across the full company on a regular basis. This is increasing the risk of potential data breaches.
Further discrepancies between data sanitization policy and execution within these organizations include:
· Not taking direct responsibility for IT asset erasure – 22% of employees are responsible for the management and control of their own end-of-life IT equipment when they leave the organization. Another 22% place this responsibility with their line manager. If data sanitization policies haven’t been communicated to either party effectively, the chances of sensitive information being leaked as a consequence of insufficient erasure increase dramatically.
· Leaving equipment languishing in storage areas – 87% of global enterprises admitted not sanitizing assets as soon as they reach end-of-life, while 31% reported taking more than a month to sanitize these devices. This puts companies at risk of equipment loss, theft, and data breaches.
· Performing offsite erasure – 34% of enterprise organizations are sanitizing PCs and laptops offsite at end-of-life. Working with a third-party provider to sanitize equipment offsite isn’t necessarily a bad thing, but it does present certain risks, particularly if organizations don’t have complete visibility into the chain of custody for their IT assets and have no way to prove that the data on their assets wasn’t compromised during the transportation process. Any external contractor needs to provide detailed audit trails for the entire chain of custody and certified erasure at end-of-life for these assets.
· Lacking clear ownership of data sanitization policies – although 68% of respondents felt that ownership of data sanitization policies is clearly communicated within their organization, when asked who was responsible for their implementation, 18% of enterprises stated the Data Protection Officer (DPO), 18% the Head of Operations, 17% the Head of IT Operations and 11% the Chief Information Security Officer (CISO). This lack of clear ownership could suggest enterprises consider data sanitization to be a “checkmark” exercise that must be done to satisfy compliance or operational requirements and that they are not taking data risks seriously.
“The lack of robust data sanitization policies across global enterprises is alarming,” said Fredrik Forslund, VP – Enterprise and Cloud Erasure Solutions, Blancco.
“If they fail to formulate and communicate these policies effectively, at every stage of the data lifecycle, they risk putting significant amounts of potentially sensitive data at risk. It is vital they put processes in place, with clear ownership, and auditability for control, assigned to their senior leadership team to mitigate these risks,” added Forslund.
Other key global findings include:
· A third of the enterprises surveyed also felt that flexible workers were the least likely to comply with data sanitization policies, while 40% believed contractors or freelancers were the least likely to understand or comply with their data sanitization policy.
· There is not only a lack of clear ownership around the implementation of data sanitization policies but also a lack of accountability regarding how enterprises are complying with them.
The responsibility is spread across different job roles including the Head of Compliance (30%), Head of IT Operations (15%), Head of Operations (14%), Head of Legal (11%) and DPO (9%), leaving enterprises open to compliance breakdown and fines.