Date: 2020-01-19

Q1. Deleting data is not a priority when it comes to hygiene factors for corporate security. Why is that only now becoming a topic of discussion?

Data security for businesses is not a new priority, but deleting data has become more important for C-level executives worldwide. After the introduction of data protection regulations such as the GDPR and the CCPA, companies have made a joint effort to streamline data management processes to ensure compliance. In addition, the risk of data breaches increased with the increase in the attack surface, which was stimulated by the data boom.

One of the key factors in complying with data protection regulations is managing data across an entire lifecycle of IT resources, from purchase to end of life. Instead of tracking the data on old and redundant IT assets and, above all, wasting up to hundreds of thousands of pounds without reselling or recycling these devices – most have been deleted. The deletion of data has appeared on the agenda of the C-Suite because it is safe and inexpensive and guarantees the complete and irreversible removal of data.

Q2. Why should companies care about old and redundant IT resources?

The volume of data processed and stored by companies has grown exponentially in recent decades and will only increase. Although many data stores migrate to the cloud, most companies still store sensitive, business-critical data on site. Organizations should take care of their decommissioned IT resources because they pose potential security threats, can increase e-waste, and can save money if handled appropriately.

Unfortunately, it is all too common for companies to store old IT equipment instead of deleting the data stored on it and processing it for resale on the secondary market. And stockpiling is an incredibly expensive option. A survey of 600 data center experts in Europe, North America and the Asia-Pacific region found that two out of five global companies waste more than $100,000 annually on outdated IT equipment.

The data on these assets is also insecure, since the possibility of a violation always remains until it has been properly cleaned up. It is also critical that companies create an audit trail for all IT assets from purchase to end of life, as there is a significant risk of violation if the devices are lost and are no longer considered.

In fact, in our most recent study, A False Sense of Security, we found that three-quarters of senior executives at the world’s largest companies believe that the company is vulnerable to data breaches due to the large number of different devices at the end of its life. Nevertheless, 80 percent of the companies stated that they had a stock of devices that were no longer used. It was even more shocking to find that a third of the companies we surveyed still used inadequate data cleansing methods to prevent data breaches on IT devices that were no longer used.

Q3. What are inadequate data cleansing methods and why are so many companies still using them?

Inadequate data cleansing essentially means any method with which the complete and irreversible removal of data cannot be guaranteed. This primarily includes data deletion methods such as formatting, overwriting with free or paid software-based tools without certification or physical destruction without an audit trail. These methods are not completely secure and can expose companies to potential security and compliance problems. It is therefore surprising that 36 percent of companies are still using one or more of these methods. Of particular concern is the fact that four percent of companies do not clean any data at all, exposing them to attacks and compliance errors.

It is simply bad practice not to maintain a clear retention chain with an appropriate audit trail for end-of-life equipment, even while it is being transported to an off-site facility, and 17 percent of the companies have been found guilty. The reason why so many companies continue to use inappropriate methods is mainly due to misconceptions by the population and misguided trust in existing methods. When asked why their company is physically destroying malfunctioning hardware or legacy devices, 52 percent of key decision-makers said that this is safer than other data cleansing methods. This is a mistake with old devices, as they may not guarantee complete data cleansing, especially with SSDs (which require shred sizes of only 2 millimeters).

It’s also a common misconception that physical destruction is cheaper, faster, and easier than other data cleansing methods, and half of the companies believe that it is. It’s just wrong. Many of these assumptions do not take into account the time required for proper destruction.

Q4. What does the rise in SSD popularity for business and data cleansing mean?

SSDs are used more and more often than hard drives in the entire corporate infrastructure. The increasing popularity of SSDs is due to their higher storage capacity, lower and faster read/write rates, support for more IOPS and lower power consumption. However, there are significantly larger security challenges that need to be addressed to ensure that SSDs are processed properly to achieve data cleansing.

SSDs can be used alone in a device such as a laptop. However, they are increasingly used in conjunction with HDDs, which leads to confusion about how to erase data. Demagnetization is not an effective disinfection method for most flash-based storage devices, including SSDs. Likewise, SSDs are not completely destroyed by standard hard disk shredders, so that there is the possibility of restoring data. Nevertheless, we have determined that a fifth of all companies have no other processes for handling SSDs than HDDs. This is cause for concern, as typical HDD document shredders only shred to approx. 6 mm, which is not sufficient to completely disinfect SSDs.

Q5. What is a best practice for data cleansing?

There are several aspects that are important to achieve best practices for data cleansing. First and foremost, it’s important that a company’s data cleansing policies are up to date and communicated across the organization. Too often we see companies implementing new practices but not communicating them across the company. Best practices include integrating data cleansing into your asset management process to ensure that all assets that have been reassigned or have reached the end of their life are removed and deleted immediately. This is essential because delays in deleting data only increase potential liability and risk. This also increases operational efficiency if you can automate the data cleansing process in addition to your existing processes.

If physical destruction is part of company policy, the company should ensure that different processes for hard drives and SSDs are followed, with special attention to shredder standards. Organizations should also strive to improve management and awareness of legacy equipment to avoid stockpiling and reduce internal security threats. Finally, a crucial hygiene factor for every company is to ensure a clear monitoring chain for device management or the test path, including a certified data deletion process.

Fredrik Forslund, VP Enterprise & Cloud Erasure Solutions, Blancco

