News
Print Article

End-of-Life Devices Pose Data Breach Risk

26/11/2019

End-of-life devices not properly sanitized of data can cause compliance issues and make corporate data vulnerable

GDPR, CCPA and the rest of the alphabet soup of privacy laws should have organizations looking more deeply at how and where they store and use data. While most companies have improved their approach to data security in response to privacy laws, too many continue to ignore the data sanitization of devices at end of life, and this exposes the organization to data breaches. New research from Blancco Technology Group found that, globally, organizations’ overconfidence in their data sanitization methods makes them more vulnerable to a data breach, and nearly three-quarters of those surveyed point to the potential problems caused by end-of-life devices.

Data breaches at device end-of-life is a very big problem, said Fredrik Forslund, vice president, Enterprise and Cloud Erasure Solutions at Blancco, in an email interview. For example, a few months ago while researching how often sensitive data remains on pre-owned technology, Blancco purchased 159 drives from professional sellers using eBay in the U.S., UK, Germany and Finland. All of the drives were “guaranteed” by the sellers to be clean from data. That wasn’t the case, however: Almost half (42%) still contained data, with 15% of the information being PII and/or corporate data. Forslund said in that study they found:

  • A drive from a software developer with a high level of government security clearance, with scanned images of family passports and birth certificates, CVs and financial records.
  • 5GB of archived internal office email from a major travel company.
  • 3GB of data from a cargo/freight company, along with documents detailing shipping details, schedules and truck registrations.

Failing to make sure that devices are wiped clean of data sets up organizations for data breaches and violations of data privacy laws.

Where the Risks Are

According to the results in this most recent study, “A False Sense of Security,” 36% reported relying on inappropriate data removal methods—using data wiping methods such as formatting, overwriting using free software tools or paid software-based tools without certification or physical destruction (both degaussing and shredding) with no audit trail.

That is just one of the ways that organizations are risking their data, according to the report. Another risk is in the storage of these end-of-life devices. Eight in 10 said they have a stockpile of out-of-use equipment sitting in storage, and more than half admitted that it takes them more than two weeks to get around to data sanitization of those devices. Another area of risk is the lack of a clear chain of custody of the audit trail for these end-of-life devices, and that includes transporting them to a facility where they are physically destroyed.

The most common issue is a lack of awareness of what is a secure and reliable process for asset disposition, said Forslund. “Companies may do a format or use freeware and assume this is sufficient; however, not running a process where you can confirm that all assets have been processed results in having data left on assets and ultimately can lead to data breaches.”

He recommended using best practice standards and ensuring an audit trail to verify that all assets are covered. What does that look like? According to the report, it includes a review of the current processes and policies that are to be followed by all employees and building integration into asset management solutions to automate process flow, among other steps.

“It is also important to ensure that there are no delays or possible loopholes,” he added. “Often policies on how to run a strong IT asset disposition process and proper data sanitization are out of date or not properly implemented, which can be another factor that leads to poor outcomes.”

When asked what he sees as the biggest and most important takeaway of this study on the risks of data breaches in end-of-life devices, Forslund stressed those best practices policies.

“Update your policy, enforce that policy, and make sure implemented best practice is as automated and integrated into your asset management and data management as possible,” he said. “Do not wait until end of life of the asset to start thinking about what to do. Be proactive and always a step ahead!”

 

To read a original article please click here

General

The Team

Meet the team of industry experts behind Comsure

Find out more

Latest News

Keep up to date with the very latest news from Comsure

Find out more

Gallery

View our latest imagery from our news and work

Find out more

Contact

Think we can help you and your business? Chat to us today

Get In Touch

News Disclaimer

As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[www.gov.UK/government/publications/copyright-acts-and-related-laws]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here www.gov.uk/guidance/exceptions-to-copyright]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email info@comsuregroup.com.