Data Sanitization: Policy vs. Reality – a research summary

The Coleman Parkes Research has surveyed 1,850 senior decision-makers from enterprises across the world including those located in Australia.

This report found that while the majority (96%) have a data sanitization policy in place, there is a large gap between policy and reality.

According to leading research and advisory body Gartner, “data sanitization is the disciplined process of deliberately, permanently, and irreversibly removing or destroying data stored on a memory device to make it unrecoverable.” This best practice method of data removal ensures organizations do not expose themselves to unnecessary risk.

About the report

The research was undertaken by independent research company Coleman Parkes Research in August 2019.

survey sector and demographic scope

Here is a quick summary of questions and findings:

1) Do you have a data sanitization (e.g. physical destruction, overwriting, formatting a drive…) policy in place in your organization?

Survey question1 - data sanitization
Survey shows that 96% of organizations have a data sanitization policy defined. However, only 44% of those respondents feel that their organization’s data sanitization policy is fully in place and has been communicated across the entire business.
As you can see Australia comes third with 52% of businesses answering ‘Yes, we currently have a data sanitization policy in place communicated across the business’, right after India with 77% and U.S./Canada with 62%.

2) Which of the below groups are the least likely to comply with data sanitization policies?

survey image 2 - graph of groups
A third of enterprises (31%) surveyed felt flexible workers were the least likely to comply with data sanitization policies, while 40% believed contractors or freelancers were the least likely to
understand or comply with their data security policy.

3) Who is responsible for managing and controlling end-of-life equipment as part of your data sanitization policy?

survey image 3 - graph or responsible for managing
From the survey responses, we see that often, an organization’s IT team handles end-of-life asset decommissioning. Enterprises in Japan lead in this area, with 54% of organizations stating their IT team completely manages the end-of-life data sanitization process. Meanwhile, respondents in Australia said their IT team only handles such situations 36% of the time. Globally, the results show fewer than half of organizations rely on their IT teams to manage IT equipment at end-of-life.

4) Where do you primarily perform the erasure/destruction of end-of-life equipment?survey image 4 - where they perform erasure / destruction of end-of-life equipment

34% of enterprise organizations are sanitizing PCs and laptops offsite at end-of-life.
Overall, we saw similar numbers for servers and other data center equipment, with 34% sanitizing equipment offsite. India was the largest outlier, keeping most of its data center equipment onsite during the sanitization process (73%).

Working with a third-party provider to sanitize equipment offsite isn’t necessarily a bad thing, but it does present certain risks. For example, organizations without complete visibility into the chain of custody for their IT assets have no way to prove that the data on their assets wasn’t compromised during the transportation process.

Note that TGR offers onsite as well as offsite data destruction service.

5) How soon do you erase end-of-life equipment?survey image 5 - 5) How soon do you erase end-of-life equipment?

According to our survey results, only 13% of global enterprises are “immediately” sanitizing assets once they reach end-of-life, while 31% take over a month to sanitize their devices. Sanitization takes the longest in Germany and Singapore, with well over 50% of companies taking more than a month to wipe or destroy equipment, putting their companies at risk of equipment loss or theft, and ultimately, a data breach.

Most companies in Australia take 1-3 months while only 10% of them erase data immediately.

The best way to successfully embed this process is to integrate data sanitization of all end-of-life IT assets into existing remote asset management processes.

6) Within your organisation, who is responsible for implementing data sanitization policy?

survey image 6 - 6) Within your organisation, who is responsible for implementing data sanitization policy?
There’s also a lack of ownership regarding how enterprises are complying with their data sanitization policies. The responsibility is spread across different job roles including the Head of Compliance (30%), Head of IT Operations (15%), Head of Operations (14%), Head of Legal (11%) and
DPO (9%). While different organizations will have different individuals overseeing these responsibilities, it’s important that someone takes the lead and clearly communicates data sanitization roles and responsibilities across the full organization.

In Australia, the most likely role to look after the implementation of DS policy is Head of IT Operations (19%), DPO (18), followed with Head of Operations (15%).

A whopping 89 %of respondents reported having a data sanitization policy that is fewer than 12 months old, meaning there may not have been enough time for the policy to be fully enacted
and communicated across the organization.

7 Key Data Sanitization Best Practices:

7 Key Data Sanitization Best Practices:

If you have any questions regarding data sanitization or data destruction, please contact our experienced team or comment below.

Source:
Research Study: Data Sanitization: Policy vs. Reality (PDF, 1.2 MB) or from the official Blancco website here.