Compliance: Vulnerabilities in data deletion

Data deletion vulnerabilities are omnipresent. For example, when Donald Trump no longer needs a document, he tears it up and throws it in the trash. Afterwards, an entire department is busy gluing the torn papers back together. For Trump is subject to the Presidential Records Act of 1978, which stipulates that all documents with which he had to deal must be kept. Otherwise, he is liable to prosecution. At least that's what the North American newspaper reported Politico.

However, just as important as archiving requirements for data is its proper deletion. A study published by Blancco Technology Group reveals the most common misconceptions decision makers have about data erasure. The results are inadequate data erasure procedures and unnecessary security risks. The study, A False Sense of Security, conducted by Blancco in collaboration with Coleman Parkes, highlights how corporate overconfidence is jeopardizing data security at a time when sound data management should be a top priority.

More than three-quarters (77 percent) of respondents agreed that the large number of different end-of-life devices poses a data security risk to their organization, and 74 percent said they are concerned about the risk of data breaches related to legacy devices.

The study, which surveyed 1,850 decision makers from the world's largest companies in North America, APAC and Europe - including 259 decision makers in Germany - shows that the end-of-life data erasure processes used for IT devices pose significant security risks in one in three companies in Germany. Causes of these risks include:

• Use of inadequate data removal procedures-32 percent of organizations reported using methods such as formatting, overwriting using free or paid software tools without proper certification, or physical destruction (both demagnetization and shredding) without an audit trail. These methods do not provide complete security. This means that organizations face a potential residual risk of security breaches and compliance violations.
• The hoarding of discarded storage devices in large quantities and the lack of a clear concept for dealing with these devices appropriately within a fixed time window - 78 percent of companies in Germany admitted to storing discarded devices en masse. This is the highest proportion of all countries in which the survey was conducted. Only 11 percent of the companies surveyed said they delete data media immediately after decommissioning. In contrast, 74 percent said they take more than two weeks to do so, which increases the risk of data breaches and data loss in the company.
• The lack of a clear chain of custody with a corresponding audit trail for IT devices that have reached their end of life, including evidentiary documentation of transport to an off-site facility where the devices are destroyed - one-fifth (20 percent) of companies in Germany reported not having an audit trail for physical destruction, and 32 percent admitted to not recording the serial numbers of hard drives. These deficiencies in chain-of-custody put the companies in question at high risk for data breaches and compliance violations.

In addition, the study shows that 20 percent of companies in Germany rely on physical destruction when disposing of their old equipment by demagnetizing it or having it shredded in a shredder. However, shredding in particular does not always provide a certified audit trail for the entire chain of custody.

Other key findings on companies:

• One fifth (20 percent) of companies in Germany do not differentiate between SSDs and HDDs when erasing hard disks, but use one and the same process for this purpose. This carries the risk that the data media are not completely purged of all data and that not all industry standards for deleting data are adhered to.
• In addition, the companies surveyed stated that 20 percent of their IT devices are simply kept in the company without deleting the data on them. This reveals a serious security gap that should be closed immediately.

Key findings at the international level:

• Many of the companies surveyed worldwide use a variety of different methods to remove data. A total of 17 percent use physical destruction (both degaussing and shredding), 13 percent use cryptographic erasure/encryption, 12 percent use formatting, 8 percent use free overwriting software, and 7 percent use paid overwriting software but lack appropriate data erasure certification. Of particular concern, however, is that 4 percent use no data erasure process at all.
• A disturbingly high 80 percent of companies surveyed worldwide admitted to hoarding masses of discarded devices in the enterprise. What's more, many companies are letting these devices sit unused for a while. Only 13 percent of companies said they wipe the disks immediately after they are decommissioned, whereas 57 percent said they take more than two weeks to do so. This increases the risk of data breaches and data loss in companies.
• Nearly three-quarters (73 percent) of respondents agreed that the sheer abundance of disparate devices makes them vulnerable to data breaches when asked about their biggest security concerns related to end-of-life devices. In addition, 68 percent said they were very concerned about the risk of a potential data breach due to data on legacy devices.

The full report, "A False Sense of Security," and an in-depth analysis can be found here: http://www.blancco.com/false-security