A recent study of 1,850 large enterprises worldwide by Blancco, a global supplier of data erasure and diagnostics solutions that help organizations securely remove data from IT assets and devices, reveals a significant gap between data sanitization policies and their actual implementation. While 96% of organizations have a policy in place, only 44% feel that it is fully implemented and communicated across the company. Incomplete data sanitization policies create security risks, as sensitive data can fall into the wrong hands. Many organizations struggle because employees are insufficiently trained in secure data removal when devices reach the end of their lifecycle.
Responsibility is often unclear
The study shows that IT departments are usually responsible for managing end-of-life equipment, but this varies by region. In Japan, 54% of organizations assign this task to IT, while globally, the figure is below half. In many cases, departing employees or their managers (each 22%) are accountable, leading to inconsistencies.
Offsite sanitization increases risks
One-third (34%) of companies perform data sanitization offsite, introducing potential security issues. Lack of control over asset storage during transport and uncertainty about successful data removal are key concerns.
Delays in equipment processing
Only 13% of organizations sanitize devices immediately after their lifecycle ends. Meanwhile, 31% take more than a month, increasing the risk of data breaches due to unsecured storage.
Ownership and communication gaps
While 68% of respondents state that policy ownership is clearly defined, implementation roles are often scattered across functions. Additionally, 31% of organizations have not communicated their data sanitization policy internally, and 20% admit the policy is incomplete.
Policies are often outdated
Although 89% of organizations have policies that are less than a year old, these policies may not cover all critical aspects, leaving gaps in security.
Best practices for better enforcement
Organizations should ensure that data sanitization policies cover all IT assets, including smartphones, tablets, PCs, servers, and virtual machines. Devices should be sanitized immediately after their lifecycle ends, ideally within 24 hours. Preventing sensitive data from leaving company premises and obtaining tamper-proof destruction certificates are crucial. Regular training and policy communication, along with assigning clear responsibilities and conducting internal audits, will strengthen compliance. The "Guidelines for Media Sanitization" from NIST Special Publication 800-88 Rev. 1 can serve as a valuable reference.
Conclusion: bridging the policy-practice gap
The findings highlight the need for organizations to reassess their data sanitization policies to address security risks. Stronger communication, clearer ownership, and strict adherence to best practices are essential to closing the gap between policy and implementation.