Poor data sanitization practices put public sector data at risk
A study launched by Blancco Technology Group reveals current practices and policies for device sanitization within the public sector.
Researchers spoke to 596 government IT leaders across nine countries. The survey revealed that the governments and public sector organizations represented spend as much as $17M annually on the physical destruction of solid-state drives (SSDs), a data storage device widely used both independently and within laptops, desktops, and servers.
Additionally, replacement costs added another $40M, bringing expenses up to $57M for destroying public sector technology that is often still usable. For 70 organizations surveyed in each country, the costs for SSD destruction and replacement reached between $6.9M and $7.3M for the U.S. and between $6.4M and $6.9M for the U.K.
Environmental costs
With global electronic waste (e-waste) called the “world’s fastest growing domestic waste stream,” the study also explores the environmental costs of physical destruction and the public sector’s current engagement with sustainable alternatives. Unnecessary destruction increases IT operations and materials costs for fiscally constrained public sector organizations. It also fosters increased e-waste creation during a global call for more prudent environmental stewardship.
Although 54% of respondents agree that reuse of SSDs is better for the environment than physical destruction, and 93% say their organization has defined plans to reduce the environmental impact caused by destroying IT equipment, only 21% are actively implementing those plans.
Security concerns
For security reasons, physical destruction is still mandated if decommissioned drives were used to store classified or secret data. For unclassified data-bearing assets, other data sanitization solutions are available.
On the whole, respondents were well informed of their country’s or region’s respective data protection laws. However, some respondents’ processes for carrying out compliant SSD sanitization are concerning. For example, 78% of respondents globally said they reformat drives to sanitize them. Unfortunately, formatting alone can still leave drives vulnerable during transport or storage, and much of the data can be recovered with forensics tools easily available online.
“Governments and public sector organizations are responsible for handling some of the most sensitive information in the world. But several factors, including accelerated digital transformation, rising numbers of public sector data breaches and global sustainability initiatives, are changing the data management landscape,” said Alan Bentley, President of Global Strategy, Blancco.
“With growing environmental and funding pressures, there is a need for these public sector operations to be more sustainable and efficient while maintaining robust security. Public sector organizations must explore SSD sanitization alternatives to demonstrate prudent use of agency funds and a greater contribution to national and international sustainability efforts.”
“We’ve seen several public sector departments benefit from moving away from destroying data bearing assets to reusing them or building up the circular economy. Our study highlights that there are significant opportunities for policy reform surrounding SSD data protection as national policymakers seek to steward financial, environmental, and data resources entrusted to their care,” added Bentley.
As the report concludes, governments and public sector organizations are committing to sustainability improvements, but very few have pushed forward with their implementation. This is resulting in a high cost of SSD destruction and replacement.
With governments and public sector organizations under the spotlight when it comes to spending, it is increasingly urgent that they consider sustainable alternatives that extend device life, maintain lock-tight data security on end-of-life SSDs and, ultimately, save public services millions of dollars.
Device sanitization trends in the public sector
- 41% of respondents say the law mandates physical destruction of SSDs that contain classified data, so they destroy all SSDs “just in case.”
- 22% are unaware of alternative methods of sanitization.
- Between 23% and 52% of organizations within a country believed that physical destruction was cheaper than other sanitization solutions, including those that would facilitate reuse and longer device life.
- 35% believe there is no certified or approved vendor or solution that provides another option for them.
- Between 37% and 45% of our respondents’ devices, or the drives alone, are sent offsite for physical destruction.
- 37% of respondents are “aware of only” NIST SP 800-88 r1 and do not know the guideline’s details.