Dark Reading | Attacks/Breaches | Products and Releases | 11/19/2019 03:00 PM

Research: A third of the world's largest enterprises use inadequate data sanitization to prevent data breaches at end-of-life

Gaps in data sanitization knowledge and policies mean global enterprises are putting their organizations at risk of security and compliance breakdowns

AUSTIN and LONDON -- November 19, 2019 -- New research launched today by Blancco Technology Group (LON: BLTG), the industry standard in data erasure and mobile device diagnostics, outlines the misconceptions that lead so many decision makers to choose inadequate data sanitization methods and put their organizations at risk. Blancco's study, A False Sense of Security, produced in partnership with Coleman Parkes, shows how global enterprises' overconfidence is exposing their organizations to the risk of a data breach, at a time when proper data management should be at the forefront of everything they do. Three quarters (73 percent) agreed that the large volume of different devices at end-of-life leaves their company vulnerable to a data security breach, while 68 percent said they were very concerned about the risk of a data breach related to end-of-life equipment.

This survey of 1,850 senior leaders from the world’s largest enterprises in APAC, Europe and North America reveals that more than one in three organizations take considerable risks with the way they sanitize data at end-of-life. These risks include:

·       Using inappropriate data removal methods – 36 percent reported using methods such as formatting, overwriting with free software tools or with paid software-based tools that lack certification, or physical destruction (degaussing and shredding) with no audit trail. These methods are not fully secure and can leave businesses open to security and compliance issues. Of particular concern, 4 percent of these enterprises are not sanitizing data at all, leaving them wide open to attacks.

·       Keeping large stockpiles of out-of-use equipment within the company and not dealing with it within a suitable time frame – 80 percent of enterprises admitted having a stockpile of out-of-use equipment sitting in storage, and 57 percent reported taking longer than two weeks to erase devices, adding to the risk of internal data breaches and lost data.

·       Failing to maintain a clear chain of custody with an appropriate audit trail for end-of-life assets, including during transportation to an offsite destruction facility – 17 percent of enterprises report not having an audit trail for the physical destruction process, and 31 percent admitted not capturing the drive serial number. This lack of chain-of-custody controls means these enterprises are running the risk of data breaches and non-compliance.

The research also reveals that 17 percent of global enterprises use physical shredding or degaussing for end-of-life devices, even though shredding does not always provide a true, certified audit trail that spans the full chain of custody lifecycle.

“Global enterprises are clearly concerned about data when devices reach end-of-life; however, despite knowing the risks involved, many still choose to use an inadequate approach to protect their organization,” said Fredrik Forslund, Vice President, Enterprise and Cloud Erasure Solutions at Blancco. “This points to a huge and worrying knowledge gap within the sector and among senior leaders about the security and compliance implications of physical destruction and end-of-life equipment lying around.”

Other key global findings include:

·       A fifth (20 percent) of global enterprises (33 percent in the U.S./Canada and the U.K.) do not use a different process for SSDs than for HDDs, and so run the risk of not having all data appropriately sanitized and of non-compliance with industry standards.

·       The enterprises surveyed also reported that 18 percent of their devices are left somewhere within the company with no action taken. This highlights a major security issue and one that should be dealt with immediately.

Key North America findings include:

·       Enterprises in North America use a variety of methods to remove data from their end-of-life devices. Fifteen percent are physically destroying devices (degaussing and shredding), 13 percent are using formatting, 13 percent are overwriting with free software tools, 10 percent are using cryptographic erasure/encryption and 8 percent are overwriting with paid software-based tools that lack certification.

·       Seventy-five percent of U.S. and Canadian respondents reported having end-of-life devices stockpiled in storage, and admitted leaving them unused for some time. Almost half (44 percent) of companies in North America wait more than two weeks before erasing end-of-life equipment.

·       A majority (65 percent) of U.S. and Canadian respondents raised concerns about the risk of a data breach from end-of-life equipment, and 70 percent agreed that the number of different devices at end-of-life leaves them vulnerable to a data security breach. Nevertheless, 77 percent still have full confidence in the secure erasure used for data sanitization within their organization.

Key UK findings include:

·       U.K. enterprises reported using a variety of data removal methods. A fifth (22 percent) use formatting, 15 percent use cryptographic erasure/encryption, 11 percent use physical destruction (degaussing and shredding), 6 percent overwrite with free software tools and 5 percent overwrite with paid software-based tools that lack certification. Most alarming, 9 percent have no method to wipe data at all.

·       Worryingly, 85 percent of U.K. enterprises also confessed to having a stockpile of out-of-use equipment sitting in storage, and enterprises are leaving those devices unused for some time. Only 16 percent of U.K. companies said they erase end-of-life equipment immediately, while 35 percent wait more than two weeks to erase devices, adding to the risk of data breaches and lost data.

·       When asked about their security concerns over end-of-life equipment, 52 percent agreed that the plethora of different devices at end-of-life leaves them vulnerable to a data security breach, while 57 percent were very concerned about the risk of a data breach from end-of-life equipment, the lowest percentages of all the countries surveyed.

For the full analysis, read the complete A False Sense of Security report here: www.blancco.com/false-security

— ENDS —

Methodology:

The primary research was commissioned by Blancco Technology Group and conducted by Coleman Parkes in August 2019. The sample comprised 1,850 senior decision makers, including Heads of Compliance, CFOs, Financial Directors, ITAMs, CISOs, IT Security VPs, Data Protection Officers and Heads of Operations, from 1,850 organizations with 5,000+ employees. The sample was divided between the U.K., the United States, Canada, Germany, France, Japan, India, Singapore and Australia and covered several vertical markets: Healthcare, Public Sector, Pharmaceutical, Financial Services, Technology, Defense, Legal, Manufacturing, Energy, Transport and Advisory.

About Blancco Technology Group

Blancco is the industry standard in data erasure and mobile device diagnostics software. Blancco data erasure solutions provide thousands of organizations with the tools they need to add an additional layer of security to their endpoint security policies through secure erasure of IT assets. All erasures are verified and certified through a tamper-proof audit trail.

Blancco data erasure solutions have been tested, certified, approved and recommended by 15+ governing bodies and leading organizations around the world. No other data erasure software can boast this level of compliance with the rigorous requirements set by government agencies, legal authorities and independent testing laboratories.

With Blancco Mobile Insurance, Blancco Mobile Buy-back/Trade-in and Blancco Mobile Retail solutions, organizations can achieve real-time valuation for mobile devices with a simple solution that enables consistent, accurate and measurable testing, including market-leading cracked-glass detection.

Additionally, mobile processors can achieve operational excellence while maximizing profits with Blancco Mobile Diagnostics & Erasure—a purpose-built solution that features our industry-leading Blancco Mobile Workflows for key processing insights across the entire mobile device lifecycle.
