According to a large international study carried out in France and eight other countries by Coleman Parkes Research, large companies have significant shortcomings in data management. The main cause is the lack of data sanitization once devices have reached the end of their life.
Its title sums it up perfectly: “A false sense of security.” The study, commissioned by the Blancco Technology group and carried out in August 2019 by Coleman Parkes Research, warns of poor data management practices. While computer attacks of all kinds are increasing internationally, large companies reportedly show an “exaggerated trust”, an unfounded one, which increases the risk of hacking. While 61% of them say they are “very concerned” about these attacks, 68% paradoxically admit that they use a large proportion of end-of-life devices, which makes them a target of choice.
Among the 1,850 business leaders surveyed, 251 are French. Based on their statements, the study estimates that around “one in two takes considerable risks when cleaning up the data”. Unsuitable methods, such as formatting, overwriting with non-certified tools, or physical destruction (degaussing, shredding) without an audit, top the list of vulnerability factors (47%). These practices “leave the door open to security and compliance problems”, according to the study, which points out that 8% of companies simply do not carry out any sanitization.
Another weak point for companies is their tendency to accumulate stocks of non-operational equipment on site: up to 87% of them in France, the highest of the nine countries studied. Only 2% say they erase data from end-of-life equipment immediately, while 75% wait at least two weeks. “Failing to maintain a clear chain of responsibility”, 28% of large French companies even say they have no audit trail for the physical destruction process, and 36% say they do not record the serial numbers of the disks concerned.
A SITUATION TO ADDRESS URGENTLY
The study reveals other trends. Out of 100 large French companies, 20 have not implemented a differentiated process for SSD and HDD drives, running the risk of not deleting all their data and of not complying with the standards in force. In addition, the companies surveyed reported that 20% of their devices are stored within their premises without being subject to specific measures. “A situation which highlights a huge security problem, which they must immediately remedy,” say the authors of this barometer.
“Large French companies worry about data when their devices reach the end of their life. Although they are aware of the risks involved, many of them still decide to adopt an inadequate protection approach,” explains Fredrik Forslund, Vice President of Erasing Solutions for Large Businesses and Clouds at Blancco. “This highlights huge, worrying gaps in this sector and among French leaders regarding the security and compliance implications of physical destruction and storage of equipment at end of life.”
BETTER INTERNATIONALLY, BUT THE SITUATION REMAINS PROBLEMATIC
Internationally, the situation seems slightly better, even if similar failings are noted. Many multinationals also reported using different methods of data deletion. Out of 100 companies surveyed, 17 said they use physical destruction, 13 cryptographic erasure or encryption, 12 overwriting with free software and 7 paid software. “It is particularly worrying to note that 4% of the foreign companies questioned do not use any method of data cleaning,” notes the study.
Almost as many companies as in France admit to stockpiling out-of-service IT equipment (80%). Only 13% say they immediately erase their end-of-life equipment, compared to 57% within two weeks at best. When asked about their security concerns related to end-of-life equipment, almost three-quarters of them (73%) agree that the number of end-of-life devices makes them vulnerable to data breaches, and more than two thirds (68%) have real concerns about the risk of cyberattacks linked to these same devices. While awareness of the risks is well developed in France and abroad, it is followed by far too little action.