The Risks and Costs of The Public Sector’s Device Sanitization and Destruction Practices
New report highlights concern over financial costs and environmental impacts associated with device destruction as well as a lack of data sanitization best practices
By Alan Bentley, President of Global Strategy, Blancco
The pandemic has ushered in a large increase in data breaches and associated costs, and the public sector is no exception – rather, government agencies are a prime target. Between 2020 and 2021, IBM reported that the average cost of a breach in the public sector surged nearly 79% globally. This challenge touches all facets of government services, including healthcare, education, transport, utilities, infrastructure, law enforcement, public services, defense, and more. The same report showed that healthcare data breach costs increased from an average total cost of $7.13 million in 2020 to $9.23 million in 2021, a 30% increase.
Public sector organizations are responsible for citizens’ Personally Identifiable Information (PII), Sensitive Security Information (SSI), as well as Critical Infrastructure Information (CII), with all data sources requiring regulatory compliance and protection. With the increased potential for cyberattacks, these organizations have an even bigger responsibility to citizens, and the importance of privacy and data protection is growing among them and lawmakers alike.
New study pokes holes in current public sector data management practices
With the heightened importance and critical role that data security plays in public sector organizations worldwide, we commissioned a study to examine current government IT practices with regard to data management and device sanitization. The study found that a lack of best practices is costing government organizations millions of dollars, creating environmental challenges, and putting public sector data at unnecessary risk.
The study, entitled The Price of Destruction: Exploring the Financial & Environmental Costs of Public Sector Device Sanitization, was conducted independently by Coleman Parkes Research in December 2021 and January 2022. It analyzes data from 596 government employees in nine countries: the United States (U.S.), Canada, the United Kingdom (U.K.), France, Germany, Japan, Singapore, India, and Australia. Fifty-five percent work for organizations with between 1,000 and 4,999 employees, and 45% work for organizations with more than 5,000 employees. The findings detailed below show critical opportunities to improve the financial, environmental, and data security practices within public sector organizations.
Unnecessary physical destruction of storage devices costs millions
In some instances, government agencies mandate physical destruction of devices — for example, if equipment is used to store classified or secret data. However, for unclassified data-bearing assets, physical destruction is unnecessary. This missed opportunity to give old technology a new life increases IT operations and materials costs for already fiscally-constrained public sector organizations.
On a global level, public sector organizations represented in the study reported spending as much as $17 million annually on the physical destruction of solid-state drives (SSDs), a data storage device widely used both independently and within laptops, desktops, and servers. Furthermore, replacement costs added another $40 million, bringing expenses up to $57 million for destroying public sector technology.
For 70 organizations surveyed in the U.S., the costs for SSD destruction and replacement reached between $6.9 million and $7.3 million, with 56% of U.S. respondents feeling confident in their organization’s destruction process. Perhaps this is due to a whopping 38% of respondents erroneously believing that physical destruction is cheaper than alternatives.
Given the supply chain issues as global chip shortages intensify amidst global instability and pandemic fallout, being able to increase the reuse and recycling of IT equipment would be immensely valuable from an operational perspective.
The destruction of IT assets is also increasing environmental costs
The fiscal impact is important, but another area where we all lose is the growing concern for sub-par environmental practices. While 58% of the study’s U.S. respondents agree that the reuse of SSDs is better for the environment than physical destruction, and almost all respondents (93%) say their organization had defined plans to reduce the environmental impact caused by destroying IT equipment, less than a quarter (22%) are actively implementing those plans.
This rise in the creation of e-waste from the destruction of IT assets is in direct conflict with the global objective to ramp up environmentally-conscious practices. These findings underscore the room for improvement in the public sector’s current adoption of sustainable alternatives.
Vulnerable processes for data sanitization are still in use by the public sector
While respondents were mostly well-informed of data protection laws, there were some areas of exception. For instance, 15% of U.S. respondents were “aware only” of NIST SP 800-88 r1 and reported not knowing the guideline's details. Furthermore, some respondents’ processes for carrying out compliant SSD sanitization raise concerns. For example, 74% of U.S. respondents said they reformat drives to sanitize them. Unfortunately, formatting alone can still leave drives vulnerable during transport or storage, and much of the data can be recovered with forensics tools easily available online.
Where do we go from here?
There are a few factors that are changing the data management landscape: accelerated digital transformation, rising numbers of public sector data breaches and global sustainability initiatives. The study highlights that there are significant opportunities for policy reform surrounding SSD data protection. While the findings did show that governments and public sector organizations are committing to sustainability improvements, it is incredibly telling that less than a quarter of organizations across the nine countries surveyed have pushed forward with the actual implementation of those plans. This translates to government and public sector organizations globally still spending hundreds of millions of dollars on destroying and replacing perfectly functional IT equipment, including assets containing SSD storage.
Government spending will always get our attention, but with global e-waste projected to nearly double by 2030, and persistent calls to adopt more environmentally-aware government practices, it is increasingly urgent that government organizations consider sustainable alternatives that extend device life, maintain lock-tight data security on end-of-life SSDs, and ultimately save millions of dollars. A path forward could include efforts to work for increased awareness and regulatory reforms, revisiting both policy requirements and tenders for sustainable SSD sanitization when planning for extended asset lifecycles. These are worthwhile and well-timed initiatives to explore as agency and national policymakers seek to steward financial, environmental, and digital information resources entrusted to their care.
About the Author
Alan Bentley is President of Global Strategy at Blancco, the standard in data erasure and mobile lifecycle solutions. Alan works closely with many enterprise customers and partners to implement data erasure solutions to mitigate security risks and ensure regulatory compliance. This gives him a unique insight into the market and business requirements driving the needs of today’s businesses. Alan has also spoken at industry conferences around the world, including Infosec UK, Gitex Dubai, Govware Singapore, and MWC.
Alan can be reached online at https://www.linkedin.com/in/alan-bentley-7a85421/?originalSubdomain=uk and at our company website http://www.blancco.com/
FAIR USE NOTICE: Under the “fair use” act, another author may make limited use of the original author’s work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material “for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright.” As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner’s exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.