Governments not up to date on effective means of data erasure on SSDs

The new report, from data erasure vendor Blancco, says this should be an opportunity for channel partners, who can show public sector customers how save money while also managing their security concerns.

Alan Bentley, President of Global Strategy at Blancco

New research from data erasure provider Blancco Technology Group has been released to spark discussions on policy reform regarding device sanitization options within the public sector as an alternative to their destruction. The data show that a considerable amount of money is wasted destroying SSDs which are not required to be destroyed, and which could have been sanitized and returned to use for less.

“Generally, the findings were a confirmation of what we believed we would find relating to the understanding of security methodology around destruction, the costs associated with it and the treatment of the drives,” said Alan Bentley, President of Global Strategy at Blancco.

The survey found that the public sector organizations examined spend as much as $USD 17,000,000 annually on the physical destruction of SSDs. Replacing them cost another $USD 40,000,000, for a total of $USD 57,000,000 for destroying public sector technology that is often still usable.

“Some types of SSDs, notably that which contained classified or secret material, are required to be destroyed by law,” Bentley said. “There’s also a blur between classified and non-classified, which results in lots of SSDs getting destroyed when an organization has not actually made a determination that they should be destroyed. The report found that while 41% of respondents say physical destruction is legally required to physically destroy SSDs that contain classified data, they destroy all SSDs ‘just in case.’ The two most important issues with this in my mind are the environmental and security issues. Cost becomes the third piece of that equation.”

“Theres a lack of understanding, as well as a lack of policy understanding and clarity,” Bentley added. “Through conversations with the public sector I’ve learned that one of their hardest challenges is to get policies changed. It has to come from very high up. You need to make sure SSDs are not physically destroyed unless they fit specific use cases A B or C. Many put a plan in place because of pressure to do so, but higher-up drive is needed to get it implemented. Research also shows many don’t understand that physical instruction isn’t the cheapest ways to deal with SSDs which are not required to be destroyed. People understood the concept of non-reuse, but didn’t understand the options, There’s a lack of understanding there, as well a lack of policy understanding and clarity.”

Canada did relatively well in the survey, however.

“One positive in the results was that Canada was above average,” Bentley said. “80% of respondents in Canada and 72% globally had plans in place to reduce the impact of IT destruction. That was a positive. There is a difference, however, between expressing commitment to do something and actually doing it. Still, we are encouraged that so many had put plans in place.”

Other Canadian data include an average annual public sector spend on SSD destruction and replacement of between $4.3 and  $4.6 million dollars, that      16% of respondents are actively implementing plans to reduce impact of IT equipment destruction, that 70% of respondents use reformatting to sanitize drives, and that 38% of respondents believe that physical destruction is cheaper than alternatives.

The U.K. numbers were even better, however.

“The UK government has been at the forefront of driving change around organizational impact issues,” Bentley commented. “It makes organizations be more inclined to think about way they can make changes.”

Still, awareness of the most cost effective and efficient way of reformatting drives remains relatively low in the public sector.

“People think that reformatting a drive is an acceptable method of sanitization when it isn’t,” Bentley said. “For the people who are running these processes, even though they have specialized knowledge, it’s still just a much smaller part of the bigger picture of what they do. If no one is shaking their tree, they don’t see a need to do things. There is a lack of desire to make change.”

Blancco, which sold direct for much of its history but evolved in more recent years to a channel-first model, sees helping public sector customers make these changes as a major opportunity for them.

“Channels need to be able to articulate to their customers that there is a cost savings for them, and that they can manage their security concerns at the same time, Bentley indicated. “Customers still have a requirement for help in implementing these plans.”

Blancco’s study, The Price of Destruction: Exploring the Financial & Environmental Costs of Public Sector Device Sanitizationinvolved discussions with 596 government IT leaders across nine countries. For the approximately 70 organizations surveyed in each country, the costs for SSD destruction and replacement reached between $6.9M and $7.3M for the U.S. and between $6.4M and $6.9M for the U.K.