Blancco Technology Group has released new research into how regulations, AI and environmental, social and governance goals are changing enterprise data disposition.

The report has stated that stolen devices and drives are a more common method of data loss than either ransomware or stolen credentials.

About the report

The survey of IT leaders has reported that AI and regulations are driving change in data disposition – leading to an average increase of 46% in compliance investment.

The Blancco 2025 State of Data Sanitisation Report is based on the responses of 2,000 cybersecurity, IT and sustainability leaders from North America, Europe and APAC.

The report unpacks how some of the world’s largest organisations are navigating end-of-life data management amid changing regulations, environmental targets, security strategies and AI adoption.

Data loss management and the threat of AI

The report found that in the last three years, 86% of enterprises have experienced a data breach and 73% of enterprises experienced a data leak.

The most common data losses were through phishing-related breaches according to (54%), followed by improper network configuration (46%) and stolen devices or drives with sensitive data (41%).

By comparison, data breaches due to weak and stolen credentials were reported by only 36% and ransomware by just 32%.

With this risk, Blancco state that businesses should limit the amount of data they hold however the organisation acknowledges that the advances in technology can make this difficult.

A quarter of respondents from the report state that AI has increased the amount of redundant data individuals hold with just over a fifth having articulated that AI is making compliance more difficult.

On the flip side, according to the report many claim that AI is actually helping with data loss, with more than 50% using it to help clearly define data retention and sanitisation.

Compliance complexities driving investment

According to Blancco the landscape of data protection and privacy regulations, cybersecurity frameworks and data destruction best practice standards are complex, with updated standards, national and supra-national regulations and industry-specific demands.

To help meet this compliance burden, more than half of businesses, according to the report, are increasing their investment in this area and the average increase in investment is 46%.

Many businesses (55%) have policies in place when it comes to data disposition and almost all of the remainder (42%) are rolling out or defining these policies.

The desire to meet these obligations has resulted in unnecessary e-waste, with functional devices and drives destroyed to protect any sensitive data stored.

Balancing data loss management with environmental goals

Depending on the type of device, respondents claim that up to 47% of devices destroyed for data security reasons are still functional and 25% of laptops and desktops and 19% of data centre assets, are refurbished without certified erasure – increasing the potential for data loss.

For 17% of the respondents that had experienced a breach or leak, data compromise was caused by redeployed devices or drives that still had sensitive data from prior use. 

Most of the survey respondents claim that environmental goals remain as important as ever.

90% said that sustainability has at least a moderate impact on data disposal and 77% agree that IT and sustainability teams are working closely on data loss management and the data erasure tools to meet sustainability goals.

“Data protection obligations”

Lou DiFruscio, CEO, Blancco said: “Improper data disposal is a hidden risk – and it’s not talked about enough.

“Every business IT leader needs to understand its responsibilities, seek out the best practices that maintain compliance with data privacy regulations and secure data at the finish line.

“Our State of Data Sanitisation Report acknowledges what organisations are dealing with now, then gives compliance, IT and ESG teams insight into how those issues affect their approach to end-of-life data and asset disposition.

“Many large businesses get it, though our report confirms there is still work to do to meet today’s data protection obligations,” finalised DiFruscio.