4 key elements for a secure data asset disposal initiative
In the era of digital transformation, old IT and office equipment can pile up quickly as organizations migrate to new technologies to innovate, drive efficiencies and enable new ways of working. According to the World Economic Forum, today’s demand for electronic devices is creating the world’s fastest growing waste stream. In fact, in 2018, 48.5 million tons of e-waste was generated from migration, modernization and transformation plans – the equivalent of throwing away 800 laptops every second.
As organizations look to decommission, retire and deactivate legacy technology, they’re often overlooking key security protocols in the process, putting their organizations at tremendous risk.
Consider this staggering statistic: despite 49 percent of organizations reporting they are concerned about security when decommissioning equipment, 63 percent allow their old equipment to pile up in storage without wiping the data, and 60 percent have no IT asset recycling and disposal (ITAD) policies in place to combat this.
No one disputes the case for proper data management, governance and security protocols at the start of a digital transformation project. But these principles can’t be neglected during the final stages.
To achieve security during the final stages, organizations must manage each IT asset through its complete lifecycle. This lasts from procurement through retirement.
Companies often diligently use systems and processes to track equipment as part of their ongoing asset inventory, which is especially valuable during the first and second parts of the product lifecycle. But they’re often too focused on managing the data, hardware and systems that are still in operation versus the hardware and systems that are being retired.
Too often this opens the door for major security vulnerabilities that can impact internal and external stakeholders from employees to customers, as was the case with the Commonwealth Bank breach, which revealed the personal financial history of 12 million customers.
So, what are the key security considerations organizations need to keep in mind when building an ITAD policy to keep critical assets and data safe even during retirement?
Start with a framework
Consider creating a decommissioning and asset management plan that makes data removal from hardware devices a key priority. Evaluate the costs of managing an IT asset disposition plan—as well as the potential costs (legal and otherwise) of not doing it.
Keep in mind that the potential cost of a data breach as a result of not having a secure ITAD plan far outweighs the cost of a thorough ITAD program. Bring together everyone who needs to be involved—IT, legal and office management staff, even C-level executives.
Ask questions like: what regulations does your company need to adhere to? On what assets does your critical data reside? Do you need to keep data for a certain amount of time before destroying it?
While no one plan fits all, there are several components that organizations need to include in a well-crafted ITAD plan. These can include:
- Data destruction
- Asset tracking
- Data security standards
- Regulation compliance
Think and act outside of IT
ITAD isn’t just about IT. Take a big-picture approach to make sure your strategy is holistic.
By gathering multiple stakeholders when developing a framework – including personnel within procurement, IT, finance, facilities, legal, environmental health and safety, and security – you can ensure that your ITAD policy is all-encompassing. Without insight from multiple areas of the business, it’s easy to overlook key factors that could ultimately have negative repercussions for the whole company.
For example, many companies are beginning to implement donation programs where they will donate old IT equipment in an effort to give back to their communities. This often exposes businesses to risk as their data isn’t properly destroyed before donation. Because the IT department may not be involved in these community-focused programs, it’s imperative to include different stakeholders in the ITAD development process.
Additionally, taking input from multiple stakeholders helps to encourage buy-in from their respective areas. This can facilitate easier adoption of the ITAD policy across the business, as each area feels ownership in developing the policy.
Incorporate regional differences
Similarly, it’s important to gather insights from the different geographical regions where the company operates. However, these regional policies may conflict, making one comprehensive policy challenging to develop. This is especially true for large multinational organizations.
To remedy this, I suggest building one core policy that aligns with the main business strategy, and then making modifications according to geographical operations or divisions as necessary.
Address potential risks
As important as it is to involve multiple stakeholders throughout the process to make sure all departments understand the purpose of an ITAD plan, it is equally important to make known the consequences should people fail to comply with the formal plan. Particularly in today’s business landscape, where data breaches are omnipresent and trust between consumers and companies is at an all-time low, employees who do not adhere to the policy should understand the potential for disciplinary action.
In addition, any employee who becomes aware of a violation should be encouraged to report the issue in a timely manner.
As the threat landscape continues to grow, regulations become more complex and the number of devices explodes, having an ITAD policy will continue to increase in importance, especially for companies going through multi-year transformation plans.
For companies operating without one or for those who are disposing of IT assets without holistically considering these key essentials, the risks to the business are clear. It’s imperative to implement an ITAD policy now to protect the business, employees and customers from harm. In fact, it is irresponsible not to; the stakes are too high to discount the importance of security – even during the final retirement phase of data and IT.