If you’ve never seen a line of kindergartners marching out of a schoolyard hand in hand, the drill goes something like this: Count the kids, file them out, count them again as they file back in. That’s how a teacher ensures that everyone’s accounted for.
It sounds like common sense, but unfortunately, a lot of companies could learn something from this simple exercise when it comes to securing digital information. As the amount of data stored digitally continues to increase, companies are doing all kinds of things to secure private and corporate information. The problem is, many are leaving a gaping hole wide open when they dispose of old computers and other IT equipment.
Companies face many risks when it comes to data breaches. Some occur digitally, some occur when a piece of hardware is stolen from the site, but the one we tend to hear about least often is the risk of disposing of IT assets.
So what can companies do to ensure they’re protected from all sides? We talked to Kyle Marks, CEO of Retire-IT, about some of the most common risks companies face during disposal. (Learn about some of the environmental factors involved in IT disposal. Check out What Happens to E-Waste?)
Companies may not like to think about it, but the greatest risk of a data breach actually comes from IT staff. After all, who is most often responsible for handling the disposal of old computers and other electronics on site? Handing all the responsibility over without controls is tantamount to "allowing the fox to guard the hen house," Marks says. Unfortunately, that's exactly what many companies do.
"By far the biggest risk is before the assets are picked up. Because the people who are responsible for the process are the ones who would report anything missing, they can steal the equipment before anything has been processed," Marks said. "The data’s still on the machines, the network key’s still on the machines. If something gets taken before a qualified vendor can properly process it, it’s gone for good."
Does that mean companies should assume their IT staff will be crooks? Of course not. But a good organizational structure isn’t built on trust, it’s built on controls. That means creating a written policy, enforcing rules and ensuring that there is adequate oversight of those who handle discarded machines.
Marks says that many companies work directly with a recycler to dispose of IT assets and assume they’re covered. The reality is that maybe they are and maybe they aren’t. The best recyclers inventory everything and wipe the hard drives, but Marks says that it’s hard to be assured that’s actually happened.
"We recommend that you destroy/secure data before a move, and that the recycler do it again," he said.
Marks also recommends what he calls a "reverse procurement process" to ensure that any retired equipment that's sent out the door is accounted for right until it’s destroyed.
"Organizations are procurement minded. If you purchased 100 computers and only got 99, it would be noticed. But if a company disposes of 100 computers and one goes missing, it isn’t account for," Marks said.
Reverse procurement involves the use of disposal tags to reconcile inventories, along with establishing and verifying controls, and wiping data on site before sending machines away.
"I’m not advocating that every time a company disposes of equipment they need an armored vehicle to take it to the recycler, but an old computer could mean billions in liability, so it does deserve some attention and some planning up front," Marks said.
A qualified asset disposal vendor can help coordinate these efforts, Marks says, and help companies protect themselves against data leaks.
With more than 550 laws that affect IT asset disposal, it’s crucial that companies get it right, both from an environmental and a security perspective. In 2012, the U.S. Department of Health and Human Services, Office of Civil Rights (OCR) stressed that organizations must have access controls in place to safeguard hardware – even retired equipment. And, as lawsuits against companies that sustain data leaks as a result of asset disposal emerge, it’s clear that companies that fail to safeguard sensitive data and private information could face legal sanctions. A company's responsibility for its data, therefore, starts at the point at which it’s entered into the company's system until the hard drive on which that information resides is destroyed.
Plus, Marks says, if data does leak and companies are found to not have taken appropriate precautions, defending themselves against lawsuits will be much more difficult.
"In cases where there are assets that are unaccounted for, how can you defend that?" he said.
How to Throw Out an Old Computer
Disposing of IT assets has become much more complicated than simply throwing them away. But while companies typically spend lots of time and money looking after data security when equipment’s in use, it’s often overlooked when it’s time to dispose of those very same items. As lawsuits against companies who "lost" data during hardware disposal or recycling continue to emerge, it’s clear that retired equipment can pose just as much of a security risk as the hardware that's still in use. And while many individuals worry about the safety of their data and the consequences a breach could have for their privacy, it’s clear that if data isn’t disposed of properly, companies stand to pay a heavy price.