Although not every company is required to protect each speck of data stored on their IT assets, most businesses find it is in their best interest to do so anyway. However, without proper guidelines to cover the vast range of devices storing data such on servers, hard drives, smartphones, printers, facsimiles, tape and other backup media some data can be overlooked by accident.
In a fast paced and ever evolving IT environment, business executives continuously need to recognise new methods for data protection, not only on working devices but on retired IT assets as well.
According to a global survey, more than 605 of consumers say they are unlikely to do business again with a company that experienced a breach where financial information was stolen. In addition, nearly 50% had the same opinion when it came to data breaches where personal information was stolen.
The vast range and volume of new devices being deployed in the marketplace makes it nearly impossible for companies to safely manage and dispose of excess electronics. Most companies are oblivious to the risks associated with asset disposition and theft, failure to mitigate the risks could have dire consequences.
Xperien CEO Wale Arewa says companies must make sure data is legitimately wiped. “Various options for data destruction exist and there are companies who can do this for you. If done correctly, data wiping procedures are generally 99,999% effective.”
To ensure accountability of data destruction, it is highly recommended that this service be outsourced, especially for companies in need of wiping a large amount of hard drives. It is advised to work with a vendor that is capable of maintaining the system development to support ongoing updates as well as fail-safes for scenarios where the wipe is unsuccessful.
“This will help you feel more confident that your vendor is continuing to improve their systems so you know their solution today, will also be viable tomorrow. Your IT asset disposition vendor should have the operational excellence to ensure nothing will slip through the process and they should also be cognisant of continual technological development,” he explains.
Alternatively, some vendors offer secondary verification of hard drives. This is a process where the vendor will take a percentage of the wiped hard drives and verify again that all data is removed. This could provide further reassurance that all data has been removed securely. This type of service is generally done on a regular basis to maintain the quality of the service and ensure data wiping accuracy.
Either way, if data destruction is done internally or through a specialist company, what happens to the physical hard drive? Some companies can offer holistic solutions that also provide the opportunity to reuse or resell the equipment, providing a higher value recovery and a better solution environmentally.
Arewa warns that companies should review the security of equipment during transit. “Electronics tend to be one of the most sought after products when in transit. One of the most important steps is getting the equipment to the facility for data destruction using secure transportation.”
Physical auditing of the transportation process is the best approach to ensuring equipment arrives safely. It is important to note that when a service provider transports retired IT equipment, the risk isn’t automatically removed. If a company’s laptop was stolen from a truck and data were exposed, the company would still be liable.
“Therefore it is always recommended to have a dedicated truck that only holds your material and to ensure there is a seal on the back of the truck that is recorded prior to departure and upon arrival at the processing facility,” he says.
Alternatively, data destruction can be done at the client premises. Mobile shredding vehicles with shredding technology can now physically destroy thousands of hard drives per day. This service can begin with wiping and/or degaussing of hard drives within the office. Hard drives can then be fed through the physical shredding system right then and there.
Arewa says the costs for a service such as this are minimal when compared to the costs that could accumulate as a result of legal liability and fees, and loss of future business.
While it is important to ensure secure transportation of IT assets, it doesn’t end there. The next step is making sure all items remain secure once they arrive. Security and tracking of IT assets, while they are processed at the disposal facility, is also important.
The security features of the building will protect any confidential or proprietary equipment that could potentially be at risk. Alternatively, thorough tracking of assets through serial number capture, scanned barcodes and sophisticated internal reporting systems, will allow one to know where the assets are and also mitigate risk.
There are various legislations that IT asset disposals have to comply to, these laws help businesses identify and understand security measures that need to be put in place. These include the Protection of Personal Information Act 2013 (PoPI 2013), the National Environmental Waste Management Act 2008 (NEMWA 2008) and the Consumer Protection Act 68 of 2008 (CPA), National Health Act, 2003.
In understanding IT disposal security measures more efficiently, IT executives can quickly and easily narrow down their vendor selection.
“While data security is priority, some vendors offer solutions for the hardware disposition as well. If any equipment still holds resale value, refurbishing and remarketing services can be a great way to maximise your return-on-investment. This is an area however, where you must proceed with caution,” he warns.
If an IT asset has undergone data destruction and no longer holds any resale value, asset disposal would be the next step. It is important to ask questions about the final disposition of one’s end-of-life IT assets because if done irresponsibly, the company would suffer the repercussions.
Recycling vendors usually provide certificates of destruction and recycling, and in some cases allow you to witness the destruction, providing you with a certificate of witnessed destruction as well. These documents could be helpful for compliance or security documentation as well as for any reporting or recognition for environmental efforts.
“This service also leaves you with the peace of mind in knowing your old equipment is shredded into pieces, leaving minimal risk for data retrieval,” he says.
As data breaches become more sophisticated there will only be an increasing number of security protocols to watch for.
Company executives must act swiftly, the grace period for compliance to the Protection of Personal Information Act (PoPI) is nearly over. IT disposal has legislative requirements, staff responsible for IT asset management need to understand the principles of IT Asset Disposal (ITAD) and they need to consider regulatory compliance and the protection of company information.
“The PoPI Act will have serious consequences in the near future. It won’t be long before we start reading about companies that have been fined for non-compliance and this in turn will encourage other companies to adopt the principle of ITAD, which will ultimately protect companies from reputational loss,” he concludes.