Safeguarding your data is a business imperative. Regardless of size or industry, confidentiality is vital for maintaining the trust and positive public standing your organisation has earned.
Takalane Kashane, MD of Iron Mountain South Africa
But, in an increasingly regulated and privacy-conscious world, the concerns around a misstep are not limited to your business’ reputation alone – between fines from data protection bodies and potential settlement fees, the fiscal impact of a data leak can be enormous.
The threat of an old laptop
Whilst the threat of cybercrime, phishing and hackers gaining access to digital infrastructure is increasingly well understood and mitigated, the risk of a data breach from tangible physical assets must not be overlooked.
Companies that improperly dispose of outdated equipment or seek to destroy documents containing sensitive information with no thought to the privacy concerns involved, put themselves at a far greater risk of harmful data breaches, unwanted disclosures, and vast reputational and financial damage than they realise.
With the lion’s share of business data still being stored on computers, hard drives and servers, repurposing, recycling or otherwise discarding your IT assets appropriately is key.
IT asset disposal should always follow a defined process. Most crucially, whatever the method of disposition, it is always the owner’s responsibility to ensure that any data on the assets is destroyed.
While businesses today do tend to be savvy enough to know that their IT assets should be erased before they dispose of them, what many do not realise is that erasing data effectively is more complex than simply reformatting a drive or deleting files.
So, with this in mind, here is how to ensure that you are wiping data properly, as well as mitigating other data security risks throughout the IT asset disposition (ITAD) process.
Comprehensive data destruction
Data destruction is the most important part of the entire ITAD process. It must never be overlooked or improperly completed. The very first thing you should do when discarding or repurposing IT equipment is to thoroughly remove any data from it, as best as you are able.
However, truly thorough removal requires specific techniques and tools and sadly, it is not sufficient to simply delete files, empty your device’s virtual ‘bin’ or reformat a disc drive. While a deleted file will be removed from directories, most of the data itself remains untouched.
A reformatted drive deletes the pointers to files, but all it takes is the appropriate software to recover most of the content that existed on that device. Instead, purpose-designed data erasure software that complies with the NIST 800-88 standard should be used, or the hardware needs to be completely physically destroyed, if it cannot be wiped.
When entrusting your asset disposal or recycling to a third-party vendor, make sure that they can demonstrate the use of NIST 800-88-certified software or provide proof of the physical destruction and dismantling of the equipment. A reputable vendor will use certified overwriting software to scrub your data entirely, provide audit reports to verify that the data has been completely removed, and provide certificates of recycling, or proof of destruction and appropriate disposal, for every single asset you assign to their care.
The anticipated boom in e-waste
As soon as an asset leaves your IT team’s possession and the confines of the business premises, it becomes vulnerable – and as more and more employees incorporate flexible working into their schedules, the pressure on organisations to keep track of all equipment integrated across their network increases.
Implementing a defined ITAD process and placing the assets in trusted hands for disposition is therefore the natural next step in minimising an organisation’s data security risk, as equipment gets upgraded and employees adapt to new modern working norms.
Indeed, electronic and electrical waste (e-waste) is the world’s fastest growing waste stream, with a report from the UN establishing that the world currently produces as much as 50 million tonnes of e-waste a year. This is expected to vastly increase, with current trends such as hybrid working fuelling predictions that e-waste will reach 120-million tonnes per year by 2050.
E-waste management is a big challenge for many African countries due to a lack of awareness and environmental legislation as well as restricted resources.
A secure and trackable chain of custody
A quality contractor will offer a secure and fully visible chain of custody from the moment they begin handling your assets until disposition is complete. Real-time asset tracking showing the location and status of equipment at all times is optimal here, as not only does it help to ensure that no equipment is misplaced during the process, but it also adds a layer of assurance that third-party interference is impossible.
Ideally, the item will be scanned onto a tracking system immediately and assigned a unique identifier code. The item should then be scanned and logged at every step of its journey, and each time it leaves or arrives at a new facility, until the full data destruction or, if applicable, successful repurposing of the asset has been recorded.
Furthermore, it is also important to ensure that any processing facilities your assets go through have adequate fire protection, power, HVAC and communication systems, as well as security guards, secure entry systems (i.e., key card entry) and video surveillance.
The improper disposal of IT assets exposes your organisation to unnecessary risks that can otherwise be reasonably avoided. It is well worth adhering to best practices and/or engaging a reputable contractor for this process, so that your chances of suffering any form of data breach are minimised.
The average cost of a data breach is now nearly R50-million, while breach costs have increased by nearly 20% over the last two years. As data protection legislation continues to tighten across the globe, ensuring that all data is fully expunged from any retiring IT asset and that equipment is recycled, repurposed or destroyed in a secure and compliant way, is one of the most critical steps in your entire data security system.
Ensuring a compliant disposal procedure for all your organisation’s data, be it physical or digital, will also ensure that your business can keep track of its environmental impact more successfully, with a view to improving its sustainability across the long-term.