Closing the security gaps in Hardware Disposal

How much money does your company spend on cyber security each year? I am guessing it’s a lot. Probably not as much as the US Government, which is projected to spend $16B – yes, with a “B” – on cyber security in 2016. This is clearly an extremely important area of focus to garner so much investment and attention. Companies are always working to strengthen their firewalls, drive more secure passwords, and educate their employees on best practices. I would be shocked if your company was not on top of these aspects of cyber security, given the staggering amount of money and effort that goes into preventing hackers from getting into your company’s IT infrastructure. What is also staggering is how little companies focus on the disposal of the very assets they spend so much effort and money protecting while those assets are connected to their network.

While it seems that we see spectacular data breaches performed by hackers in the press on a daily basis, there are also the mundane data breaches caused by the improper disposal of data-bearing devices. While they might not get the same coverage by the press, they are just as damaging. When companies dispose of data-bearing devices improperly, thieves can steal them, harvest company and customer data, and sell it to the highest bidder. Each one of these data breaches can cost a company upwards of $3.9 million per occurrence. Privacy Rights Clearinghouse has been keeping track of the number of data breaches since January 2005 on their website, http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP, and the frequency and number of these occurrences are frightening.

A company was curious about how well hard drives are wiped before being resold on the secondary market, so they purchased 200 used hard drives to see what information was still accessible (http://www.scmagazine.com/recycled-hard-drives-rich-with-residual-data-study/article/506361/). The results were not encouraging – 67% of the hard drives had personal data on them, while 10% had company-sensitive information. With all the staggering sums of money and effort spent on keeping data safe, it’s amazing to think that the same data is eventually handed over to the highest bidder. That will not be a pleasant conversation with senior management. This is a direct result of companies not treating the disposal of used IT assets with the same care they spend protecting their network from cyber-attacks and hackers.
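The study above bought used drives and checked what data could still be read from them. As an added example in the same spirit (this is not code from the article or from the study it cites), the Python script below audits a raw disk image the way a receiving team might check a drive a vendor claims to have wiped: it classifies each sector as zero-filled, high-entropy, a recognisable file signature, or residual plaintext, and reports what survived. The sample images, the 512-byte sector size, the signature table and the 7.0 bits/byte entropy threshold are all constructed assumptions for the demonstration.

```python
import math
import random
from collections import Counter

SECTOR = 512  # bytes; the granularity at which the audit reads and classifies

# A few well-known file-signature prefixes ("magic bytes"). Any hit on a drive
# that is supposed to be sanitised is an immediate finding.
SIGNATURES = {
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP / Office container",
    b"\xff\xd8\xff": "JPEG image",
    b"MZ": "Windows executable",
}

# Empirical entropy of 512 random bytes lands around 7.5-7.6 bits/byte, while
# text and structured records sit far lower, so 7.0 is a safe dividing line
# (assumed threshold, not a standard).
HIGH_ENTROPY = 7.0


def shannon_entropy(buf):
    """Bits of entropy per byte of buf (0.0 for an empty buffer)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify_sector(sector):
    """Label one sector: zero, a known file signature, high-entropy, or residual."""
    if not any(sector):
        return "zero"                  # consistent with a zero-fill wipe
    for magic, name in SIGNATURES.items():
        if sector.startswith(magic):
            return "signature:" + name  # recognisable file content survived
    if shannon_entropy(sector) >= HIGH_ENTROPY:
        return "high-entropy"          # random-overwrite pass, or encrypted/compressed data
    return "residual"                  # structured or plaintext data survived


def sample_sectors(total_bytes, sample_count=None, seed=0):
    """Sector indices to read. None scans everything; a fixed seed keeps a
    sampled audit of a large drive reproducible."""
    n_sectors = total_bytes // SECTOR
    if sample_count is None or n_sectors <= sample_count:
        return list(range(n_sectors))
    return sorted(random.Random(seed).sample(range(n_sectors), sample_count))


def audit_image(data, sample_count=None, seed=0):
    """Classify the chosen sectors of a raw disk image (bytes) and report.

    'clean' only means the inspected sectors showed nothing recognisable:
    a high-entropy sector cannot be told apart from encrypted residue without
    knowing which wipe method was actually applied.
    """
    counts = Counter()
    findings = []
    for idx in sample_sectors(len(data), sample_count, seed):
        label = classify_sector(data[idx * SECTOR:(idx + 1) * SECTOR])
        counts[label] += 1
        if label.startswith("signature:") or label == "residual":
            findings.append((idx, label))
    return {
        "sampled": sum(counts.values()),
        "counts": dict(counts),
        "findings": findings,
        "clean": not findings,
    }


def build_sample_images():
    """Constructed 128 KiB images (not real drives): zero-filled, random-filled,
    and a 'wiped' drive where two sectors of customer data were missed."""
    n_sectors = 256
    zero_filled = bytes(SECTOR * n_sectors)

    rng = random.Random(1234)
    random_filled = bytes(rng.getrandbits(8) for _ in range(SECTOR * n_sectors))

    leftover = bytearray(zero_filled)
    pdf = b"%PDF-1.4\n% constructed sample: customer invoice 0001\n"
    leftover[40 * SECTOR:40 * SECTOR + len(pdf)] = pdf
    text = b"name=Jane Example,card_last4=1234,balance=520.00\n" * 8
    leftover[200 * SECTOR:200 * SECTOR + len(text)] = text
    return {"zero_filled": zero_filled, "random_filled": random_filled,
            "leftover": bytes(leftover)}


if __name__ == "__main__":
    for name, image in build_sample_images().items():
        report = audit_image(image)
        verdict = "CLEAN" if report["clean"] else "RESIDUAL DATA"
        print(f"{name:14s} {verdict:13s} sampled={report['sampled']} counts={report['counts']}")
        for idx, label in report["findings"]:
            print(f"    sector {idx}: {label}")
```

On a real drive you would image the device first and pass `sample_count` to inspect a random subset, since a full read of every sector is slow; the trade-off is that a sampled audit can miss the odd surviving sector, exactly the kind the study above found. Treat the verdict as a spot check on the vendor's process, not as proof of sanitisation, and read it alongside the wipe method and certificate the vendor provides.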

There are three things that companies need to evaluate when they are selecting a vendor to handle the disposal of IT assets.

  1. Data Security
  2. Environmental Compliance
  3. Economics

This really is the order of the vetting criteria. It is amazing how, after all that money is spent on firewalls and security protocols, the exact opposite risk/value equation is used here and economics becomes the deciding factor. As an IT professional, your number one objective is to prevent data breaches. Billions are spent on protecting the equipment while it is live, which is all for naught if a hard drive still full of data is handed over to a thief after decommissioning. Yes, removing data from a hard drive prior to disposal does cost more, but what is the cost to your business’ brand of not removing that data? And it’s not only measured in dollars.

Environmental compliance is not only the right thing to do, but also the less expensive option. Consider the impact on your company’s brand when the media finds out that your IT assets are sitting in a landfill where children are playing. So yes, the short-term cost of disposing of your equipment might be higher if you use a quality IT asset disposal vendor, but the long-term cost will be lower and less painful.

What can you do to properly dispose of your IT assets? Use quality, certified vendors. Given the importance of this service to the industry, there are governing bodies with certification processes that help companies vet potential vendors. For security, NAID (National Association for Information Destruction) offers a rigorous certification procedure covering facilities and processes to ensure they comply with best practices. For environmental compliance, there are a few different certifications, with R2 and e-Stewards being the standards. So do your homework before you select your vendor for this critical task. The industry is mature enough to make it pretty easy to find a trustworthy partner to prevent your company’s confidential data from being sold to the highest bidder. You did a great job researching the best vendors and products to keep your IT infrastructure safe. Spend some time on the back end of the process and make sure all your previous hard work protecting your company’s data doesn’t go to waste during decommissioning.