White Paper ITAD

Five Ways to Improve Your Security During IT Asset Disposition (ITAD)


It’s always in your best interest to protect data stored on IT assets, whether they are working or not. Without structure or guidance, however, data stored on servers, hard drives, mobile devices and other IT equipment can persist even after you thought you had removed it all.

In an evolving environment, IT leaders continuously need to understand new methods for data protection. In the last six or seven years U.S. legislation has recognized the need for secure data removal when IT assets are collected for disposal, but there is currently no federal law regulating the collection and usage of personal data.

Europe took action toward unifying data protection with the introduction of a single law, the General Data Protection Regulation (GDPR). This law came into force in May 2018 and provides structure for businesses anywhere in the world to securely collect, store and use personal information of European Union citizens.

Other parts of the world have laws regulating data privacy, hosting and protection, but these are either industry specific or don’t cover all devices. Regardless, with advances in technology and the increase in cloud computing and connected devices, all regulations will need persistent updates to remain effective.

The development of these data security regulations is largely inspired by the growing awareness of existing data threats and risks. More businesses today are aware of the damage one data breach can cause. Big-name brands that have suffered a data breach have had to be the example to the industry and showcase the effects of allowing a gap in security, even one that may have appeared insignificant. Compliance issues, lawsuits and reputational damage are among the most destructive consequences and are likely to follow a data breach.

In fact, according to a worldwide survey, 81% of consumers would stop engaging with a brand following a data breach. In addition, more than half of respondents (55%) say a company sharing their personal data without permission is even more likely than a data breach (27%) to deter them from using that brand’s products.

Businesses today are therefore focusing on ramping up their cybersecurity. Knowing this, data thieves may search for the less common security gaps where there may not be as much resistance. The security gaps that exist during IT asset disposition are often overlooked. Thankfully, there are things you can do to ensure that, at least during the disposition of your IT equipment, those gaps are filled.

1. Confirm data wiping is executed properly.

Various options for data wiping exist and there are programs you can purchase or companies who can do this for you. If done correctly, data wiping procedures are generally 99.999 percent effective, a percentage acceptable for the U.S. Department of Defense, the German Federal Office for Information Security (BSI) and the UK HMG Infosec Standard No. 5.

While performing this task internally can be a convenient and more cost-effective solution, we like to point out that the statistic holds true only “if done correctly”. It is therefore recommended to ensure accountable data destruction by outsourcing this service, especially for companies that need to wipe a large number of hard drives. It is advised to work with a vendor capable of maintaining the system development needed to support ongoing updates, as well as fail-safes for scenarios where the wipe is unsuccessful. This will help you feel more confident that your vendor is continuing to improve their systems, so you know their solution today will also be viable tomorrow. Your IT asset disposition vendor should have the operational excellence to ensure nothing slips through the process, and they should also be cognizant of any updates or challenges with data erasure. Recently, for example, there have been issues with the wiping of solid state drives and some models of mobile devices.

In addition, some vendors offer secondary verification of hard drives. This is a process where the vendor takes a percentage of your wiped hard drives and verifies again that all data is removed. This could provide you with further reassurance that all data has been removed securely. This type of service is generally performed on a regular basis to maintain the quality of the service and ensure data wiping accuracy. If you are working with a vendor, they can help you evaluate the value of the drive to determine whether wiping is needed. In some cases physical destruction of the drive may be more cost effective.

If this is a task completed internally or through a vendor who solely offers data wiping, what happens to the physical hard drive? A couple of companies are able to offer holistic solutions that also provide the option to reuse or resell your equipment, providing you with opportunities for higher value recovery and an environmentally responsible solution. If you do choose this route, it is advised to be very selective, starting with the development of a comprehensive RFP to assist you in your vendor selection.

2. Review the security of equipment during transit.

Electronics tend to be among the more sought-after products when it comes to cargo theft. In a 2018 report, electronics as a product category ranked second most targeted by thieves, and this doesn’t take into consideration the value of any data stored. Whichever data wiping solution you choose, the first step is getting the equipment to the facility so these services can be conducted. Internationally, the Transported Asset Protection Association (TAPA) sets standards for secure transportation. The certification available through TAPA is one to note; however, a physical examination of the transportation process is the best approach to ensuring your equipment will arrive safely.

It is important to point out that when a vendor drives away with your retired IT equipment, this doesn’t mean the risk is removed as well. If a company’s laptop was stolen from a truck and data were exposed, the company, not the transportation vendor, would be liable for any implications of the data exposure. It is always recommended to have a dedicated truck holding only your material, with a seal on the back of the truck and the seal number recorded prior to departure and upon arrival at the processing facility.

Over the past five years more on-site options for data destruction have arisen. Sims Lifecycle Services has mobile shredding vehicles with shredding technology that can physically destroy thousands of hard drives per day. This service can begin with wiping and/or degaussing of hard drives right in your office. Hard drives can then be loaded onto the truck and fed through the physical shredding system right then and there.

3. Verify asset tracking and facility surveillance.

While it is important to ensure secure transportation of IT assets, it does not end there. The next step is making sure all items will remain secure once they arrive. Security and tracking of IT assets while they are processed at the vendor facility is important for a few different reasons. The security features of the building (which should involve restricted access, 24/7 surveillance, on-site guards, metal detectors and more) will protect any confidential or proprietary equipment that could potentially exist. In addition, thorough tracking of assets through serial number capture, scanned barcodes and sophisticated internal reporting systems will provide you with the ability to understand where your assets are and track these items for internal records.
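The seal-number check from step 2 and the serial-number tracking described above can be reconciled on your own side rather than taken from the vendor's report alone. The following is an added example, not part of the original white paper or any vendor's system; the record layout, the disposition labels and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Disposition labels that close out an asset (assumed labels, not a standard).
CLOSED = {"wiped", "shredded"}

@dataclass
class CustodyReport:
    seal_matches: bool
    missing_on_arrival: set = field(default_factory=set)
    unexpected_on_arrival: set = field(default_factory=set)
    no_final_record: set = field(default_factory=set)

    @property
    def clean(self) -> bool:
        return self.seal_matches and not (
            self.missing_on_arrival or self.unexpected_on_arrival
            or self.no_final_record)

def norm(value: str) -> str:
    # Scanned barcodes and hand-typed entries differ in case and whitespace.
    return value.strip().upper()

def reconcile(departure: dict, arrival: dict, certificates: list) -> CustodyReport:
    shipped = {norm(s) for s in departure["serials"]}
    received = {norm(s) for s in arrival["serials"]}
    closed = {norm(c["serial"]) for c in certificates
              if c["disposition"] in CLOSED}
    return CustodyReport(
        # Seal number recorded at departure must equal the one read on arrival.
        seal_matches=norm(departure["seal"]) == norm(arrival["seal"]),
        missing_on_arrival=shipped - received,
        unexpected_on_arrival=received - shipped,
        # Arrived at the facility but never certified as wiped or destroyed.
        no_final_record=(shipped & received) - closed,
    )

# Constructed sample records (not real assets or seal numbers).
DEPARTURE = {"seal": "0048213",
             "serials": ["SN-A1001", "SN-A1002", "SN-A1003", "SN-A1004"]}
ARRIVAL = {"seal": "0048213 ",
           "serials": ["sn-a1001", "SN-A1002", "SN-A1004", "SN-Z9999"]}
CERTIFICATES = [{"serial": "SN-A1001", "disposition": "wiped"},
                {"serial": "SN-A1002", "disposition": "shredded"},
                {"serial": "SN-A1004", "disposition": "received"}]

if __name__ == "__main__":
    print(reconcile(DEPARTURE, ARRIVAL, CERTIFICATES))
```

Any non-empty set in the report, or a seal mismatch, is a custody gap to raise with the vendor before the batch is closed in your internal records.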

There are certifications valued in the industry that aim to help businesses identify and understand the security measures in place. By understanding security measures more efficiently, IT executives can quickly and easily narrow down their vendor selection. A few of the top security standards that recyclers or data destruction vendors around the world may hold include:

  • ISO/IEC 27001 is a standard that introduces best practices for organizations to manage the security of assets such as financial information, intellectual property, employee details or client data. This global certification is valued among the other ISO standards and is one becoming more common in the IT asset disposition industry.
  • Assured Service (Sanitisation) Scheme (CAS-S) is offered by NCSC for companies wishing to provide sanitization services to owners of highly classified Government data.
  • The National Association for Information Destruction (NAID) is the standards setting body for the information destruction industry. NAID AAA certification verifies the qualifications of certified information destruction providers through a comprehensive scheduled and unannounced audit program. This rigorous process supports the needs of organizations around the world by helping them meet numerous laws and regulations requiring protection of confidential customer information.

4. Understand resale channels and confirm ethical methods for reuse.

While data security is the priority, some vendors offer solutions for hardware disposition as well. If any equipment still holds resale value, refurbishing and remarketing services can be a great way to maximize your return on investment. This is an area, however, where you must proceed with caution.

Most of the time it is ideal to work with one vendor. However, even if you are comfortable with one service your vendor provides, it is smart to do your own due diligence and understand all the services offered, as if you were using separate companies for each service. In the long run it will prove worth your time.

Potential risks include:

  • Selling equipment with recoverable data,
  • Poor tracking of assets (leaving the inventory of remaining assets in question), and/or
  • Inaccurate pricing of items (forgoing potential returns).

There are a few things you can do to add credibility to a vendor’s reuse processes.

Determine how items are resold

If a company uses an ecommerce platform, such as eBay, look up and review their profile to understand their user ratings and become familiar with the inventory and buyers.

See the process firsthand

If possible, go to the site and witness the operation in action. Do the employees appear to have strict standards and protocol? Are the services conducted in a secure environment? Are items being handled carefully, and are they cleaned prior to being packaged and resold?

Often knowing and understanding the infrastructure can provide a better eye for questionable processes.

5. Confirm end-of-life assets are shredded and recycled

If all data has been destroyed and an IT asset no longer holds any resale value, end-of-life disposition would be the next step. It is important to ask questions about the final disposition of your end-of-life IT assets because, if it is done irresponsibly, your company would suffer grave repercussions. There are parts of the developing world that illegitimate recyclers have used to dump old e-waste. If your equipment ended up in a third-world country, someone could potentially pull the asset tags and determine you were a company contributing to the toxic environment and wrongful disposition of e-waste.

Whether you or your vendor is managing data wiping, the process should include removal of hazardous components, shredding of equipment and then separation of the shredded commodities. The commodities of value are then sent to downstream recyclers for reuse. Refined commodities are sold to manufacturers to be made into new products. Recycling vendors will provide certificates of destruction and recycling. In some cases you can witness the destruction, providing you with an additional certificate. These documents could be helpful for compliance or security reporting or might serve as recognition for environmental efforts. This service also leaves you with peace of mind in knowing your old equipment is shredded, leaving minimal risk of data retrieval.

As data breaches become more sophisticated there will only be an increasing number of security protocols. SLS recommends on-site data destruction when possible. The on-site services provided by SLS provide high-level security services that offer businesses maximum return. These five considerations will help validate your vendor selection and avoid risks tied to data exposure as a result of IT asset disposition.

Data Legislation

In an evolving environment, IT leaders continuously need to understand new methods for data protection. Only in the last six or seven years has U.S. legislation recognized the need for secure data removal when IT assets are collected for disposal, but there is currently no federal law regulating the collection and usage of personal data.

Europe began taking action towards unifying data protection with the introduction of a single law, the General Data Protection Regulation (GDPR). This law was recently adopted in April 2016, is coming into force in May 2018, and will provide structure for businesses anywhere in the world to securely collect, store and use personal information of European Union citizens.

Other parts of the world have laws regulating data privacy, hosting and protection, but these are either industry specific or don’t cover all devices. Regardless, with advances in technology and the increase in cloud computing and connected devices, all regulations will need persistent updates to remain effective.

The development of these data security regulations is largely inspired by the growing awareness of existing data threats and risks. More businesses today are aware of the damage one data breach can cause. Big-name brands that have suffered a data breach have had to be the example to the industry and showcase the effects of allowing a gap in security, even one that may have appeared insignificant. Compliance issues, lawsuits and reputational damage are among the most destructive consequences and are likely to follow a data breach.

In fact, according to a worldwide survey, nearly two-thirds (64 percent) of consumers say they are unlikely to do business again with a company that experienced a breach where financial information was stolen. In addition, almost half (49 percent) had the same opinion when it came to data breaches where personal information was stolen.
