The problem with IT asset disposal projects is the chain-of-custody of equipment. Often during audits, equipment is unaccounted for and untracked. The IT director is normally the first person to be accused, but then the blame is shifted to the disposal vendor for taking an inaccurate inventory. Finally, the truck driver is accused of stealing the computers en route to the recycling facility.
Xperien CEO Wale Arewa says securing sensitive data is a daunting task for any business. “Data security laws mandate that organisations implement adequate safeguards to ensure privacy protection of individuals. And the penalties for data breaches are tough.”
Unknowingly, employees often donate old IT equipment to charity organisations or schools that are in desperate need of computers. However, before doing so, they fail to ensure that the hard drives are erased properly. What employees view as a trivial act is in fact a serious data security threat that could create massive liability for the company.
Most organisations take data security seriously and spend exorbitant amounts on IT security including firewalls, network monitoring, encryption, and end-point protection. Although they spend millions guarding against hackers, they often overlook one crucial element of data security – theft of the physical hard drives.
Arewa says many businesses now rely on expert assistance. “The fact that certified electronics recyclers are transporting retired IT assets to vendor facilities to be processed and sanitised can create a false sense of security that blinds executives to the biggest threats. First, there is still the possibility that assets can be lost or stolen in-transit.”
Chain-of-custody is the foundation for indemnification and transfer of liability. It only takes a single missing item to cause a breach. Only a careful, objective examination of tracking data can confirm chain-of-custody — or reveal potential liability.
Company executives must prevent employees from taking retired computers. Acknowledging the risks and inherent conflicts of interest surrounding retired assets will result in more effective ITAD policies and adequate safeguards.
Applying established incident-response procedures to the process of ITAD can help raise awareness of unappreciated vulnerabilities. More importantly, educating senior management about the risks will hopefully secure the resources needed to prevent an ITAD-related breach.
“Treating IT asset disposal as a reverse procurement process will deter insider theft,” he says.