Trouble in the trash
IT asset disposal is often an afterthought in equipment lifecycle management, but the dangers of data leakage, and worse, are all too real, reports PAUL HEARNS
28 June 2017
When it comes to IT equipment, from servers and storage to laptops and smart connected devices, the pace of development tends to focus us on procurement of the latest and greatest, rather than on what to do with the end-of-life items.
The reality is that there have never been more options for end-of-life kit, including refurbishment, re-purposing, re-engineering, donation or simple disposal. But at every step, as you let kit go, it must be borne in mind that the data on such items must be properly accounted for.
TechBeat, in association with AMI, asked Irish IT professionals to open up on their IT asset disposal procedures and attitudes, to get some insight into what happens to our old machines once the world has moved on.
The survey was conducted in May with 137 respondents.
There was a broad spread of industry categories represented, though IT (51%), legal (10%) and government (8%) accounted for more than two thirds.
The respondents were first asked about the refresh cycle of desktops and laptops, a primary source of the material in question. The largest proportion (38%) said every 3-4 years, followed by 4-5 years (30%). One in 10 said every six-plus years, with the same proportion saying every 2-3 years, and almost the same (9%) indicating every 5-6 years. Small proportions (2%) said annually or every 1-2 years.
“Nearly half of respondents say that their organisation waits up to four years or longer before replacing its IT equipment,” said Philip McMichael, managing director, AMI. “Companies should be aiming to replace this equipment within a maximum four-year timescale. Standard warranties on most hardware tend to last up to three years, and so after this point companies may find themselves facing a number of issues. These can range from compatibility issues when it comes to integrating new devices with old equipment, to security and performance issues stemming from lack of manufacturer support.”
When it came to why assets were disposed of, the majority (65%) said it was due to old devices being unable to perform sufficiently. However, a third indicated equipment being no longer supported or under warranty. In the multi-choice option, hardware failures (27%), hardware capacity (20%) and reliability for business continuity (20%) also figured.
“The fact that ‘old devices slowing people down in work’ is the main driver prompting organisations to replace their IT equipment highlights that organisations are leaving it too long to upgrade equipment,” said McMichael. “In an ideal scenario, computers should be replaced long before users start noticing slowdown, and definitely before the point of a hardware failure. It’s also critical that companies don’t forget about their servers when they consider upgrading equipment. Continued use of old servers long past their retirement date could seriously threaten your organisation’s business continuity.”
As regards the dangers of data loss, the amount of time an asset sits idle before action is taken can be a major factor. More than one in 10 (13%) indicated that assets could sit around for between two and five-plus years. This contrasts with more than one in five (22%) who said up to two months, but the largest proportion, some 40%, said between three and 12 months.
“This response highlights the number of organisations that don’t have formal processes in place to cover the disposal of end-of-life IT,” McMichael observed. “This is clear as it wouldn’t take a company that did have such processes in place longer than six months to take action to move or process this equipment. Realistically, to minimise the risk of a data breach, end-of-life assets should remain on premise for as short a time as possible. At the very least, equipment should be moved / processed every quarter.”
“The statement by 13% of those surveyed that they don’t know how long these assets remain on-site prior to processing would indicate that, aside from not having a formal system in place to manage disposals, they also don’t keep records of equipment being stored. Without the ability to refer to precise records, it can be extremely difficult for organisations to account for each and every device.”
Responsibility for IT asset disposal is also a key issue, and answers varied, though a majority was clear. The IT manager (62%) was most nominated, though facilities manager (7%), procurement manager (6%) and the CEO (4%) were also of note.
McMichael commented that while it is positive to see the IT manager most nominated, the other responses suggest the process is not always correctly managed.
“While IT managers are the most rational choice to take responsibility for arranging secure disposal of old IT equipment, businesses need to think about who will be held accountable under impending General Data Protection Regulation (GDPR) legislation in the event that something goes wrong.
“Blame will not be confined to IT managers alone; CEOs, board members and the senior management team need to be aware of disposal processes and ensure that they align with the incoming regulation. What’s more, everyone in the organisation should adopt an element of the responsibility for ensuring that the appropriate steps are being taken,” said McMichael.
Which of the following are your most typical means of disposal for retired IT equipment? (two most common)
With the ‘who’ ascertained, the ‘how’ needed to be established. More than half of respondents said they send assets to a third party for retirement. More than a quarter (27%) donate to a school or charity, while 16% donate to an employee, with almost the same (15%) processing assets through normal IT services. Some 5% just store devices, while 4% return them to the OEM or supplier. A now familiar 13% do not know how their IT assets are disposed of.
“Although it is perfectly acceptable, and in many cases desirable, to donate retired IT equipment to schools or charities, or even to employees, it’s essential that data processing is completed in line with regulations,” McMichael reminds. “The simplest way to do this is to ensure that you utilise a fully auditable disposal partner that can, if requested, also assist with the donation of equipment to charity.”
The respondents were asked how data destruction was managed as part of the disposal process. Almost half (48%) said it was taken care of in house. Almost a quarter (23%) outsource to an offsite third party, while 13% outsource to a third party but have the destruction performed on site. Once again, 14% have no idea how their data is destroyed.
For McMichael, this is not altogether positive.
“It is slightly worrying that such a large percentage of respondents are claiming to manage data destruction and wipe or otherwise physically destroy data on-site themselves. Data destruction is a specialist security process that requires advanced tools to ensure that data-bearing equipment is erased to the most stringent global standards. AMI uses data erasure software that is used to perform 50,000 erasures per day worldwide.”
McMichael argues that unless companies are using such tools, which meet or exceed government security specifications, operated by trained specialists, they should reassess their ability to carry out this process themselves.
Furthermore, respondents who worked with a third party were asked whether that provider gave certification or formal confirmation of the erasure of sensitive data and identifiers on end-of-life equipment. More than two thirds (68%) said yes, but a significant 32% said no such confirmation was received.
“That almost a third of organisations that work with a third party provider of IT retirement don’t receive any formal confirmation of the fact that their data has been completely erased is really worrying,” said McMichael. “Organisations that are happy to hand over data-bearing devices without a certification process in place are putting themselves at real risk of a data breach.”
“Moreover, under GDPR failure to properly manage data flows constitutes a data breach, and so these organisations are potentially leaving themselves vulnerable to fines of up to €20 million or 4% of global turnover, depending on which is greater. It is vital that organisations exercise due diligence and insist on the provision of some form of formal confirmation that their data has been erased. This will help to insulate them from data breaches and heavy fines should a breach occur.”
Trust, too, is a key element when using third parties, but as the old saying goes: trust, but verify. In that context, some 40% of respondents do not audit their third party disposal providers for their security processes. Fewer than one in five (18%) do so annually, while 11% do so every two to three-plus years. The don’t knows climb to 31%.
When choosing a means of disposal of devices containing data, what is the most important consideration?
Unfortunately, McMichael says this confirms AMI’s experience in the market.
“In light of GDPR,” he adds, “organisations will need to review this mindset to protect their interests.”
When it came to considerations around the means of disposal for assets, the clear leader (71%) was security, with cost, ease and compliance all featuring around the 10% mark.
The perceived fears for data loss from asset disposal were then gauged. The greatest fear (50%) was company data falling into the wrong hands, namely cybercriminals. Legal fears (16%), brand damage (13%) and future breaches (7%) all paled in comparison.
“It’s interesting to see that companies are most concerned about the potential for their data to fall into the hands of cybercriminals,” McMichael observed, “as this displays an awareness of the growing threat of cyber-crime. While financial loss might previously have been a key concern, this has dropped significantly down the list of priorities.”
“However, while organisations are right to consider this a key risk, they should also be more concerned about the brand damage that can result from cybercriminals getting hold of potentially sensitive company data. This can have long-lasting effects on organisations and, in some cases, even affect their ability to continue trading.”
On a more positive note, respondents were asked about recovering value from asset disposal. More than two thirds (70%) said they do not resell equipment, though of those, 37% would consider it in the future, while a third said they would not allow resale. Some 8% say their third party disposal provider remarkets the equipment, while just 4% sell it on themselves. A somewhat smaller 17% formed the don’t knows.
“If companies truly are putting security as their primary concern when it comes to processing end-of-life IT equipment, then they should reap the rewards of their due diligence and recover the value of this equipment,” said McMichael.
When asked about the magnitude of recovered value, given the small sample size of those who do recover it, the figures were less than conclusive. Some 5% said they recover up to €1,000, while 3% valued it at €3,000-5,000. McMichael said that last year the average recovered amount per asset was €100, indicating that it is an avenue worth pursuing. Such recovered value was most often re-invested in IT (28%), but some (7%) donate it to charity or re-invest in non-IT initiatives (4%).
Respondents were asked how serious the situation would be if data from a retired device got into the wrong hands. The largest group (40%) said it would be serious, with short term financial and reputational damage, but would not constitute an existential threat. Nearly a third (30%) said it would be very serious but again, not necessarily a threat to trading, though the effects would be felt long term. Nearly one in five (18%) said it would not be serious, with only limited effects, but 8% thought it would be extremely serious, perhaps forcing the company to cease trading.
Which of the following consequences of failing to correctly dispose of old IT equipment are you most concerned about?
“It’s interesting to see that nearly one-quarter don’t consider this to be a particularly serious issue,” said McMichael. “It’s highly unlikely that any customers or suppliers, whose data they quite possibly have on file, would be quite so unconcerned if their information was to end up in the hands of a cybercriminal or loose on the Internet.”
“Data processors must reassess their attitudes to prepare for GDPR,” McMichael warns, “and simply must ensure that they treat data in their possession with the utmost care. When it comes to disposing of old IT equipment, this means putting security first and leaving other concerns by the wayside.”