Unravelling the Minefield of End of Life IT Equipment

The average cost of a corporate data breach is now estimated to be $4 million¹. Many people focus their concern on the potential fines; however, the largest impact comes from the cost of cleaning up after a data breach and the loss of customer confidence resulting in reduced revenue.

It is estimated that over 2 billion gigabytes of data are created every day across the world. Our use of storage is growing exponentially, and with it, so are the risks and potential financial losses.

Data security is always one of the highest priorities for any IT manager, with huge amounts of time and money invested in network security, penetration testing, encryption, anti-virus software, patches and updates, and everything else security experts like to talk about. However, after several years of working in the ITAD industry, one thing I have noticed is that what happens to kit at the end of its life is, in many cases, not at the top of people’s priority lists. This is probably because new equipment and software are much more interesting to focus on than what to do with your old kit when you have finished with it. I have seen many tenders from customers performing large-scale refresh projects where there are literally hundreds of pages of requirements and questions around the new equipment, and then at the very end of the document there is a single question or specification that simply says, “All legacy equipment being replaced must be disposed of in a secure and environmental friendly manner.” This is usually followed by a question about how much money the customer will get back for their used equipment.

At the other end of the scale, there are companies out there that are obsessed with data security and have very strict ITAD policies. Many of these companies demand services where the security level is appropriate for the handling of government data that could lead to World War 3 – when in reality, the data could at worst give away information readily available on the Internet.

There are many ITAD salespeople who fan these flames of paranoia by pushing for on-site shredding of hard drives, high-security logistics, or a 7-pass data wipe. But remember, it is in the interest of the salespeople to sell you the most expensive option possible so that they can maximise their commissions.

There are many things to consider. For example, should data be destroyed at your own site or is it OK to be done at the ITAD provider’s site? If you are moving kit around, what level of logistics services do you need? This includes considerations such as:
1. Do you require scanning of items to enable full asset tracking?
2. Do you require vetting of logistics staff?
3. Should vehicles be hard-sided or not, and should they be branded or unmarked?
4. Should the vehicles be dedicated or shared?

Then there is the question of which data destruction method to utilise; there are many different ways to destroy data, and these have varying levels of security and cost. Options include:
1. A single-pass wipe, which means drives can be reused and provide a residual value return.
2. Multiple wipes, increasing the level of security. This still protects the residual value but adds cost.
3. Degaussing, which removes the ability to resell the drive and has no visual indicator that it has worked, but is a cheaper alternative to shredding when performed at customer sites and is often more practical.
4. Crushing/drilling/pinning – these are other low-cost options, all of which show physical evidence that they have been completed and deter ordinary criminals. However, these methods destroy the residual value of the unit and the data is still present on the platters despite them not being able to spin up.
5. Shredding, which is the most secure form of data destruction and is typically used for the highest levels of secure data, but is expensive and destroys the residual value.

What is important to understand is that one size does not fit all when it comes to IT disposals; what suits one company may not suit another, and there is a good chance that different business units within the same company will have different needs.

I have heard many times that physically destroying the hard drives at your own site is always the best option; and in many cases, for very highly sensitive data it may be. But as an NHS Trust in the UK found out to its cost, this isn’t always the case. The Trust in question was fined for a data breach after a hard drive was found on eBay containing patient data that was supposed to have been destroyed by the Trust’s ITAD provider through on-site shredding. On-site shredding doesn’t guarantee security if you don’t watch every single hard drive go into the shredder yourself or you don’t have proper audit records.

There are a few pitfalls with what is seen as the most secure option available. Since it can be quite expensive to shred hard drives at customer sites, many companies stockpile large numbers of drives to be shredded at once, because that makes the most financial sense. The problem with this is that the longer you keep data around, the more chance there is of something getting lost or someone stealing it. You are much more likely to have a data breach caused by a member of your own staff than by a disposal company. In some cases you would be better off choosing an alternative data destruction method if it would dramatically reduce the time the data is still on the drives.

Most mobile shredders are built into large trucks, and many customers – particularly those based in city centres – do not have space for these mobile shredders. This can lead to the work being done in a van parked on a road outside your office, which isn’t exactly a controlled secure environment and could be less secure than performing the work at a reputable secure ITAD facility.

Then there is the cost element; not only is having drives shredded at your site normally more expensive than other disposal methods, but you are also destroying the value in the product being shredded. Now, if you do have very commercially sensitive data or you are dealing with government contracts that could lead to the collapse of your country, then the cost shouldn’t even be a consideration (and I am hoping you will have a secure perimeter within which the shredding vehicle can be parked). But if you have a dumb terminal in a call centre with no sensitive data stored on it, you are clearly wasting your money.

It is advisable to assess the level of data you have within your business and the potential damage it can do, and to then do a full risk assessment, balancing the potential risks against the financial costs and also what is physically practical.

For some businesses, the physical locations of equipment may make on-site data destruction impossible, as wiping and degaussing require power and other physical methods require the space to perform them. In other cases, a business may have the perfect area set aside with space and power for activities like this.

The key to getting disposal right is to engage with the right people within your organisation and externally. Your security team will always want the most secure option; your procurement team will always want the cheapest option that can generate the maximum residual value returns; your project management/service management team will want the most practical solution to deliver the most seamless end-user experience possible; and your external suppliers will have their own agenda and profit margins to worry about. The hardest part of all is to balance all of these different needs to make sure you do the right thing for your company – protect it from risk, reduce the total cost of ownership and minimise the cost of change for IT refresh projects, while giving the end users a service they are happy with.

Finding the right ITAD partner is key to getting this delicate balance right. Look for a supplier that has long-standing customers, because suppliers that keep the same customers for decades usually do this by looking after their customers and providing them with the service that is best for their needs, rather than the service that is most profitable for the supplier. It is advisable to talk to potential providers and look for one that is able to offer a range of services to meet your different needs, and that is willing to get to know you and your requirements and provide a service that is going to work for you. Services need to be appropriate for your level of data and your budget, and fit in with what is practical for your business.

It is not unusual for some of the large companies I have worked with to have several different processes set up for different parts of their business. Datacentres contain vast amounts of data that requires additional security, and home workers with encrypted laptops require a very different logistics service compared to bulk collections of unencrypted desktops from a call centre.

No single article is going to cover all of the different options and what is best practice for each equipment type and risk level. The key thing I hope everyone will take away from reading this is that disposals are important; they require a lot of thought as they are more complex than they first look, and if you are writing a tender for a desktop refresh, there should be more than just a couple of lines at the end of the document about it!

For further information, please feel free to contact me or come and see me at the 2016 IAITAM FALL ACE in Dublin, where I will be going into more detail on disposal policies and giving advice on choosing an ITAD provider to meet your needs.

¹Ponemon Institute – ‘2016 Cost of Data Breach Study: Global Analysis’

Please note that all views and opinions within this article are my own and do not represent those of RDC or Arrow.

About Andy Warner

Andy Warner is Head of Corporate Services for RDC, an Arrow Company