As organisations look to decommission, retire and deactivate legacy technology, they’re often overlooking key security protocols in their IT asset disposition process, putting their organisations at tremendous risk. Paul Flatt from Iron Mountain explains.
In the era of digital transformation, old IT and office equipment can pile up quickly as organisations migrate to new technologies to innovate, drive efficiencies and enable new ways of working. According to the World Economic Forum, today’s demand for electronic devices is creating the world’s fastest growing waste stream. In fact, figures from the Australian Bureau of Statistics show Australians are among the highest users of technology worldwide, with e-waste figures growing exponentially to 539,000 tonnes in the 2018-2019 period.
As organisations look to decommission, retire and deactivate legacy technology, they’re often overlooking key security protocols in their IT asset disposition (ITAD) process, putting their organisations at tremendous risk.
Consider this staggering statistic: the average cost of a data breach revealing a company’s sensitive or confidential information has risen to approximately $4 million. Beyond costs, a breach can also inflict significant collateral damage to the business, as a result of data theft, impaired company reputation or loss of valuable intellectual property.
With the frequency of data breaches in Australia continuing to rise, survey data shows 95 per cent of Australia’s CEOs see cyber risks as a top threat to business growth, with 78 per cent increasing their long-term investments in cybersecurity measures.
So, it is no surprise that risk avoidance is a central theme for business and IT leaders today, especially in the disposal of retired or obsolete IT assets. While proper data management, governance and security protocols are essential at the start of a digital transformation project, many organisations fall short by neglecting these principles during the final stages.
To achieve security during the final stages, organisations must manage each IT asset through its complete life cycle. This lasts from procurement through retirement.
Companies often diligently use systems and processes to track equipment as part of their ongoing asset inventory, which is especially valuable during the first and second parts of the product lifecycle. But they’re often too focused on managing the data, hardware and systems that are still in operation as opposed to the hardware and systems that are being retired.
Too often this opens the door for major security vulnerabilities that can impact internal and external stakeholders from employees to customers.
So, what are the key security considerations organisations need to keep in mind when building an ITAD policy to keep critical assets and data safe even during retirement?
Start with a framework
Consider creating a clear and practical asset management plan that makes data removal from hardware devices a key priority. The first step is bringing together everyone who needs to be involved – from IT, legal and office management staff to C-level executives.
Ask questions like: what regulations does your company need to adhere to? On what assets does your critical data reside? Do you need to keep data for a certain amount of time before destroying it? Does the potential cost of a data breach as a result of not having a secure ITAD plan outweigh the cost of a thorough ITAD program?
While no one plan fits all, there are several components that organisations need to include in a well-crafted ITAD plan. These can include data destruction, asset tracking, data security standards and regulation compliance.
Think and act outside of IT
ITAD isn’t just about IT. Take a big-picture approach to make sure your strategy is holistic.
By gathering all relevant stakeholders when developing a framework, you can ensure that your ITAD policy is all-encompassing. Without insight from multiple areas of the business, it’s easy to overlook key factors that could ultimately have negative repercussions for the whole company.
For example, many Australian companies are beginning to implement donation programs where they will donate old IT equipment in an effort to give back to their communities. This often exposes businesses to risk as their data isn’t properly destroyed before donation. Because the IT department may not be involved in these community-focused programs, it’s imperative to include different stakeholders in the ITAD development process.
Additionally, taking input from multiple stakeholders helps to encourage buy-in from their respective areas. This can facilitate easier adoption of the ITAD policy across the business, as each area feels ownership in developing the policy.
Incorporate regional differences
Similarly, it’s important to gather insights from different geographical regions where the company operates. However, these regional policies may conflict, making one comprehensive policy challenging to develop. This is especially true for large multinational organisations.
To remedy this, it may be practical to build one core policy that aligns with the main business strategy, and then recommend modifications according to geographical operations or divisions as necessary.
Address potential risks
While it is important to involve multiple stakeholders throughout the process to ensure all departments understand the purpose of an ITAD plan, it is equally important to make known the consequences should people fail to comply with the formal strategy. Particularly in Australia’s current business landscape, where data breaches are omnipresent and trust between consumers and companies is at an all-time low, employees should understand the ramifications of not adhering to the policy.
In addition, any employee who becomes aware of a violation should be encouraged to report the issue in a timely manner.
As Australia’s threat landscape continues to grow, with regulations becoming more complex and the number of devices exploding, having an ITAD policy will continue to increase in importance, especially for companies going through long-term transformation plans.
For companies operating without one or for those who are disposing of IT assets without holistically considering these key essentials, the risks to the business are clear. It’s imperative to implement an ITAD policy now to protect the business, employees and customers from harm. In fact, it is irresponsible not to; the stakes are too high to discount the importance of security – even during the final retirement phase of data and IT.
Paul Flatt is the director, secure shred & ITAD, ANZ at Iron Mountain.