By Michael Vosnos
Global expenditures on information security in 2019 are expected to exceed $124 billion, an increase of 12.4 percent over the previous year, according to Gartner, an industry research firm. This is in response to an increasingly complex threat matrix, more numerous network entry points, and higher levels of sophistication among attackers. Given these massive investments in cyber security, it may seem understandable if some organizations develop a certain sense of self-assuredness regarding their network integrity.
Yet there remains a soft underbelly to the overall cyber security picture, and it is the one that is easiest to solve. End-of-use IT assets that are not properly decommissioned present a significant data security risk to organizations. This is largely because most organizations do not understand the risk their end-of-use devices pose. First, many organizations fail to thoroughly track all of their devices. Dormant IT assets remain in storage or on a shelf for long periods of time until someone decides to do something with them. That task is often delegated to a more junior member of the IT staff, and the cheapest upfront option for disposal is selected. This can even include simply placing end-of-use assets in the dumpster.
Some organizations take at least some measures to remove or destroy their data, either through single- or three-pass wipes and/or hard drive drilling or crushing. While these efforts are better than nothing, they fall far short of proper IT Asset Disposition (ITAD) data sanitization methods. Forensic data recovery efforts have succeeded in recovering data from pieces of hard drive the size of a quarter and from hard drives that have been exposed to water or fire damage.
Organizations may choose to sell their end-of-use assets to a refurbisher. Again, if the downstream vendor does not properly sanitize the data on the devices, sensitive data can find its way into the hands of nefarious actors. A recent study by Stellar of a sample of 311 devices revealed that seven out of ten of the used devices were vulnerable to a data breach. A Canadian computer retailer, Netlink Computer Inc., while filing for bankruptcy, simply abandoned hundreds of its IT assets, which then appeared on Craigslist. It was later confirmed that the desktops, servers, laptops and hard drives contained 13TB of data and nearly 4 million database records. By working with a certified and reputable ITAD vendor, Netlink Computer could have readily and properly decommissioned these assets and sanitized the data they contained.
Again, compared to the cost of maintaining cyber security measures and personnel, the cost of properly decommissioning end-of-use assets is minimal. Compared to the cost of a data breach and the resulting lawsuits and loss of customer confidence, the cost is infinitesimal. In 2011, healthcare provider TRICARE was sued in eight separate privacy lawsuits after a backup tape was lost. The suits sought a combined $4.9 billion in damages. Even when courts rule in favor of the defendants in these cases, the legal costs of defense can easily run into the millions.
The good news is that the remedy need not be cost intensive or time consuming. Organizations need to develop their own IT asset management plan, one which incorporates the retirement phase of the asset lifecycle, and implement it. Employees need to be educated about the potential pitfalls of failing to properly handle their data-bearing devices, and they need to buy into the program. Finally, companies need to select a reputable and certified ITAD vendor who can assist them in the proper decommissioning of their end-of-use assets. A keen ITAD vendor will work with a company to defray the costs of decommissioning while providing the necessary data security compliance and documentation. Again, though, it must be emphasized: any costs associated with proper decommissioning pale in comparison to the cost of failing to sanitize or destroy sensitive data.
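The article's remedy is a lifecycle plan in which a data-bearing asset cannot leave the organization until its data has been sanitized and documented, and in which retired assets do not sit forgotten on a shelf. The following is an added illustration of how such a plan can be enforced in an asset register; it is example code written for this page, not a tool from the author or from any ITAD vendor. The stage names, the 30-day dormancy threshold and the sample assets are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import List, Optional, Tuple


class Stage(Enum):
    """Retirement phase of the asset lifecycle (stage names are assumed)."""
    IN_USE = "in_use"
    RETIRED = "retired"        # removed from service but still holds data
    SANITIZED = "sanitized"    # data destroyed, sanitization record on file
    DISPOSED = "disposed"      # left the organization (sold, recycled, destroyed)


# Permitted transitions: a data-bearing asset must pass through SANITIZED
# before DISPOSED; RETIRED -> DISPOSED is reserved for non-data-bearing assets.
ALLOWED = {
    Stage.IN_USE: {Stage.RETIRED},
    Stage.RETIRED: {Stage.SANITIZED, Stage.DISPOSED},
    Stage.SANITIZED: {Stage.DISPOSED},
    Stage.DISPOSED: set(),
}


class LifecycleError(Exception):
    """Raised when a transition would violate the decommissioning policy."""


@dataclass
class Asset:
    tag: str
    data_bearing: bool                      # e.g. laptop, server, drive: True; monitor: False
    stage: Stage = Stage.IN_USE
    retired_on: Optional[date] = None
    sanitization_record: Optional[str] = None   # certificate id from the ITAD vendor
    history: List[Tuple[date, Stage, Stage]] = field(default_factory=list)


def transition(asset: Asset, new_stage: Stage, on: date,
               sanitization_record: Optional[str] = None) -> Asset:
    """Move an asset to a new stage, enforcing the sanitize-before-dispose rule."""
    if new_stage not in ALLOWED[asset.stage]:
        raise LifecycleError(f"{asset.tag}: {asset.stage.value} -> {new_stage.value} not permitted")
    if new_stage is Stage.DISPOSED and asset.data_bearing and asset.stage is not Stage.SANITIZED:
        raise LifecycleError(f"{asset.tag}: data-bearing asset cannot be disposed before sanitization")
    if new_stage is Stage.SANITIZED:
        if not sanitization_record:
            raise LifecycleError(f"{asset.tag}: sanitization requires a documented record")
        asset.sanitization_record = sanitization_record
    if new_stage is Stage.RETIRED:
        asset.retired_on = on
    asset.history.append((on, asset.stage, new_stage))
    asset.stage = new_stage
    return asset


def dormant_assets(assets: List[Asset], today: date, max_days: int = 30) -> List[str]:
    """Tags of retired, still data-bearing assets that have sat untreated longer than max_days."""
    return [
        a.tag for a in assets
        if a.stage is Stage.RETIRED and a.data_bearing and a.retired_on is not None
        and (today - a.retired_on).days > max_days
    ]


def build_sample_register() -> List[Asset]:
    """Constructed sample inventory (not real asset data)."""
    laptop = Asset("LT-0001", data_bearing=True)
    server = Asset("SV-0042", data_bearing=True)
    monitor = Asset("MN-0100", data_bearing=False)
    transition(laptop, Stage.RETIRED, date(2019, 1, 10))
    transition(server, Stage.RETIRED, date(2019, 3, 1))
    transition(monitor, Stage.RETIRED, date(2019, 3, 1))
    # The monitor holds no data, so it may be disposed of directly.
    transition(monitor, Stage.DISPOSED, date(2019, 3, 5))
    # The server goes to a vendor that returns a sanitization certificate.
    transition(server, Stage.SANITIZED, date(2019, 3, 8), sanitization_record="CERT-EXAMPLE-0042")
    transition(server, Stage.DISPOSED, date(2019, 3, 9))
    return [laptop, server, monitor]


if __name__ == "__main__":
    register = build_sample_register()
    print("dormant:", dormant_assets(register, date(2019, 3, 15)))
    for asset in register:
        print(asset.tag, asset.stage.value, asset.sanitization_record)
```

In the sample register the laptop was retired in January and never sanitized, so the dormancy report flags it; the server cannot be disposed until a sanitization record is attached; the monitor, which holds no data, is allowed to skip that step. The point of the check is that an asset's exit from the organization is blocked by policy, not by the diligence of whoever happens to be handling the shelf that day.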