Companies spend significant resources choosing the right information technology (IT) equipment to invest in — and securing devices throughout their useful lives with firewalls, passwords, encryption, antivirus software and dedicated staff. But security sometimes falls by the wayside when assets are retired. Ongoing attention to security is a priority, because IT equipment typically houses a company’s most valuable intellectual property.
Just because data appears to have been deleted from a device’s hard drive doesn’t mean it’s gone. Some data may be recoverable — even if you smash a device with a sledgehammer — and recovered data can come back to haunt you if it winds up in the wrong hands.
For example, Company A, a fictitious manufacturer, returned two copiers to its equipment leasing company. Neither party erased the devices’ internal hard drives, which stored everything that Company A had copied or scanned over the term of its lease. When the leasing company subsequently sold the copiers to a competitor, the buyer also obtained Company A’s financial data, customer lists and employee records.
Security incidents also can arise when a company resells, recycles or donates its old IT equipment without properly erasing the hard drives. In other breaches, thieves steal assets from dumpsters or unlocked storage sites before management wipes the hard drives. The result? Large volumes of confidential data are left unprotected and vulnerable to theft and fraud.
Bulletproof disposal protocols
Asset-intensive companies need formal companywide IT disposal policies to ensure reliable data destruction. Here’s some guidance to consider when drafting an IT disposal policy:
Rewrite multiple times. Companies can’t just delete data once, because it can still be reconstructed from the device by an IT professional. Many Fortune 500 companies and the federal government follow the Department of Defense protocol, which requires data to be rewritten at least three times.
Consider outsourcing. Companies often turn to outside disposal vendors to ensure safe disposal and factor disposal fees into the total cost of equipment ownership. Equipment retailers, manufacturers and leasing companies also may provide these services upon request.
If you decide to outsource disposal, choose your vendors wisely. The cheapest vendor might skip steps, such as performing background checks on employees and their subcontractors, offering risk indemnification, tracking assets during the disposal process and ensuring that assets are disposed of in an environmentally responsible manner.
Act quickly. Dispose of outdated equipment as soon as you upgrade. Doing so reduces the risk of theft and increases the price you’ll receive at resale.
As IT assets near the ends of their life spans, consider whether the devices can be repurposed. Sometimes equipment can be reused internally to temporarily save the cost and hassle of secure disposal.
Owners of manufacturing and distribution companies are often so focused on the here and now that planning for future catastrophes may fall through…