Sanitation safeguards

Use these best practices to select data erasure software and to reduce mistakes during the overwriting process.

October 30, 2015
James Kilkelly

In the wake of recent news about cyber crimes against the government and data breaches in the retail industry, data security has become a major issue that is top of mind for consumers and enterprises today.

According to the U.S. Department of Energy, some 3 million data centers operate in the United States presently, and in 2014 Gartner predicted that the “Internet of Things” would increase 30-fold by 2020.

Companies are constantly replacing their IT (information technology) equipment with the latest and greatest in data technology; however, they face an even greater challenge when it comes to disposing of said IT equipment. It’s crucial that all sensitive data be securely removed before a company recycles, reuses or resells IT assets.

Despite the rapid rate of technology innovation and the overwhelming amount of tech-enabled devices in our world today, unfortunately, the right parameters are not always in place to protect data on these devices.

Most companies claim to wipe all of their customers’ important data before decommission, yet more than 50 percent of the “wiped” equipment still has sensitive data on it, leading to a potential data breach, identity theft or regulatory compliance failure, according to research by my company, Apto Solutions.

Although it’s not intentional, incompetence and ignorance ultimately can play roles in the disposal of IT assets that still contain sensitive information. The size of the organization and its ability to train and make its associates aware of the seriousness of data erasure also play parts in the process.

These days, criminals have access to more outlets than they did a decade ago, giving them a larger network through which to benefit monetarily from stolen data. Cyber criminals use the Internet to launder money or to sell sensitive information. It’s important to remember that proper data sanitization goes far beyond pressing “delete”—companies need to use data erasure software to completely sanitize their IT assets.

To properly wipe IT equipment, it’s important for companies to have a detailed understanding of the variety of ways data can be stored on modern devices. Hard drives and other storage media are the obvious devices that need to be sanitized, but people often overlook the data living within devices such as printers, network switches and network routers. Mistakes like this are common across the board when companies lack experience implementing data erasure software. Companies that forgo a verify pass or spot audit can miss important data still living on the equipment they are disposing of.

It’s also crucial to remember post-sanitization aspects, such as reporting and back-end integration.
 

Best practices

Keep these five best practices in mind when choosing and using data erasure software and when advising your clients:

  1. Make sure the software is accredited. The first step to proper data sanitization is to find a reliable, accredited data erasure software vendor. Finding a certified vendor is more important than focusing on the software alone, especially if the operation has a high volume of assets requiring data sanitization. After equipment has been decommissioned, a tool that has been independently certified to thoroughly sanitize data with multiple passes and random bits should be used to wipe the data. (At Apto Solutions, our data erasure software, NetSwiper, is accredited by Hartford, Connecticut-based Open Sky, a TUV Rhineland Co., which helps provide large-scale concurrent sanitization in existing machines.)
    The software should be thoroughly evaluated and certified against an industry-accepted standard (e.g., one from NIST, the National Institute of Standards and Technology) and by an internationally recognized certification body (e.g., ISO, TUV).
    It’s also important to make sure that personnel have been trained and vetted to remove critical data. The consistent execution of vetted processes will add an extra layer of protection, allowing data erasure software to more effectively prevent critical data from falling through the cracks.
     
  2. Verify the software conforms to data wiping standards. Companies need to be aware of the data wiping requirements that are established where they are located, whether they’re under HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry), the EU Database Protection Directive or in one of the 32 U.S. states with data destruction laws.
    A multitude of government and industry standards are in place for data erasure or overwriting. The Department of Defense (DOD) has released its own specification for secure deletion called DOD 5220.22-M. This spec requires three passes: a pass of zeros, a pass of ones and a pass of random data. NIST also released its own overwriting standard called NIST SP 800-88. When choosing data erasure software, companies should make sure that it meets these standards to properly sanitize data and avoid legal consequences.
     
  3. Assess the types of equipment that need to be sanitized. Historically, data erasure solutions have focused on traditional storage media, such as hard drives. Devices outside of PC and server magnetic hard drives, such as copiers, networking equipment or hand-held devices with flash memory, often receive less scrutiny. In today’s world, tablets, smartphones, networking gear and even printers must all be accounted for, and each of these devices requires its own specialized solution. That solution should apply the same rigorous standard (DOD 5220.22-M, NIST SP 800-88 or an equivalent) to all data storage media.
     
  4. Ensure the software offers detailed, serialized reporting. The most important piece of the data erasure process is the verification and possible certification that an asset has been properly sanitized. Without proof of destruction, there is no peace of mind or risk mitigation when it comes to preventing data breaches. Off-the-shelf sanitization software may provide a company with verification but not with an actual certification. That’s where ITAD (IT asset disposition) vendors come into play. A good ITAD vendor has the ability to scale data sanitization operations to handle thousands of assets simultaneously and can provide peace of mind in the form of an official certification that the assets were properly sanitized.

  5. Choose software that can recover IT asset value for remarketing. After making the decision to decommission IT equipment, companies may want to figure out how much those assets are actually worth. The value of the equipment that new technology replaces could reduce the bill and ease the transition process, but that’s only if the right buyers can be found at the right time. Making a spreadsheet of available equipment and sending it out to the usual suspects just won’t cut it if the goal is extracting the most value from decommissioned IT equipment. Companies will want to research and be aware of the true market value or work with a provider that does.

It’s important to note that not all equipment is worth reselling; knowing when to recycle instead of to resell and how to recycle in accordance with regulations could save a company a lot of wasted time, effort and legal trouble.
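To make best practices 2 and 4 concrete, here is an added example (written for this article, not code from the article, from Apto Solutions or from NetSwiper) of the three-pass overwrite the text attributes to DOD 5220.22-M, followed by the verify pass the article recommends and a serialized per-asset report. It runs on an ordinary scratch file so it can be executed anywhere; the file contents, the `SN-PLACEHOLDER-0001` serial and the fake card-number record are constructed for the demo, and deriving the random pass from a per-wipe seed so it can be verified is a design choice of this example, not a requirement of the standard.

```python
import hashlib
import json
import os
import secrets
import tempfile

CHUNK = 64 * 1024                          # I/O granularity in bytes
PASS_ORDER = ("zeros", "ones", "random")   # the three-pass sequence named in the text


def chunk_pattern(pass_name: str, seed: bytes, idx: int, n: int) -> bytes:
    """Expected content of chunk `idx` (length n) for a given pass. The random
    pass is expanded from a secret per-wipe seed with SHAKE-256, so the verify
    pass can recompute it (design choice of this example, not of DOD 5220.22-M)."""
    if pass_name == "zeros":
        return b"\x00" * n
    if pass_name == "ones":
        return b"\xff" * n
    if pass_name == "random":
        return hashlib.shake_256(seed + idx.to_bytes(8, "big")).digest(n)
    raise ValueError(f"unknown pass {pass_name!r}")


def iter_chunks(size: int):
    """Yield (chunk index, byte offset, length) tuples covering `size` bytes."""
    offset = idx = 0
    while offset < size:
        n = min(CHUNK, size - offset)
        yield idx, offset, n
        offset += n
        idx += 1


def overwrite_pass(path: str, pass_name: str, seed: bytes) -> None:
    """Write one full pass over the file and force it out to storage."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for idx, offset, n in iter_chunks(size):
            f.seek(offset)
            f.write(chunk_pattern(pass_name, seed, idx, n))
        f.flush()
        os.fsync(f.fileno())


def verify_pass(path: str, pass_name: str, seed: bytes):
    """Read every byte back and compare it with the expected pattern.
    Returns (chunks checked, chunks that did not match)."""
    size = os.path.getsize(path)
    checked = bad = 0
    with open(path, "rb") as f:
        for idx, offset, n in iter_chunks(size):
            f.seek(offset)
            checked += 1
            if f.read(n) != chunk_pattern(pass_name, seed, idx, n):
                bad += 1
    return checked, bad


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def sanitize_file(path: str, asset_serial: str) -> dict:
    """Run all passes, verify the final one and return a report keyed by the
    asset's serial number (the serialized reporting of best practice 4)."""
    seed = secrets.token_bytes(32)
    size = os.path.getsize(path)
    before = sha256_file(path)
    for pass_name in PASS_ORDER:
        overwrite_pass(path, pass_name, seed)
    checked, bad = verify_pass(path, PASS_ORDER[-1], seed)
    return {
        "asset_serial": asset_serial,
        "bytes": size,
        "passes": list(PASS_ORDER),
        "verify": {"pass": PASS_ORDER[-1], "chunks_checked": checked,
                   "chunks_mismatched": bad},
        "sha256_before": before,
        "sha256_after": sha256_file(path),
        "result": "PASS" if bad == 0 else "FAIL",
    }


def demo() -> dict:
    """Constructed sample: a scratch file holding a fake card-number record is
    sanitized under a placeholder serial. Returns the report plus whether any
    of the original bytes survived the wipe."""
    payload = b"ACCOUNT 4111-1111-1111-1111 " * 5000   # constructed; spans 3 chunks
    fd, path = tempfile.mkstemp()
    os.write(fd, payload)
    os.close(fd)
    try:
        report = sanitize_file(path, "SN-PLACEHOLDER-0001")
        with open(path, "rb") as f:
            residue_found = b"4111-1111" in f.read()
    finally:
        os.unlink(path)
    return {"report": report, "payload_len": len(payload),
            "residue_found": residue_found}


if __name__ == "__main__":
    print(json.dumps(demo()["report"], indent=2))
```

The verify pass is the part that turns a wipe into evidence: it reads the whole target back and compares it with the pattern that should be there, and the report records the serial, the passes run, the chunks checked and the before/after hashes, which is the kind of record an ITAD certification is built on. Two caveats a practitioner will want: writes through a filesystem cannot reach remapped sectors, journal copies or the over-provisioned area of an SSD, so a real sanitizer addresses the whole device and, for flash media, the drive's own sanitize commands; and NIST SP 800-88 Rev. 1 treats a single overwrite pass as sufficient for clearing modern magnetic drives, so the three-pass sequence here follows the article's description of DOD 5220.22-M rather than a requirement of SP 800-88.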
 

When to destroy and when to recycle?

Decommissioning doesn’t have to be the answer to getting rid of old IT assets. Companies should consider when it makes more sense to reuse or resell their assets rather than recycle them. If the value of a certain asset is low, or it has been eclipsed by newer technologies, it more than likely makes sense to recycle it rather than go through data sanitation to repurpose it internally.

On the other hand, if the older assets have sufficient value, value recovery through the data sanitization and remarketing processes is a better, more sensible option. The proceeds earned through value recovery (selling those used assets on the aftermarket) can help offset the costs of other internal IT initiatives.

Finally, companies should consider their internal policies. Some companies prefer the social value gained from disposing of IT assets in a green, eco-friendly manner over earning a bit of extra recycling revenue. For others, the recycling revenue is not as valuable; certifiable physical destruction of assets is more important and is worth the trade-off.

Whichever trade-offs your clients decide to make, be sure to encourage them to take an extra look at their end-of-life processes. What they don’t know yet might hurt them.



James Kilkelly is CEO and founder of Atlanta-based Apto Solutions and Telephone.com. He has held positions with Fortune 500 companies, such as NCR. For more information, visit www.aptosolutions.com or contact jkilkelly@aptosolutions.com.