How to Ensure Data on Obsolete Hardware Is Destroyed
Disposing of sensitive data is a complicated business, and an expert in IT Asset Disposition (ITAD) reveals the best way to part ways with obsolete components.
Information is power, but improperly sanitizing obsolete hard drives, storage media, routers and other components is akin to handing information over to cyber-criminals. The IT Asset Disposition (ITAD) industry has made data wiping and—when necessary—crushing components its core function, along with responsibly recycling hardware. ITAD requires a detailed understanding of the ways bits are stored—and it requires specific processes to sanitize the data.
James Kilkelly, an ITAD and security expert (and CEO of Apto Solutions), has seen his share of information that would keep a CIO up at night. Kilkelly shares with CIO Insight how the ITAD process works, who is ultimately responsible for wiping data and the impact improperly recycled technology has on the environment.
CIO Insight: Disposing of sensitive data is slightly more complicated than simply running paper documents through a shredder. How involved is it to wipe IT equipment of sensitive data?
James Kilkelly: Wiping IT equipment requires a detailed understanding of the different ways that bits can be stored on modern devices. While hard drives and other storage media get most of the attention, people often overlook devices like printers, network switches and network routers. You need to know how and where the bits are stored and how to effectively erase them. You also have to know what is worth wiping and what makes more sense to destroy by another method such as crushing.
CIO Insight: Is it incompetence, ignorance or apathy that’s behind how some companies neglect to completely erase equipment destined for recycling or the resale market?
Kilkelly: It is a combination of all three and I believe it is based on the size of the organization and their ability to train and make their associates aware of the seriousness. 10-15 years ago criminals did not have outlets to take the data they stole and capitalize on it monetarily. Today the Internet can be used for basically laundering money or selling sensitive information.
CIO Insight: Who is ultimately responsible for ensuring sensitive data is wiped – frontline IT workers, CIOs or whoever takes possession of IT equipment once it’s outlived its usefulness?
Kilkelly: Typically the transfer of data security responsibilities happens as soon as the device(s) leave the original owner’s property (whether on a 3PL truck or Apto truck, etc.), and stays under the control of the ITAD company until such time that the device has been sanitized or destroyed.
Prior to this, it's mostly frontline IT workers (IT specialists or admins) that own the equipment and occasionally perform data wipes, if they have that capability. Legally, the owning company is responsible for ensuring the appropriate destruction of data, so the responsibility falls on the shoulders of the CIO. This is why picking a trustworthy and competent ITAD partner is so important. If your partner missed something, that can come back to haunt you.
CIO Insight: Walk me through the process of IT Asset Disposition. A 1,000-seat company decides to incrementally replace their desktop workstations. The hallways of this company begin to resemble the Island of Misfit Toys, as bins of outdated and unwanted hardware and equipment await their fate. What happens from there, and how do companies such as Apto Solutions come into the picture?
Kilkelly: Depending on their needs, many companies will go to a site such as Sustainable Electronics Recycling International (SERI) to find a company like Apto Solutions that is R2:2013 certified and that can provide them with data sanitization, remarketing and/or recycling services for their EOL equipment. A request is then received by our company to assist in the removal of the equipment. We will procure a list of assets, site details, timelines, etc., and depending on the situation or company will schedule a site visit. After this preliminary work is completed, we will determine the best route to get their equipment from their facility to ours (third-party logistics, labor, Apto badges, Apto truck). Once the assets arrive at one of our facilities, the real magic happens. The equipment is broken down, sorted and sent on to downstream recycling partners or resold depending on the market and joint value recovery goals.
CIO Insight: Can you give an example of data you’ve found that would keep a CIO or CEO up at night?
Kilkelly: Any leaked information has the potential to introduce legal liabilities. Credit card numbers, user passwords and customer information tend to get most of the headlines, but other data such as internal network configurations and system configuration information can also introduce risk.
While the confidentiality of our customers is of the utmost importance to us, suffice it to say that throughout our 12+ years in operation serving some of the largest companies on the planet, we’ve seen just about everything.
CIO Insight: Do you alert companies when it becomes clear that their process for wiping data is ineffective?
Kilkelly: Yes. We consider it a professional courtesy. We’ve even notified our competitors when it is in the best interest of our customers. In a sense, it is somewhat like the open-source software community—all boats rise with the rising tide. When it comes to ensuring proper data sanitization, we all benefit by improving the processes and tools involved.
CIO Insight: IT equipment contains hazardous components and elements – parts you don’t want sitting in a landfill or working their way into water supplies. As more of the world benefits from the positives of technology, is there an equal concern over tech’s environmental impact?
Kilkelly: Absolutely. E-waste is the fastest growing waste stream in the world and if people aren’t aware of all the heavy metals and toxic components in electronics, then they can unknowingly put entire populations at risk for exposure. It can also happen through their attempt at being environmentally conscious and sending to a company with skewed priorities who will sell non-functioning equipment to countries where they don’t have the means or technology to safely handle what they’ve received. You've probably seen images of Ghana and parts of China in the papers where children are standing over open fires with circuit boards. It's horrific, and we all need to do our part to make sure that this equipment is safely and responsibly recycled or—better yet—reused.
Patrick K. Burke is senior editor of CIO Insight.