Hard drives are found in desktop computers, mobile devices, printers, and consumer electronics (camera systems, TVs, PlayStations, home entertainment systems, and other IoT products).
If your remote or extended workforce communicates for work using any of the above, your IT Asset Destruction Protocol needs to include enhanced hard drive destruction rules. Perhaps surprisingly to most, a study published in 2020 shows that 3 in 5 second hand hard drives still contain the previous owners’ data. As a result, companies and remote employees are inundated with a growing number of destruction solutions and do-it-yourself data destruction methods. Morgan Stanley became the poster child for data destruction lessons learned when they used a data wiping vendor who failed to destroy their data correctly. That data ended up in the hands of consumers, resulting in a $60 million fine.
What makes hard drive destruction even more concerning is that in tests of secondhand hard drives, the drives had indeed been wiped of data, but not permanently, meaning the data could still be recovered.
All employees can unintentionally disregard guidelines on how their equipment should be managed and destroyed appropriately and effectively, and working remotely can make it even less “top of mind.”
Here are some key points companies of all sizes should consider:
- While hard drive destruction is critically important, don’t forget that many devices today store data on chips, not hard drives. Make sure your ITAM policies and procedures cover things like USB drives, solid state drives (SSDs), hybrid hard drives, and network infrastructure. Most importantly, make sure your destruction vendor has the expertise and technology to recognize these high-risk devices and will process them properly.
- Have quarterly meetings to remind employees to keep an open line of communication with the IT department and not be afraid to share situations that IT may need to be aware of. Example: An employee was using their spouse’s computer because they had deadlines to meet and their own computer wasn’t working correctly. That spouse’s computer should now be listed among the devices to be managed by the company. Research shows that employees aren’t always honest about these things for fear of getting in trouble with leadership.
- Look for IT Asset Destruction Vendors who are capable of managing remote and hybrid workplaces. This means they either do not outsource OR have a solid process they can walk you through, giving you the confidence that they know who is destroying the data, how, and when.
- Look for IT Asset Destruction Vendors who are actively engaged in organizations like i-SIGMA. i-SIGMA is the watchdog association for secure data destruction operators and records managers worldwide. Their NAID AAA Certification means facilities are independently audited for regulatory compliance, industry standards, and proper information governance.
- Look for IT Asset Destruction Vendors who have Downstream Data Coverage underwritten by Lloyd’s of London. This coverage is only available to i-SIGMA members who have NAID AAA Certification. No other professional liability insurance covers the unique risks associated with destruction services.
- Remember that in data destruction, you get what you pay for. Saving a few hundred dollars for a necessary service could cost you hundreds of thousands (if not millions) in the case of a data breach. Skilled technicians, industry certifications, insurance coverage, and best in class technology cost service providers money. Any vendor offering “free” or very low cost destruction services could be cutting corners in ways that are likely to increase the risk of a catastrophic security incident.
Data has become our most valuable commodity. Workplace data in particular – employee information, customer data, transactions, financials – is most sensitive and can cause extreme harm if not adequately protected and destroyed when required. The level of trust, professionalism, and customer service a data destruction vendor provides can quite literally affect an organization’s future.
The good news is that data destruction companies are willing to partner with you. But you must be ready to put the time in to find the right partner. That means putting together a vetting process and not shortcutting your decision-making. Lastly, educate your employees: knowledgeable employees are typically more compliant employees. Make sure they fully understand the consequences to the business if a data breach were to take place.
To learn more about vetting your ITAM vendors, check out our Vendor Due Diligence checklist.