Zero-Trust, at the definition level, means that an organization should not automatically trust anything inside or outside its perimeter and must instead verify everything trying to connect to its systems before granting access. While Zero-Trust is becoming a widely adopted policy for data security, even among smaller businesses, building Zero-Trust processes for asset management and destruction may seem out of place or even overdone. With employees accessing and using IT equipment from locations outside the network perimeter, it is time for the idea of Zero-Trust to be applied to IT Asset Management and Destruction programs.
Most companies look at Zero-Trust in terms of internet use, email access, network access, and software systems within their organization, but Zero-Trust should apply to all areas of an organization's information security and risk management programs. Since the adoption of the internet in business (for most, this began in the early 90s), companies have grown in their knowledge of access management and in training employees to protect company data. The roll-out of these policies started in organizations that, by nature, needed to be concerned about security (think healthcare and finance), was then adopted by large companies, with smaller businesses finally bringing up the rear. If Asset Management was even a formal process in the early days, it consisted of simple policies like drilling holes into hard drives (a practice that leaves most of the platter surface, and the data on it, intact), donating equipment to charities, and restricting the use of personal equipment. Some companies banned work-from-home for security reasons, and other, more adventurous employers provided equipment for home use.
Either way, employees were monitored, and equipment was handed in at the end of its lifecycle, even if the record-keeping left a lot to be desired. Tracking the serial numbers of hard drives, tying those serial numbers to machine serial numbers, and reconciling equipment inventories with purchase and lease records are all well-established best practices now. Covid-19 and the rush to allow users to work from anywhere now mean that organizations need to step up their processes, and a Zero-Trust approach can reduce risk in every phase of the IT Asset Management lifecycle.
Employers began to experience new issues in managing their equipment with the growth of work from home and low contact situations. These issues were immediate and urgent, leaving little time to create, revise, or even enforce policies and procedures.
“Both small and large companies ran into situations where employees who never worked from home were asked to do so. The immediate need for this change sent them home ill-prepared to manage their equipment (and who touched it). Even being at home with family left them open to others potentially working (or playing) from their equipment. Unsuspecting employees didn’t see it as a threat, and companies began to lose track of who was doing what and who had what,” stated CEO Angie Singer Keating. She goes on to share, “think about the idea of equipment at home; laptops, cell phones, printers, thumb drives, and other external storage devices. The idea of these lying around in homes and cars being used for both personal and business reasons gives the seasoned security manager nightmares. Yet it is happening.”
Here are a few examples:
Employee A is working from home and gives two weeks' notice. Do you trust that there is no company data, and no saved access to company applications, on Employee A's home computers? Even if Employee A was issued a company computer, reports from the COVID period show that employees' guards were down and business happened on cell phones and other home computers, especially when the company-owned computer malfunctioned. The question is: do you, and can you, require that every computer Employee A owns be wiped of company data? And if so, how do you verify that it happened? The honest answer is that you cannot verify a wipe on a device you do not manage; the control that actually works is keeping company data off unmanaged devices in the first place, so the question never has to be asked.
Employee B was never issued a company computer but had been working from home on her own machine. You are now allowing all employees to continue working remotely and, in the process, tightening up your IT Asset Management procedures. While working through this with Employee B, you discover that she gave the computer she had been using for work to her son for college. What do you do?
The above situations depict potential data security threats. Establishing Zero-Trust IT Asset Management with your employees means that while you may believe all your employees are well-intentioned, remote work means they have to pass through a detailed security process. If the employee doesn’t want to or can’t do it, they may not be the best candidate for remote work.
Finally, Zero-Trust in IT Asset Destruction means Zero-Trust with the employee and Zero-Trust with your ITAD vendor. As an ITAD vendor, we believe we should have to walk you through our processes. We believe that you should ask many questions and do your research. We believe there should be a level of insurance and a level of guarantees. You cannot put Zero-Trust policies in place for your employees and then select an ITAD vendor without ensuring they meet the requirements within your policies and procedures.
Zero-Trust policies within IT Asset Management and Destruction mean checking all boxes at the beginning of employment and rechecking them regularly. Donation programs, DIY data destruction, and poor documentation have no place in Zero-Trust programs. Full chain of custody, fully reconciled inventories with certificates of destruction, and expertise with all equipment types and form factors that may contain data are crucial requirements for any legitimate vendor to follow. Reconciled means exactly that: every drive serial your inventory ties to a machine you handed over appears on the certificate, and every serial on the certificate traces back to something you shipped; a certificate that "mostly matches" is a finding, not a close-out.
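The reconciliation called for above (drive serials tied to machine serials, checked against the vendor's certificate of destruction) is easy to describe and easy to get wrong when done by eye over a spreadsheet. The following is an added example, not code from the original page or from any ITAD vendor. It assumes your inventory already records every storage device by serial under its machine serial; the `Asset`, `Reconciliation`, `reconcile` and `summarize` names, and all inventory, manifest and certificate data, are constructed for illustration. A real certificate arrives as a PDF or CSV, so the loader that turns it into `(machine_serial, drive_serial)` pairs is the part you would write against your vendor's format.

```python
"""Reconcile a pickup manifest against an ITAD vendor's certificate of destruction.

Added example with constructed sample data; not a vendor's own tooling or format.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    """One machine in the inventory and every storage device installed in it."""
    asset_tag: str
    machine_serial: str
    drive_serials: tuple


@dataclass
class Reconciliation:
    """Result of comparing what we shipped with what the vendor certifies as destroyed."""
    destroyed: set = field(default_factory=set)         # (machine, drive) confirmed destroyed
    missing: set = field(default_factory=set)           # (machine, drive) shipped, never certified
    misattributed: set = field(default_factory=set)     # (drive, machine per inventory, machine per vendor)
    unknown: set = field(default_factory=set)           # (machine, drive) certified but not in inventory
    not_in_inventory: set = field(default_factory=set)  # manifest machines we have no record of
    not_received: set = field(default_factory=set)      # manifest machines absent from the certificate

    @property
    def clean(self) -> bool:
        """True only when nothing needs follow-up; 'mostly matches' is not reconciled."""
        return not (self.missing or self.misattributed or self.unknown
                    or self.not_in_inventory or self.not_received)


def norm(serial: str) -> str:
    """Serials get retyped at every hop; compare them without case or whitespace."""
    return "".join(serial.split()).upper()


def reconcile(inventory, manifest, certificate) -> Reconciliation:
    """
    inventory:   Assets we own, each drive serial tied to its machine serial
    manifest:    machine serials handed to the vendor on pickup
    certificate: (machine_serial, drive_serial) pairs from the certificate of destruction
    """
    by_machine = {norm(a.machine_serial): a for a in inventory}
    drive_owner = {norm(d): norm(a.machine_serial)
                   for a in inventory for d in a.drive_serials}
    shipped = {norm(m) for m in manifest}
    certified = {(norm(m), norm(d)) for m, d in certificate}
    certified_machines = {m for m, _ in certified}

    r = Reconciliation()
    r.not_in_inventory = {m for m in shipped if m not in by_machine}
    r.not_received = {m for m in shipped if m not in certified_machines}

    # Every drive we believe was inside a shipped machine must come back certified.
    expected = {(m, norm(d)) for m in shipped if m in by_machine
                for d in by_machine[m].drive_serials}

    for m, d in certified:
        if (m, d) in expected:
            r.destroyed.add((m, d))
        elif d in drive_owner:
            # The drive exists in our records but under another chassis: a swapped
            # drive, a transcription error, or a drive that should not have shipped.
            r.misattributed.add((d, drive_owner[d], m))
        else:
            r.unknown.add((m, d))

    certified_drives = {d for _, d in certified}
    r.missing = {(m, d) for m, d in expected if d not in certified_drives}
    return r


def summarize(r: Reconciliation) -> list:
    """Follow-up items, one per line, for the disposal audit file."""
    lines = [f"{len(r.destroyed)} drive(s) confirmed destroyed"]
    lines += [f"MISSING: drive {d} from {m} has no certificate" for m, d in sorted(r.missing)]
    lines += [f"MISATTRIBUTED: drive {d} is recorded in {ours} but certified under {theirs}"
              for d, ours, theirs in sorted(r.misattributed)]
    lines += [f"UNKNOWN: drive {d} certified under {m} is not in inventory" for m, d in sorted(r.unknown)]
    lines += [f"NOT IN INVENTORY: {m} was shipped but never recorded" for m in sorted(r.not_in_inventory)]
    lines += [f"NOT RECEIVED: {m} is on the manifest but not on the certificate" for m in sorted(r.not_received)]
    return lines


# Constructed sample data: a laptop with two drives, a desktop, a laptop still in
# service, a laptop the vendor never logged, and a printer nobody inventoried.
INVENTORY = [
    Asset("A-1001", "SN-LAPTOP-01", ("WD-111", "NVME-222")),
    Asset("A-1002", "SN-LAPTOP-02", ("SSD-333",)),
    Asset("A-1003", "SN-DESKTOP-03", ("HDD-444", "HDD-555")),
    Asset("A-1004", "SN-LAPTOP-04", ("SSD-666",)),   # still in service, not on the manifest
    Asset("A-1005", "SN-LAPTOP-05", ("SSD-777",)),   # on the manifest, vendor never logged it
]
MANIFEST = ["SN-LAPTOP-01", "SN-LAPTOP-02", "SN-DESKTOP-03", "SN-LAPTOP-05", "SN-PRINTER-09"]
CERTIFICATE = [
    ("SN-LAPTOP-01", "WD-111"),
    ("sn-laptop-01", " nvme-222"),    # vendor retyped it; norm() still matches
    ("SN-LAPTOP-02", "SSD-333"),
    ("SN-DESKTOP-03", "HDD-444"),     # HDD-555 from the same desktop is not listed
    ("SN-DESKTOP-03", "SSD-666"),     # belongs to a laptop that is still in service
    ("SN-LAPTOP-02", "XX-999"),       # serial we have never seen
]

if __name__ == "__main__":
    report = reconcile(INVENTORY, MANIFEST, CERTIFICATE)
    print("\n".join(summarize(report)))
    print("reconciled" if report.clean else "NOT reconciled: do not close the disposal ticket")
```

The design choice worth noting is that a drive certified under the wrong machine is reported separately rather than counted as destroyed or as missing: the physical drive may well have been shredded, but the record no longer proves which asset it came from, which is exactly the chain-of-custody question an auditor will ask.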
With employees, it means setting requirements upon hiring for the use of the equipment and checking regularly to ensure that no violations are occurring. It means training employees to understand that if they go outside of those policies (use a non-approved phone or computer) for company business, then the risk could be transferred to them. It means having a thorough IT Asset Destruction program, even when it seems cumbersome with employees working potentially all over a state. For example, when an employee quits, they are required to bring equipment to a specific location.
Remote workers should be trained to understand the concepts of control and custody. Leaving computers unlocked in the home is unacceptable. Traveling with a device and leaving it in a car is unacceptable. Policies and procedures that fully explain the do's and don'ts with equipment while it is in an employee's custody and control will go a long way in reducing the risk from lost and stolen devices. Policy alone does not recover a device left in a car, though; full-disk encryption, with the recovery key held by the company rather than on the device, is what turns a stolen laptop into a hardware loss instead of a data breach.
You are the employer, and you get to outline those policies.
The idea and term Zero-Trust can strike some as unfavorable, but in the end it is meant to protect not just the company but also the employees and the vendors who touch the equipment, whether working remotely or in-house. So, our rule of thumb is this: look at all access points and all equipment, and review your current policies. If something isn't spelled out, revisit it.
Adopt Zero-Trust for your understanding of your own policies, too: don't trust that something makes sense if you haven't asked around. Just because you understand it doesn't mean that Employee A does.
For more information, contact us today.