Security risks do not go away when you turn off the computer. Even if you think there is no sensitive data on a device or hard drive, are you willing to bet your business on that? To prevent severe financial, legal and reputational consequences, your business must protect your electronic devices when they come off the network.
Follow these tips to secure your business computer equipment and prepare it for disposal:
Implement an IT Disposal Plan:
When a device is decommissioned, it is important to clearly detail the management at every stage. All devices, including computers, cell phones, printers, fax machines, servers, USB storage and other backup storage devices should follow a clear disposal plan from the point of being unplugged through disposal. It is vital that employees are made aware of this policy to ensure they know what is expected of them. Identify who is responsible at each step to clear up any confusion and make sure equipment is clearly tracked between departments or hand-offs to prevent anything being lost, stolen or misplaced. Companies immediately lose chain of custody if one device goes missing, which could result in a public security breach or TV special about improper environmental disposal. A formal IT Disposal and Tracking Plan in your Security Policy will help you keep track of all corporate devices when they come offline.
Eliminate Access & Secure Equipment:
Even if a computer is broken, the data is still recoverable. To protect that data, it is crucial to eliminate access immediately and keep systems secure until disposal to prevent any employees from walking off with a device, either by accident, malicious intent, or innocently thinking it's not a big deal. Identify a secure area with limited access where all devices are stored immediately after they are taken offline.
Keep an Inventory:
To ensure no electronic device is lost before disposal, create a "chain of custody" inventory to eliminate any guessing games of where the equipment is. Track the physical location by date and person responsible for each step. For best practices, this should be part of an overall inventory for systems on the network as well to have transparency through the entire lifecycle, ensuring no device is overlooked.
Destroy the Data:
There are a few methods companies can use when destroying data, but if it is not done correctly, it can lead to a data breach. For example, if a hard drive is reformatted or repartitioned to "erase" data using software that cannot access all of the information, traces of encrypted data will remain. Physically destroying the device helps make the data more difficult to recover, but simply hammering or drilling a hard drive or solid state drive is not 100% effective. Unless a drive is shredded down to fragments too small to recover data from, forensics software can still retrieve information. Data should be destroyed in compliance with the current industry recognized destruction standard, the NIST 800-88r1 Guidelines for Media Sanitization.
Some companies choose to have their own employees complete the data destruction before devices leave their possession. Others choose to use a third party contractor specialized in on-site destruction to avoid time-consuming data wiping or labor intensive (and often noneffective) drilling, crushing or hammering. When it comes to data destruction, steps must not be missed and it must be done correctly. If your policy is so stringent that an outside company cannot be used, you should have a team within your organization that is specialized in the same skills and has access to the same equipment as an outside specialized vendor.
Dispose of the Equipment:
Before disposing of your business computers, be aware state or local legislation regarding how to properly handle the equipment. For example, in Sioux Falls, South Dakota, the city does not allow any business to landfill electronics. You should also be weary of anyone offering free recycling or will pay you to take it off your hands. Often times, brokers who offer money for all of your old equipment are not properly handling the equipment on the disposal side. They may strip out all of the valuable materials to make some fast cash, dumping any devices or parts that can't be resold. This is a problem.
As the original owner of the electronic devices, you are responsible for where it ends up. Using a certified IT Asset Disposal (ITAD) company is the best choice you can make for your company. When choosing an ITAD company, look for e-Stewards or R2 certifications, and consider conducting a site assessment. You should also draw up a contract with your chosen ITAD vendor and include a guarantee that they will dispose of all data securely and all equipment properly.
Keeping records of the decommissioning process is important to verify complete data destruction and proper recycling if you are ever challenged in an audit. Details should include categories, weights, counts and serial numbers or asset tags of equipment that has been processed, as well as the final disposition by date. A formal certificate of destruction and recycling is a standard report offered by ITAD companies to help you cover your bases. Additional reporting may be helpful to meet other inventory needs or corporate sustainability requirements.
Finally, Don't Wait!
Once your computer equipment is unplugged, the clock is ticking. Make it a priority to get the decommissioning process finished to ensure data security is not compromised and to make sure you don't lose out on resale potential, as the value of technology quickly decreases the longer you sit on a device. If you have old equipment still running that needs to be upgraded, this is also a cause for concern. Older systems on your network are more vulnerable to malware or other issues that can end up costing you in the end.
If your business is looking for help with your IT Asset Disposal planning or equipment refresh project, contact SEAM located in Sioux Falls, South Dakota. As the only R2 certified and e-Stewards certified electronics recycler and reseller in the region, we serve customers in South Dakota, Nebraska, Iowa and beyond. Contact us for a free IT decommissioning quote today!