Data security + IT asset disposition: Avoiding a costly breach

BrandPost By Arrow Electronics
Feb 20, 2018

Data security is a critical concern, yet many companies don’t have a thorough policy to properly destroy data at the end of the IT asset lifecycle. That gap is a lurking problem.

Last year, the average total cost of a data breach was $3.62 million – or $141 per lost or stolen record, according to Ponemon Institute. Many companies focus their concern on potential fines. However, the largest financial impact comes from the cost of cleaning up after a data breach and the loss of customer confidence that results in reduced revenue.

IDC forecasts that the global datasphere will grow ten-fold to 163 zettabytes (a zettabyte is a trillion gigabytes) by 2025. Our use of storage is growing exponentially, and the risks and potential financial losses are growing with it.

Data security is always among the highest priorities for any company. However, what happens to technology assets at the end of their life is rarely at the top of the list. Often customers’ specifications for large-scale refresh projects contain literally hundreds of pages of requirements around new equipment and then, at the very end, a single statement saying, “All legacy equipment being replaced must be disposed of in a secure and environmentally friendly manner.” At the other end of the scale are companies obsessed with data security that have very strict IT asset disposition (ITAD) policies. They demand services where the security level is appropriate for the handling of highly sensitive government data when, in reality, the data could at worst disclose information readily available on the internet.

There’s much to consider. Should data be destroyed at your own site, or is it OK to do it at the ITAD provider’s site? If you are shipping equipment, what level of logistics services do you need? Three considerations include:

  • Do you require asset scanning to enable full asset tracking?
  • Do you need to vet logistics staff?
  • Should vehicles be dedicated or shared?

Then there’s the question of which data destruction method to use. The methods differ in both the level of security they provide and their cost. Options include:

  • A single-pass or multiple-pass data wipe: drives can be reused and provide a residual value return
  • Degaussing: no ability to resell the drive and no visual indicator that it has worked, but a cheaper alternative to shredding when performed at customer sites
  • Crushing/drilling/pinning: low-cost options that show physical evidence that they have been performed. However, these methods destroy the residual value of the unit and the data is still present on the platters despite their not being able to spin up
  • On-site shredding: the most secure form of data destruction, but it is expensive and destroys any residual value

What’s important to understand is that one size does not fit all when it comes to IT disposal. What suits one company may not suit another, and there is a good chance that different business units within the same company will have different needs.

Some say that physically destroying hard drives at your own site is always the best option. For very highly sensitive data, it may be. But this isn’t always the case. On-site shredding guarantees security only if you watch every single hard drive go into the shredder yourself. And there are other pitfalls.

Since it can be expensive to shred hard drives at customer sites, companies often stockpile large numbers of drives to be shredded at once to cut costs. However, the longer you keep data around, the more chance there is of something getting lost or someone stealing it. It’s likely safer to choose an alternative data destruction method if it reduces the time the data remains on the drives.

The key to getting disposal right is to engage with the right people within your organization and externally. Your security team will always want the most secure option; your procurement team will always want the cheapest option that can generate the maximum residual value returns; your project management/service management team will want the most practical solution to deliver the most seamless end-user experience possible; and your external suppliers will have their own agenda and profit margins to worry about. The hardest part is balancing the different needs.
