Michael Rostad, information technology director at Sims Recycling Solutions (SRS) Global, explores six ways to ensure data security when decommissioning your facility.
Globally, we are producing more data than ever, with no signs of slowing down. As data storage continues to grow, so do data threats. Data threats can come from an insider, an outsider, a personal item, a cyber-attack or potentially from a physical device, making them difficult to control.
In the past 12 months, 46% of all UK businesses identified at least one cyber breach and the International Data Corporation (IDC) predicts a quarter of the global population will be affected by a data breach by 2020. But why care so much about data threats? Those who have suffered a data breach or cyber-attack have experienced the following:
Severe costs: Data breaches have cost the global industry more than $400 billion (£307 billion) annually. Costs may include loss of business, fines and penalties such as those that fall under the General Data Protection Regulation (GDPR). GDPR penalties can reach a maximum of €20 million (about £17 million) or four percent of global annual turnover, whichever is greater.
Loss of client trust: Especially if sensitive data is involved, data breaches may leave current and prospective clients feeling less confident in the security of the information being stored.
Where to start?
Keeping track of IT assets with some sort of IT asset inventory list is a great place to start. Ponemon Institute surveyed a group of risk professionals regarding their awareness of the physical devices in their environment that were connected to the internet. Results showed only 9% of survey respondents to be fully aware.
An IT asset inventory list can help data centre managers understand the use, disuse, connectivity and specifics of all assets. It is also recommended to consider various data scenarios to establish the appropriate level of protection. In general, it is good to understand:
- If the equipment contains data
- If that data is encrypted or protected by passwords.
When it comes time to remove these assets from their live environment, this list will help support a system to track which items are in need of data destruction. At that point, it is smart to follow these six practices to ensure a secure data centre decommissioning programme.
Don’t let items sit in storage
When removed from the live environment, physical security of retired data centre assets is often overlooked. Once replaced, items may end up being stored for a certain period of time. Stored data bearing assets can present risks and have the potential of being lost or stolen. This is where that inventory report can come into play and is important for tracking assets, even those sitting in storage.
Note: Stored items that are not assessed for resale opportunities will only lose value over time, which makes it harder for businesses to maximise the value of their devices.
Understand data destruction methods for different devices
Data centre managers need to be confident that all data is removed on retired IT assets. Some devices can only undergo certain procedures for data destruction to be successful. Here is a breakdown of the data destruction options for each device:
- Magnetic Drives: These drives can be either erased, degaussed, or physically destroyed via crushing or shredding.
- Solid State Drives (SSDs): These drives can be either erased or physically destroyed via shredding. Degaussing is ineffective for destroying data on solid state drives. Crushing methods used for magnetic drives are insufficient for solid state drives due to the need to ensure all chips within the SSD are destroyed.
- Tapes: These can be either degaussed or shredded.
Any data destruction services should be compliant with the HMG IA Standard No. 5 (and/or with NIST SP 800-88 Rev. 1). All services should be controlled with formalised Standard Operating Procedures (SOPs) and offer systematic handling of drives. This will ensure all hard drives are 100% overwritten, and that no hard drive is skipped in the process.
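The check below is an added example, not part of the original article: it reconciles an asset inventory against a vendor's destruction report, using the per-media methods listed above, to catch skipped drives and unsuitable methods. The field names, the `verified` flag and all sample records are assumptions constructed for illustration.

```python
# Added example; field names and all sample records are constructed.
# Destruction methods the article lists as effective for each media type.
ALLOWED = {
    "magnetic": {"erase", "degauss", "crush", "shred"},
    "ssd": {"erase", "shred"},  # degaussing and crushing are insufficient
    "tape": {"degauss", "shred"},
}

def reconcile(inventory, destruction_log):
    """Compare the asset inventory with the vendor's destruction records."""
    by_serial = {a["serial"]: a for a in inventory}
    findings = {"skipped": [], "wrong_method": [],
                "unverified": [], "unknown_serial": []}
    seen = set()
    for rec in destruction_log:
        asset = by_serial.get(rec["serial"])
        if asset is None:
            # Record for a device that was never in the inventory.
            findings["unknown_serial"].append(rec["serial"])
            continue
        seen.add(rec["serial"])
        if rec["method"] not in ALLOWED.get(asset["media"], set()):
            findings["wrong_method"].append(
                (rec["serial"], asset["media"], rec["method"]))
        elif rec["method"] == "erase" and not rec.get("verified", False):
            # Assumption: the report carries a per-drive verification flag.
            findings["unverified"].append(rec["serial"])
    # Data-bearing assets with no record at all were skipped in the process.
    findings["skipped"] = [a["serial"] for a in inventory
                           if a["contains_data"] and a["serial"] not in seen]
    return findings

INVENTORY = [  # constructed sample inventory
    {"serial": "HDD-001", "media": "magnetic", "contains_data": True},
    {"serial": "SSD-002", "media": "ssd", "contains_data": True},
    {"serial": "SSD-003", "media": "ssd", "contains_data": True},
    {"serial": "TAPE-004", "media": "tape", "contains_data": True},
    {"serial": "HDD-005", "media": "magnetic", "contains_data": True},
]
DESTRUCTION_LOG = [  # constructed sample vendor report
    {"serial": "HDD-001", "method": "degauss"},
    {"serial": "SSD-002", "method": "degauss"},
    {"serial": "SSD-003", "method": "erase", "verified": False},
    {"serial": "TAPE-004", "method": "shred"},
    {"serial": "HDD-999", "method": "shred"},
]

if __name__ == "__main__":
    for kind, items in reconcile(INVENTORY, DESTRUCTION_LOG).items():
        print(kind, items)
```
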
Consider where data destruction will take place
When decommissioning data bearing IT assets, a defined plan should be in place for how data will be managed and destroyed. Sometimes companies choose to destroy data while storage media are still in their custody. These on-site erasure and shredding services decrease the need for secure transport to an IT asset disposal facility and eliminate the risk associated with transporting data bearing assets.
If data bearing assets are transported to an IT asset disposal facility, it is common to use dedicated vehicles, security seals and GPS trackers. Once items arrive at an IT asset disposal facility, storage media can be wiped of data and assessed for reuse, and/or destroyed using a high-capacity hard drive shredder.
The entire hard drive is shredded into small pieces, making it impossible to reconstruct the media or data. Alternatively, the hard drives may be erased using commercial software. Erasing hard drives allows for safe reuse and can yield higher financial return.
Review security features
In September 2018, CargoNet recorded a 16% increase in electronics thefts, including two million-dollar cargo thefts of computers. Vehicle security should always be considered when transporting data bearing equipment. Some features might include vehicles that can be fitted with alarms and immobiliser systems. Vehicle crews should be able to have contact with control rooms at all times.
Enhanced security options to consider might also include:
- Point-to-point logistics
- Split loads across more than one vehicle
- Vehicles with CCTV recording on board
- Vehicles with slam locks that can only be controlled remotely
- Geo-fenced routes that if deviated from will cause an alert to the control room
- Sealed vehicles
- Backup vehicles in case of accident or breakdown
- GPS vehicle tracking
While it is important to ensure secure transportation of IT assets, it doesn’t just end there. Facility security at the IT asset disposal facility is also important. The security of the building should include features such as restricted access, 24/7 surveillance, on-site guards and metal detectors.
Understand the resale process
Most equipment will still hold some resale value, so refurbishing and remarketing services can be a great way to maximise your return-on-investment. At a time when the economic life of a device is ending, ITAD companies can help add market value to a device that has a book value of zero. This revenue could then become a budget to help fund more sustainable goals.
When reviewing an IT asset disposal company’s reuse process, understand how these items are resold, and if possible, visit the site to see the process in person. Often knowing and understanding the process, infrastructure and the extent of the vendor’s buyer network, will allow you to differentiate between different standards of operators.
Ensure responsible recycling
IT assets that are beyond economical repair (BER) should be recycled. Ensuring this final phase is performed responsibly and ethically is important as some recyclers have been caught cutting corners when recycling electronics. Illegal disposal of hazardous wastes and dumping e-waste into parts of the developing world continue to be problematic.
Choosing an industry-certified recycler is important to ensure your equipment is responsibly recycled, protect your company’s brand, ensure data security, and comply with regulatory requirements.
Image credit: Bryan Mills