MITIGATING RISK IN ASSET DISPOSITION AND RECYCLING
Look anywhere, and you'll see thousands of articles and guides about preventing attacks and protecting the assets in your existing network But what about the risks when these ATMs and IT assets are retired and leave your organization?
Regardless of its function, most devices manage data in some way, whether on a hard drive, flash drive, or memory card. While this is not a new concept to consider, the security for this device and dataset is often overlooked when it comes to the asset's disposal.
In fact, a report from Deloitte found 33 percent of IT executives admitted having little or no formal IT governance policies in place for the retirement of their assets. And another study, conducted by PwC in 2017 found only 53% of companies had a complete and proactive system (and data) management plan.
While many data breaches occur while these devices are in operation, there are multiple steps throughout the e-recycling process where, without adequate security protocols in place, these assets and their data can be at higher levels of risks.
Below are some common misconceptions and process gaps to be aware of to help secure your assets and their important information.
DECOMMISSIONED ELECTRONICS IN TRANSIT ARE MOST VULNERABLE
According to Tellerex President, James Kilkelly, "Electronics recyclers today have to consider the secure transportation of equipment to their facility, and then how to maintain this security once it arrives and is prepared for further processing".
A WARNING ABOUT DATA SANITIZATION CLAIMS
Despite the fact the terms are mistakenly used interchangeably, data sanitization does not mean formatting! Data sanitization is not the same process used to overwrite information on a hard drive.
The only way to ensure complete data sanitization is to completely remove sensitive data from IT assets before their destruction or resale. Unfortunately, the physical destruction of a hard drive, by either degaussing or shredding, is not infallible. With destruction, small portions of the hard drive may be left intact, and data recovery can still occur.
IN SOME CASES, DATA CAN BE RETRIEVED FROM SHREDDED HARD DRIVES
Believe it or not, if somebody wants to retrieve data from a shredded hard drive, they can attempt to rebuild the drive from the shredded pieces. While their success is unlikely, it is still possible with enough patience and the right set of tools.
For this reason, extra consideration should be taken when evaluating data destruction and IT asset disposal services. Steps for data destruction might include:
Erasing data (via degaussing) before the hard drive is shredded,
Witnessing the data removal and destruction processes, or
Reviewing security standards implemented and maintained by your recycler or data destruction partner.
Degaussing is an option for HDD devices, but only through the utilization of a high-quality degausser. If a company chooses this method, the organization must ensure that data sanitization is managed and adequately audited with a fully secure and visible chain of custody.
SELECTING THE WRONG ASSET DISPOSITION AND RECYCLING PARTNER
Far too often, many organizations will 'check the box' when they hear a potential IT Asset Disposition Partner (ITAD) say they 'wipe' the data. Simply put, it's not enough to "wipe" the hard drive of a PC, laptop, ATM, or other IT assets. Full and secure data sanitization is critical to prevent security breaches and data leaks.
ITADs and recyclers who build and maintain robust security policies to safeguard sensitive data will set themselves apart from their competitors. Providing certification of secure erasure proves to customers that they can trust this process (and their ITAD partner) and that wherever aged-equipment ultimately ends up – destroyed, recycled, or reused – sensitive data will not be compromised or sold on the black market.
NOT FOLLOWING A ROBUST (AND AUDITABLE) PROCESS
When working with a legitimate recycler, there should be an auditable procedure in place to dismantle devices, separate their components (including removal of any hazardous waste), and shred the materials into different materials.
Once shredded, the material should be separated again, with commodities of value sent to downstream recyclers and refineries for reuse. These refined commodities are then usually made into new products by manufacturers.
There have been occurrences, however, in which these steps have not been taken, and devices end up dumped in developing countries. When this happens, it not only becomes an environmental disaster, but leaves you at risk of data exposure and a PR nightmare
FIND THE RIGHT E-WASTE RECYCLING PARTNER
The best media and IT asset disposition programs should go beyond the simple destruction of devices that are no longer needed. These processes should also address, and go to great lengths to mitigate, the impact on the environment.
It's essential to work with an IT asset disposition partner who makes security and the environment top priorities. Be sure to ask potential providers the following about their environmental practices:
Will you destroy the data on our assets before recycling?
Can you de-manufacture our e-waste into parts and properly recycle these pieces?
Are you able to confirm that the e-waste will never be exported, incinerated, or sent to a landfill?
Do the same security and chain-of-custody measures employed during the IT asset destruction process extend to e-waste recycling?
Does your recycling program comply with the e-Stewards or other industry-leading standards?
Asset disposition and recycling is often viewed from an environmental perspective as preserving resources and minimizing waste, but these services can provide much more value than that.
But the risks associated with these processes should be taken seriously, and consideration is given to all aspects of security to ensure your company's data, brand, and liability remains protected.
If you'd like to learn more, subscribe to our blog or check out our Deep Dive Series on Asset Security and Risk Mitigation. We’ll keep these sources regularly updated with tips and information to help you get the most out of your ATMs.
Want to stay up-to-date? Complete the form below to subscribe to our mailing list and have our latest thinking delivered right to your mailbox every week.
Tellerex is committed to leveraging our knowledge and experience to reduce ATM expenses and accelerate their contribution to your bottom line. To learn more about our solutions, contact us by e-mail or visit us online.