Hardware disposal a blind spot for data security

Most companies assume that when they get rid of old IT equipment, it’s destroyed. But in fact, there is a very active global marketplace for used IT equipment and it’s often sold, which puts the data on these devices and the organisations which previously owned them at risk.
4 August 2021 by Jean Boyd

“It’s very much an overlooked area and it’s very open to the potential for data breaches,” says Shane Mulholland, founder and executive director of Greenbox, which disposes of end-of-use IT equipment.

The biggest problem organisations have when they dispose of IT hardware – anything from computers, printers and networking equipment to phones and tablets – is that all of this equipment holds residual data or configuration information. For instance, printers often have hard drives which contain the information the user has printed, some of which could represent a security threat.

It represents a huge gap in many organisations’ IT security strategies.

“A lot of organisations are spending a lot of time, a lot of focus on protecting their on-network devices, protecting their networks from intrusion but they actually have very little in place to manage the end-of-use equipment,” Mulholland says.

Additionally, government and enterprise users are unlikely to be aware that a data breach has occurred once they have decommissioned a piece of equipment.

It’s because of this that end-of-use equipment is such a blind spot for so many organisations. Companies and governments like to deal with known and quantifiable risks and because information about off-network breaches is so limited, these risks tend to be overlooked.

“We see from many customers, even very sophisticated customers, that they rarely have policy in place as to how end-of-use equipment should be managed,” Mulholland says. “They will have environmental and data security policy but it’s often not specific in terms of end-of-use, and that is quite problematic.”

Additionally, the disposal of equipment doesn’t usually attract the attention of senior managers and is usually left to more junior staff.

It’s a risk because of what Mulholland describes as a very active international marketplace for the old equipment.

Known as an ITAD, short for IT Asset Disposition, Greenbox was founded in 2000 after Mulholland saw there weren’t any companies in Australia taking care of end-of-life equipment in an appropriate manner. Along with removing and disposing of old IT assets, it also installs new equipment at the same time.

Greenbox says it leaves no trace of a client’s data on their equipment, employing first-rate destructive tools that wipe everything to “military-grade security standards”.

In fact, one of its clients is the Department of Defence.

The company has just completed a 15-month project for Defence, sanitising and recycling 110,000 mobile and desktop computers, and processing another 90,000 devices – including monitors, printers and servers. “Each item is being wiped to standards that meet the DoD’s stringent cyber-security requirements,” the company says.

Mulholland says a lot of ITADs don’t actually do what they promise to do once the piece of IT equipment has left their client’s premises, so it’s important that ITADs are certified.

Greenbox provides individual data security certificates per device to show that the equipment has been sanitised.

It also has multiple International Standards Organisations credentials, for quality management, security, safety and the environment.

The company also has R2 certification, short for Responsible Recycling. This is a global standard specific to the electronic reuse and recycling industry. It ensures that all electronic products are repurposed responsibly, and promotes resource preservation, environmental wellbeing, and the health and safety of workers and communities.

This is important because there is a significant amount of equipment that doesn’t have any resale value and so has to be disposed of.

“E-Waste is one of the largest growing waste streams in the world,” Mulholland says.

“There are huge environmental problems over the world caused by electronic waste dumping and it’s a very grey world in terms of trading and smuggling of the waste and then ending up partly in places where it shouldn’t end up.”

Along with mitigating the risk of data breach and environmental damage, a good ITAD program can also bring financial benefits, because organisations can receive a rebate for the residual financial value of the equipment they are disposing of.

But importantly, there needs to be a balance between the financial upside of the sale of the goods and the quality of the risk management-related services being offered.

“When you’ve got a junior management layer making those decisions, quite often they’ll default to making the financial choice,” Mulholland says.

“So it’s really important that companies have the right policy settings in place around this to clearly define what their objective is and what they expect in their organisation to get the right balance between that financial upside and the risk management.”

Responsible recycling … Shane Mulholland from Greenbox. Supplied.