In light of the recent Equifax data breach, many IT managers and compliance specialists are putting their data security standards and procedures under the microscope. They may be asking:
- Where does the data trail end?
- Am I liable for the equipment housing my data after I’ve retired it?
- How important is ITAD in data security?
Data breaches are costly. Preventing data leaks and following data destruction best practices are paramount. If IT professionals are not securely and responsibly disposing of assets, they’re ignoring the final stage of the IT asset lifecycle and potentially hurting their bottom line.
An expensive mistake – from both a financial and reputation perspective
A good reputation is hard to establish and can be even harder to protect. If your company’s name is tarnished by a data breach, not only do you have to go into damage control to rebuild your reputation, there’s also a very real financial cost.
Since the dawn of the new millennium, over five billion users have been affected by data breaches. The average cost of a data breach is now almost $4 million, which represents an average of 25,575 records at an average cost of $150 per record. According to the HIPAA Journal, the healthcare industry feels the sting of a breach even more, at a cost of $429 per record.
Beyond security patches and shredding: IT asset disposition
When your gear reaches its end-of-life or end-of-service, it needs to be retired or decommissioned responsibly. Servers and hard drives can store bits of data that still contain sensitive user information subject to your industry’s or general compliance standards. So data security and compliance do not end with real-time security, end-user training, patches, shredding, and backups; they extend to the final disposal of assets.
IT asset disposition (ITAD) can be complex. The guidelines for data destruction include NIST 800-88, PCI DSS, and ISO 27001, three security standards that dictate how digital media (such as hard drives) is destroyed when no longer in use. IT managers are ultimately responsible for choosing how to dispose of their organization’s data, and for defining and implementing the processes to do so.
Two major decisions for data destruction are:
- Classifying information based on value, legal requirements, sensitivity and organizational need
- Finding the best data destruction process based on the value of the information (and your IT assets!) to the company and its stakeholders
Finding peace of mind – and money – in ITAD
IT asset disposition (ITAD) should always be viewed through the lens of data security first. But importantly, it should be recognized as a way to enhance your IT budget. Just as ITAD is a critical prong in your data breach prevention strategy, IT asset value recovery should be an important consideration in your budget management process.
Here are 4 things to look for in an ITAD partner
- Certification – Find a vendor who is certified to destroy data, preferably through the National Association of Information Destruction (NAID)
- Competitive bidding – Seek out organizations that have deep connections within the IT industry so that they can offer accurate valuations on your equipment
- Compliance – Ensure that your vendor understands your industry’s compliance requirements and can provide you the necessary documentation upon job completion
- Responsible disposal – Any and all waste or scrap should be properly disposed of, not exported or placed in a landfill
Ultimately, a solid understanding of ITAD will help IT asset managers:
- Ensure data security
- Protect brand reputation
- Be better environmental citizens
- Improve return on investment
- Positively impact bottom line