Happy new year! For many, that means knuckling down to finalize new budgets for the upcoming year. Every department has its own budget to cover new hires, technology upgrades, replacements and other expenses. Same old, same old.
Where is the line item for data destruction?
For many companies, it’s assumed to be under the IT department’s purview. They’re rolling out the newest technology for employees and company data storage, improved firewalls and cybersecurity for front-end data protection. It’s their job, right?
As the new rolls in, what is happening to the old stuff? End-of-life or end-of-contract computers, servers, copiers (see the complete list here) get packed into boxes for return, storage or the dumpster without a thought to the cybersecurity risk that is still inside.
Fact: You’re diligent about protecting the front line but the rear is under secret attack.
As you budget, ask yourself hard questions
- Are we moving a data center or migrating to the cloud? What’s the data migration for equipment and the destruction plan for the data on those servers?
- It’s time for a laptop refresh. Hurrah, new computers for the sales team and marketing. And HR. Don’t forget accounting. What’s the data destruction plan for those computers being returned to your VAR or ITAD? Do the hard drives need to be returned with the device (erasure) or can you destroy the data to protect your company and clients (shred or degaussing)? Whose budget – the individual department or somewhere else?
- You’re an enterprise company. You have a 5-year accumulation of hard drives at 5 different sites across the US. Where’s the money coming from to destroy the data and deal with that problem?
- COVID (and other factors) are closing or consolidating offices. Is the money for data destruction, storage and replacement coming from your real estate budget, IT or “somewhere else” (as in we’ll figure it out later)?
- Work-from-home employees have computers loaded with who knows what. How are you taking care of remote erasure before their computer gets shipped back to you or to the ITAD/VAR? (Hint: there are programs for that too.)
While organizations willingly spend to protect their active data from getting into the wrong hands, they often forget (or ignore) the disposal of inactive or old data. Removing all traces of old data is important for saving your clients (and your company) from exploitation opportunities while building a defense around your company – including your dumpsters and vendors.
Wondering if this is a real threat (or hype)?
Read this great article from Malwarebytes, a leading cybersecurity software company that states:
Matt Malone is a dumpster diver who confirms that many hacks and identity thefts occur when people go through someone’s trash. Malone often targets the dumpsters of retailers and said that off-hours activity made more money for him than his day job.
Also, a tech company called Stellar performed a residual data study in 2019 that analyzed the information left on 311 devices. It found that more than 71 percent of them contained personally identifiable information (PII). Additionally, 222 of the devices went to the secondary market without their original owners conducting the appropriate information-erasing procedures first.
An earlier study from the National Association for Information Destruction revealed that 40 percent of devices received secondhand had PII on them. Researchers looked at more than 250 items for the study.
Furthermore, research published in 2015 highlighted the need to work with reputable data destruction companies that stand behind their results. The study examined 122 used devices bought from e-commerce sites. In addition to 48 percent of the hard drives containing residual data, 35 percent of the mobile phones had information such as call and text logs, images, and videos.
Even worse, previous deletion attempts occurred on most of the devices— 75 percent of the hard drives and 57 percent of the mobile phones. A closer look told the researchers that people tried to delete the information with widely available but unreliable data destruction methods. A lesson learned here is that it’s crucial to weigh the pros and cons of each option before tasking a reliable company with discarding the information.
The cost of not budgeting at all
Whose budget covers the cost of an audit, brand backpedal and customer loss in the case of a data breach?
Everyone’s. The cost to find and fix internally, notify, reassure and retain customers is astronomical. (Just ask these guys.)
Bottom line, data destruction and ITAD services should not be overlooked (or avoided) but usually are.
- It’s part of your overall cybersecurity plan.
- It should be part of your refresh plan.
- It can be included as a line item by your VAR or ITAD.
- It should be consistent for every office location.
- It can be customized to your company to meet regulatory and industry standards.
Get some data destruction budgetary help
Talk to your VAR, ITAD and office equipment vendors now about how to include data destruction into your annual spreadsheets or their contracts.
Talk to accounting to see what budget the cost of these services falls under.
Talk to your legal department to understand the requirements for your industry and geographic location.
Talk to Guardian. Using a NAID AAA certified data destruction company for a range of services from a USB drive to a copier to a server cage is the one way you can prevent costly security breaches and, by thinking ahead, ensure that a budget gap doesn’t create the problem.