Strategies for organizations to balance data and hardware security needs

Best practice

Strategies for organizations to balance data and hardware security needs

By Chris Greene, Vice President of Strategy and Solutions for Iron Mountain‘s Asset Lifecycle Management (ALM) business

Three years have passed since the start of the pandemic and many people’s working lives have not been the same since. Although many organizations re-opened their offices, allowing staff to work in-situ either full-time or on a hybrid basis, many workers never returned to physical offices. Some found that working remotely worked perfectly for them and their employer, provided they had the right technology to support their needs and support their productivity. 

The working world altered unrecognizably overnight, but the responsibilities organizations have to ensure that their sensitive records, confidential information and data is protected have not changed. The boom in remote work has only increased, not lessened the associated risks organizations, and specifically IT departments, face. Despite this, many organizations continue to manage their IT assets, such as laptops and peripheral devices, in several non-secure ways, or indeed, lose track of them all together. This improper IT asset management can have dire consequences – if sensitive information gets into the wrong hands, it can lead to financial loss, IP theft, and irretrievable damage to an organization’s reputation.

The challenge of keeping track of physical assets

Several years on since the scramble to deploy IT equipment to employees to facilitate remote working, even the most sophisticated organizations have struggled to accurately track and recover these remote devices quickly, safely and efficiently at scale. Some assets may be approaching their end-of-life period, but there is also a strong business imperative for securely recovering workplace technology items from remote work locations. For example, to facilitate technology refreshes and maintenance, servicing, repair, redeployment, lease return and employee offboarding use cases. 

A recent study by Foundry and Iron Mountain found that remote work poses multiple challenges for organizations when it comes to tracking their IT devices. 45% of IT leaders reported concerns about managing and tracking IT assets throughout their life cycles and 41% stated remote worker’s devices were increasingly falling outside of their control. This is often caused by IT departments lacking accurate and up to date inventory information, which makes understanding the ownership and tracking the location of IT devices (e.g., laptops) extremely challenging. This is often exacerbated by increases in the volume of returned devices due to high staff turnover and a lack of processes and protocols supporting the secure and prompt retrieval of IT equipment.

These concerns also went a step further, with more than 40% of IT leaders reporting that no formal IT Asset Disposition (ITAD) strategy exists within their organization to manage the secure decommissioning of these assets when they come to the end of their lifecycle. In fact, many organizations do not consider the secure disposition of assets a business priority, unaware of its level of significance compared to other data security risks. Insecure disposal methods are shockingly common, with 56% of respondents admitting to frequently or occasionally disposing of assets in the trash, 79% to storing obsolete assets on-premises and 58% to storing obsolete technology off-premises. Only 24% of those surveyed confirmed they physically destroy assets on a frequent basis, yet there is no telling whether this is achieved to the industry best practice standards. 

Without a workplace IT Asset Management (ITAM) strategy in place, many of these “covid-era” assets are at risk of dropping out of the system, they are unknown, not visible, presenting both significant security and data privacy risks as well as cost implications, if not brought swiftly back under corporate control and active management.

In the digital world, do not overlook the risks hidden in hardware 

Hardware asset management is an important piece of data security risk management – and it is often overlooked by organizations focused too heavily on prioritizing their cybersecurity defences and managing the risk of digital data breaches. But poor management of hardware assets can also expose sensitive corporate data and lead to costly penalties. According to IBM, the cost of experiencing a data breach increased by 13% between 2020 and 2022, with the average now reaching $4.35 million globally ($9.9 million in the US). Recently, a financial services institution was fined $35m for its improper disposal of hard drives. 

Shipping hardware, such as laptops and peripheral devices,  with recoverable data insecurely exposes organizations to an increased risk of data breaches, while an ineffective data sanitization process makes in-transit data breaches more likely. Therefore, not only must IT asset managers ensure they have visibility and can manage their remote devices, but that data is protected during the life cycle of the asset.  This includes having a trackable chain of custody when deploying hardware all the way through the end of life and disposition process which ensures data destruction on data bearing devices. Bad actors can salvage old hard drives from landfill or purchase recycled IT equipment with the intention of recovering data on assets that have not been appropriately wiped. Wiping can only be achieved reliably with the use of NIST 800-88 compliant and ADISA certified data wiping software, such as Teraware, which leaves nothing to chance. Any reputable contractor disposing of assets on behalf of an organization should supply auditing reports that verify complete data erasure and proof of the responsible physical destruction. 

Keeping an eye on the e-waste threat

While many IT assets can of course last much longer, some equipment deployed to employees at the start of lockdown, especially that which is insecure or underperforming, will have a lifespan of three to five years and will soon need to be replaced. Not only is this expensive for organizations to maintain, but the impact on the wider environment from an ongoing churn of hardware typically composed of plastics and metals being sent to landfill cannot be overstated. E-waste is the world’s fastest growing waste stream, with the UN e-waste coalition and PACE estimating the annual value of global e-waste at over $62.5 billion. 

As the pressure builds for organizations to set and meet ambitious sustainability targets, ITAD can help to reduce the environmental and financial impacts of workplace digital transformation by ensuring that rather than being thrown away, each asset is redeployed, recycled, or remarketed to recover a proportion of its original value. If recycling is not possible, the asset must be physically destroyed beyond recovery.

Workplace ITAM key to an organization’s data security

Workplace ITAM is core to any data security framework in the digital age and it is an element that no business can afford to be careless with considering the damaging impact of financial and reputational penalties should a breach occur. Of course, faced with a remote workforce, recruitment challenges and an ever-increasing number of IT assets to oversee, it is no wonder IT teams are overwhelmed and struggling under the pressure. 

Enabling the continuation of remote work as the modern workplace transforms post-pandemic has improved people’s lives immeasurably in many cases. But in others, it has fast-tracked existing resourcing challenges that, if left unresolved, could spell disaster for an organization in the event of a data breach. With many IT leaders fully aware of the risks they are running by failing to implement a workplace IT asset management strategy, looking for ways to leverage the security expertise of specialist hardware ITAM providers is the right step on the road to taking back control of their assets. 

Can’t find what you’re looking for?