Everyone within an organization should take cybersecurity seriously, regardless of the position they hold in the company. Why? Experts believe that data breaches will grow into an even bigger problem in the near future. The cost of handling these breaches is also growing—in fact, it was estimated that the average cost of a data breach is approximately $194 per compromised record.
Data breaches can occur at any time, but many of them occur during the disposal of unwanted or obsolete IT assets, which is why it’s so important for businesses to have an IT asset disposition (ITAD) plan in place. Unfortunately, a lot of CEOs are not involved with the process of creating and implementing an ITAD plan. When not everyone in the organization is involved, especially those at the top, the ITAD plan will be much less effective. CEOs who are actively involved with preventing data breaches during the disposal of IT assets should be able to answer these five questions:
How does the company keep track of IT assets?
Every business should keep track of every IT asset from the moment it is acquired to the time it is disposed of. However, many businesses fail to do so. Without an inventory, it’s impossible to know whether or not all of the IT assets are being adequately protected.
For example, a business without an updated IT asset inventory will not know which assets have already been sent to an e-waste recycler for disposal. If you don’t have this information, there’s no way to ensure that the data on these assets is being properly destroyed. CEOs who are committed to protecting their company’s sensitive data should be familiar with the inventory management system used to track IT assets.
How often is the current ITAD plan reviewed and adjusted?
No ITAD plan is perfect. Even if a company’s ITAD plan makes sense now, it may need to be adjusted in the future if the business’s needs change. For this reason, it’s recommended that companies make an effort to review and adjust their ITAD plans on a regular basis.
If a CEO doesn’t know how often an ITAD plan is being reviewed and adjusted, it’s probably not happening, which means no one is reviewing the plan to identify potential problems or areas that need to be improved upon. For example, if an e-waste recycler contracted to dispose of IT assets for a company has recently lost its certification, it’s best for the company to find another e-waste recycler. But if no one is reviewing the plan to look for ways to improve, this issue will go unnoticed. The data being handled by the e-waste recycler could be breached as a result of the company’s failure to review its policies periodically.
How is the data destroyed on devices that are no longer needed?
There are many different ways to get rid of data on old IT devices, but only a few acceptable ways to actually destroy the data. If the IT department or a third-party vendor is simply erasing the data off of the devices, this means the data could possibly be recreated or read by an unauthorized user.
Reliable third-party vendors use other methods to destroy the data on old devices so it can no longer be accessed. Vendors should follow the data destruction standards established by the Department of Defense or the National Institute of Standards and Technology (NIST) to ensure the data is completely destroyed. CEOs should make an effort to meet with their vendor to learn more about the data destruction process so they know how their company’s sensitive data is being protected at all times.
What laws does the business need to comply with when destroying data?
Some businesses must create ITAD plans that comply with certain regulations. If they fail to do so, the company could face steep fines, which is why the CEO should know which laws apply to their business.
For example, businesses in the financial industry must comply with the Gramm-Leach-Bliley (GLB) Act. The GLB Act requires financial businesses to get their board of directors involved with the process of securing sensitive data. Businesses in this industry must also commit to testing their data security plans regularly to identify weaknesses.
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare companies to follow specific rules when creating an ITAD plan. These companies handle incredibly sensitive information—their customers’ health data—so their ITAD plan must meet certain data destruction requirements.
If CEOs aren’t familiar with the laws that apply to their business, they may be surprised when a federal agency fines them thousands of dollars for failing to comply with a regulation.
Who is responsible for overseeing the ITAD process?
Finally, CEOs should know the key players responsible for overseeing the ITAD process. Why? If a data breach does occur during the disposal of IT assets, the CEO needs to know who to contact first. This way, CEOs do not need to waste time trying to figure out who to get in touch with about the breach. Businesses need to take control of the situation and release information to the public as soon as possible after a data breach, so every minute counts. There are probably multiple employees involved in the ITAD process, but CEOs should know who oversees the entire operation.
Choosing a reliable third-party e-waste recycler is the first step to putting an ITAD plan in place. When you work with ERI, you can rest easy knowing that the data on all of your devices will be completely destroyed. For more information on recycling your electronics, or to request a quote for your company, contact us today.