GUEST OPINION: The sudden surge in home and remote working precipitated by the COVID-19 pandemic revealed the inadequacy of many employees’ portable and home IT equipment for meeting the demands of corporate computing. Much of it was old and running outdated software applications that presented security risks.
As a result many organisations, and many individuals, invested in new hardware and up-to-date remote access technologies with strong security. IDC reported a 13% increase in PC shipments across the world in 2020. Some organizations also upgraded hardware and software in their data centers because they were not set up to cope with large numbers of remote workers accessing online resources.
When organizations buy large numbers of new PCs, and other devices, they must dispose of large numbers of old units. If disposal is not properly managed these can cause significant environmental problems, but organizations face another disposal challenge that can cause them significant damage: they must ensure no obsolete machines sent to a third party for disposal contain sensitive data that can be harvested before its host machine is recycled or turned into landfill.
If organizations fail to manage disposal properly, intellectual property, employee information, customer information, passwords and more could end up being used to mount a cyber attack or find its way into the hands of a competitor.
It is unreasonable to expect the employee to whom a device as assigned to have the expertise needed to ensure all data is erased. Furthermore many industries have regulatory requirements governing the disposal of computers containing personal or corporate data, and these rules must be followed to the letter.
There are specialist organizations providing secure IT asset disposal services. Managed service providers (MSPs) may also offer secure disposal, and sometimes the equipment providers will offer secure disposal as part of their warranty or exchange programs.
Regardless of who an organization chooses to take responsibility for secure hardware disposal, it is important for their MSP to be involved, because ensuring the security of customer data is general a key part of the MSP’s role.
However, depending on the number of devices and the rates at which they are refreshed, the MSP may not have the capacity to directly undertake data erasure for all end-of-life devices, but they can maintain oversight of these operations by helping their client select a specialist provider of secure disposal services and overseeing the provider’s performance. It is important MSPs do this, because they bear some responsibility for any consequences of incomplete data destruction.
Also, by providing fulfilment or oversight of secure disposal in addition to their normal services, the MSP will have a cradle-to-gave responsibility for systems and applications, strengthening their relationship with the client.
However, despite these arguments, some MSPs remain ambivalent about providing secure disposal of IT assets. So here’s a summary of the reasons they should do so.
• Ensuring security of client data is a core service for MSPs. Not taking responsibility for what can be, potentially, a risk to that client represents a significant omission. And if the source of the leak cannot be attributed to an old device the MSP might be held responsible.
• The MSP should ideally take responsibility for determining when hardware reaches end-of-life. This will generally depend on application demands. Proper management will ensure equipment is refreshed before its performance is compromised by application advancements and will result in a more predictable and manageable update process. In many organizations the lack of clear asset lifecycle management, and the complications of the process, result in hardware assets remaining in service well beyond their optimal use-by date, and adversely affecting business operations.
• Customers, from corporations to consumers, are increasingly concerned about the environment, and well aware of the environmental impacts of e-waste. By ensuring proper disposal of obsolete hardware MSPs can enhance both their own environmental credentials and those of their clients.
• Much IT equipment deemed obsolete by enterprises is still fit for other purposes and is especially sought after because of of-induced component shortages that have restricted availability of new products. MSPs can earn revenue by playing the role of intermediary between their clients and this aftermarket.
• There are many cash-strapped individuals and organizations for whom an obsolete corporate computer would be more than fit-for purpose: schools, low-income families, people in developing countries. Any MSP facilitating the provision of devices to these needy users would gain kudos for their community service, and possibly enjoy a tax break.
In summary, an MSP providing IT asset disposal services is a win-win outcome. The MSP ‘closes the loop’ on their responsibility for securing client data. At the same time, an avenue for client data leaks is eliminated. The MSP creates a potential new revenue stream. While others may benefit from useable equipment at low or zero cost, the MSP and their client’s environmental credentials are boosted.