Five ITAD Mistakes Not to Make


Organizations constantly replace outdated computers and countless electronic devices to keep up with technology and enhance worker productivity. This rush to upgrade, however, creates a challenge: large numbers of excess electronics must be managed and disposed of properly.

IT asset disposition (ITAD) requires numerous complex activities: transportation, equipment testing, data destruction, remarketing, de-manufacturing, recycling, and reporting. Activities not outsourced to trusted vendors are too often performed by employees who are given little or no guidance from senior management.

When an organization fails to maintain proper oversight, mistakes happen. Outsourcing can increase risks and leave organizations with a false sense of security.

Here are the five common mistakes organizations most often make:

  1. No agreed-upon definition of success
  2. Not following a plan
  3. Trusting too much
  4. Not using disposal tags
  5. Not having contingency plans

Organizations are unwittingly committing critical mistakes that undermine their well-intentioned ITAD efforts today. Here is how to avoid common mistakes others make.

Defining Success

Find anyone involved with corporate ITAD and ask them to define success. Chances are you will hear a response such as ‘it depends,’ ‘we make sure there are no issues,’ or ‘what do you mean?’

As with most endeavors, problems arise when there is no clear definition of success or when team members have different definitions of success.

Organizations that formally define success still have problems when individuals are allowed to redefine success based on actual outcomes — retrofitting how success is defined to match the circumstances.

Success should not be subjective. Rather, it should be defined upfront using SMART criteria (i.e., specific, measurable, assignable, realistic, and time-related).

Naturally, definitions of success for ITAD may differ slightly for your organization because every organization has unique priorities. While each organization is unique, two goals are universal for every ITAD program: chain-of-custody and data destruction.

It is beyond the scope of this paper to outline the exact best definition of ITAD success. It should be noted that it is problematic when individuals or business units interpret vague policies or determine the best course of action without adequate oversight.

Organizations are advised to gain alignment regarding how to account for every retired asset and how to prove no data is accessible in order to ensure there is a clear, agreed-upon definition of success.

Following a Plan

Once the definition of success is clear, an organization must follow a consistent process to achieve success. Having an inconsistent process is the same as not having a process.

Inconsistent processes ultimately lead to inefficiencies and errors. Success demands process discipline. Individuals and business units should not be allowed to wing it. By plan, we are not referring to vendor selection. Of course, vendors may vary by business or region. However, the fundamental processes by which ITAD is managed must be consistent.

When someone is permitted to deviate from the plan, nonconformities can become excuses for not achieving success. It is challenging to determine whether a problem resulted from someone not following the plan or from the (bad) plan itself.

An exact best plan depends on how an organization defines success. We often receive questions about how encryption and onsite data destruction fit into ITAD strategies. Outlining an exact best plan is beyond the scope of this paper. That being said, all effective plans ensure legal compliance.

Data security laws mandate that organizations implement “adequate safeguards” of three types: technical, physical, and administrative. Regulations also require organizations to minimize conflicts involving segregation of duties. In other words, organizations must implement reasonable measures and actively eliminate opportunities for theft and fraud.

Never Trust. Always Verify.

Organizations too often trust employees to work directly with ITAD vendors. Unfortunately, trusting without adequate safeguards does not meet the basic, but critical, requirement of segregation of duties. Moreover, trust exposes organizations to employee theft and vendor fraud.

Sadly, a huge incentive motivates ITAD vendors and employees to hide losses. Naturally, employees and vendors tend to report self-serving interpretations, especially when facts could make them look bad.

Without proper controls and independent verification, management receives heavily distorted information. Only a careful, objective examination of tracking data can confirm chain-of-custody or reveal potential liability. Executives need to be skeptical about ITAD reporting.

There are two basic types of safeguards: preventative and detective. Detective controls are intended to find problems within an organization’s processes. Even when an organization implements adequate safeguards, it is important to test them regularly, especially detective controls.

The US Navy tests detective controls when it practices man-overboard (MOB) drills. When a ship’s MOB alarm rings, every sailor must report to a designated muster station. There is no acceptable reason not to assemble, and failing to report in a timely fashion results in harsh discipline.

On large ships, group leaders are tempted to ‘cover’ for a colleague running a little behind. As the sailors rush to muster stations, officers occasionally apprehend an individual sailor, preventing them from mustering on time. These apprehended sailors are deemed MOBs. The entire chain of command may be reprimanded when a MOB is falsely reported at a muster station.

Detailing every safeguard required to satisfy compliance requirements is beyond the scope of this paper. Running ‘man-overboard’ drills on retired computers during ITAD projects is a wise precaution. Applying proven incident-response procedures will also help raise awareness of vulnerabilities.

The US Navy takes safeguards and reporting very seriously because conflicts of interest exist. Acknowledging conflicts of interest with ITAD is the first step towards creating effective policies and adequate safeguards.

Tag it. Track it.

An unbroken chain of custody is necessary to indemnify an organization from the downstream risks associated with ITAD. Typically, this chain of custody is established by manually matching manufacturer serial numbers captured on vendor inventory. Sounds easy, right? Think again.

In a multi-year study of tracking data, only 47% of serial numbers captured could be matched successfully. In other words, relying solely on serial numbers to achieve chain-of-custody gives you a 50/50 chance of success.

Disposal tags are a far better way to track assets than serial numbers. Instead of a 50/50 chance, disposal tags increase the odds of tracking to 99%. There is a reason airlines tag luggage and furniture movers tag boxes; it works.

Using tags with ITAD has an added benefit: disposal tags deter theft. Employee theft is the number one risk associated with ITAD. Employees are less likely to steal an asset they know will be missed.

Chain-of-custody is not a catchphrase in a court of law; chain-of-custody evidence is the foundation for indemnification and transfer of liability. Relying solely on serial numbers is silly. Adding a tag improves trackability – two identifiers are better than one.

Tags are simple, easy, and highly effective. You can instantly add tags to an existing process. Tags work with any vendor, any size project, anywhere. They are a perfect way to prevent problems, save time, and save money.
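One way to run the reconciliation described in this section, combined with the ‘man-overboard’ drill from the previous one, is sketched below. It is an added example, not part of the original article: the field names, the `DT-` tag format, and all sample rows are constructed assumptions. Each retired asset is matched by disposal tag first and by normalized serial number second, and any asset deliberately withheld from the shipment that the vendor still reports as received is flagged.

```python
import re

def norm(value):
    """Uppercase and drop everything except letters and digits ('' for None)."""
    return re.sub(r"[^A-Z0-9]", "", (value or "").upper())

def reconcile(register, vendor_rows, withheld=()):
    """Match each registered asset to the vendor report: tag first, then serial."""
    by_tag = {norm(r.get("tag")) for r in vendor_rows if r.get("tag")}
    by_serial = {norm(r.get("serial")) for r in vendor_rows if r.get("serial")}
    held = {norm(t) for t in withheld}  # drill assets never handed to the vendor
    result = {"tag": [], "serial": [], "unmatched": [],
              "false_report": [], "drill_ok": []}
    for asset in register:
        tag, serial = norm(asset["tag"]), norm(asset["serial"])
        how = "tag" if tag in by_tag else "serial" if serial in by_serial else None
        if tag in held:
            # A withheld asset must NOT appear on the vendor's inventory.
            result["false_report" if how else "drill_ok"].append(asset["tag"])
        elif how:
            result[how].append(asset["tag"])
        else:
            result["unmatched"].append(asset["tag"])  # chain of custody is broken
    return result

# Constructed sample data (not from the article).
REGISTER = [
    {"tag": "DT-0001", "serial": "5CG1234ABC"},
    {"tag": "DT-0002", "serial": "PF2X0Y9Z"},
    {"tag": "DT-0003", "serial": "C02ZQ1ABMD6R"},
    {"tag": "DT-0004", "serial": "R90TLK77"},
    {"tag": "DT-0005", "serial": "MXL0123456"},
]
VENDOR = [
    {"tag": "DT-0001", "serial": "5CG1234ABC"},
    {"tag": "dt-0002", "serial": "PF2XOY9Z"},    # serial mistyped, tag still matches
    {"tag": None, "serial": "c02-zq1abmd6r"},    # tag not captured, serial matches
    {"tag": "DT-0005", "serial": "MXL0123456"},  # reported, yet withheld for the drill
]
WITHHELD = {"DT-0005"}

if __name__ == "__main__":
    for status, tags in reconcile(REGISTER, VENDOR, WITHHELD).items():
        print(f"{status:13s} {tags}")
```

An entry under `unmatched` is an asset with no evidence of arrival, and an entry under `false_report` means the vendor's inventory lists equipment it could not have received.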

Plan for the Worst

Mike Tyson famously quipped, “Everyone has a plan until they get punched in the mouth.”

Best-laid plans of ITAD often go awry. When they do, don’t get knocked out. Make sure any issue is an incident and not a breach.

Take time to define indemnification. Modify your game plan if you aren’t comfortable with the risks.

If equipment never arrives at an IT disposal vendor’s facility, it will not be properly processed and sanitized. Unfortunately, laptops have legs. The smaller and more valuable an item is, the more likely it is to disappear during transportation.

Take the time to spell out the worst-case scenarios and determine how you are covered. Discuss what-if scenarios with your ITAD vendor. Learn how an ITAD vendor will actually protect your organization, or not, should something go wrong. Ask for specific examples of actual problems they have encountered and to explain how the issue was resolved.

Do your due diligence. Ensure your ITAD vendor understands all the state and local requirements and is adequately insured. There are over 1,000 certified electronics recyclers in the US, but not all are equally qualified. It is better to discuss potential problems upfront than to assume anything.

Better ITAD vendors will understand and appreciate your security concerns. Better ITAD vendors will encourage your audit efforts. Better ITAD vendors appreciate the opportunity to take corrective actions to prevent problems before they become downstream disasters.

Final Thoughts

Nobody cares about ITAD until everybody cares. Too often everyone cares when it is too late — when an asset is found in the wrong place or is found still containing data.

Reviewing the five mistakes is a perfect way to ensure everybody is on the same page before a crisis happens.

If you have any questions or comments, please let me know.

To your ITAD success,

Kyle
