Box Cutters Don’t Bring Down Buildings

ITAD is a disregarded cybersecurity threat

A Lesson for IT Asset Disposition from the Tragedy of 9/11

On April 7, 1994, an employee passenger attempted to hijack Federal Express Flight 705 using several hammers and a speargun. The crew fought back, subdued the passenger, and miraculously landed the aircraft safely despite severe injuries.

The crew of Flight 705 was celebrated justifiably for their courage, strength, and ability to stop a hijacker who intended to kill them and fly the fuel-laden aircraft into the Federal Express Memphis headquarters building in a suicidal attack. I remember it vividly as I was living in Memphis at the time.

Seven years later, terrorist group al-Qaeda hijacked four commercial flights using knives and box cutters in a coordinated attack that resulted in nearly 3,000 fatalities, 25,000 injuries, a global economic recession, and a twenty-year war in Afghanistan. The tragedy of 9/11 is a scar that will never heal.

Disregarding a Threat

Many hijackings had occurred before 9/11. Standard procedures dictated that pilots cooperate with hijackers and let authorities deal with their demands. And despite Flight 705, authorities disregarded the risk that a hijacked aircraft would be used as a suicide weapon.

A bipartisan commission was chartered in 2002 to prepare a complete account of the circumstances. The 9/11 Commission concluded, “the most important failure [concerning the 9/11 attacks] was one of imagination.” It found that we failed to “connect the dots.”

Following the horrific disaster of 9/11, authorities enacted security changes. Notably, cockpit doors were made more robust and left locked throughout the flight to prevent terrorists from gaining access.

Two questions have haunted me for the past twenty years. Why did we fail to lock cockpits throughout flights following Flight 705? And, had the 9/11 flights miraculously landed safely, would we still have adopted the new safeguards?

A Rising Threat

Over the past few months, we’ve seen increased attacks of a different kind that create a new clear and present danger to society. Ransomware attacks against critical infrastructure - water treatment facilities, gas pipelines, food distributors, and hospitals - put lives at risk.

Hackers often gain access to networks by exploiting backdoors. Organizations are scrambling to shore up their cyber defenses.

But it’s not just gaps in firewalls that these hackers are looking for; it’s also an organization’s old computer equipment. A single unsecured asset can create a plethora of problems because these backdoors make it easy to install ransomware.

IT asset disposition (ITAD) is understood to be a data security vulnerability. Last year, Morgan Stanley was slapped with a $60 million fine from the United States Department of the Treasury after customer information was mismanaged during computer decommissioning projects.

According to data breach notifications sent to state Attorneys General, a “small number” of servers could not be located. What many miss about the Morgan Stanley breach is how ITAD mismanagement can also be a cyber-attack vector.

While this Morgan Stanley breach did not endanger lives, it reveals how every organization is at risk from ITAD mismanagement. Missing assets make us vulnerable not only to data breaches but also to demonic ransomware attacks.

Yet, ITAD problems are typically out of sight and mind for most executives. After all, it’s hard to justify investing the time when there hasn’t been a disaster. However, detailed tracking data reveals a troubling fact: four out of five corporate IT asset disposal projects have at least one missing asset.

Employees steal assets. Vendors lie. And IT asset managers are tempted to shrug their shoulders and sweep problems under the rug. People naturally avoid self-reporting facts that could make them look bad.

Reasons like these are why Zero-Trust has become the go-to framework for enterprise security - and why it should also be the cornerstone of your IT asset disposition strategy.

Traditional trust-based ITAD not only increases the risk of breaches and ransomware; it guarantees you won’t know about a problem until it’s too late.

The point of Zero-Trust is not to make networks more trusted; it’s to eliminate the concept of trust. Likewise, the point of Zero-Trust ITAD is not to make disposal vendors more trusted; it’s to eliminate the concept of trust from ITAD.

Morgan Stanley’s ITAD mismanagement shows us how even sophisticated organizations lose track of assets. Adopting a Zero-Trust approach towards ITAD helps organizations mitigate the risks.

If we fail to imagine what could happen, we risk forgetting the lesson of Flight 705. Today, ITAD is a disregarded cybersecurity threat. Let’s connect the dots this time and avoid repeating the same mistake.

Resources

Retire-IT has been providing Zero-Trust computer recycling solutions for almost 18 years. Our proven process and vendor-neutral approach have helped over 1,000 organizations like yours prevent hackers from accessing their network, hold vendors and employees accountable, and keep their assets out of the headlines.

Schedule a call with us today and arm yourself with the tools & resources you need to make the switch to Zero-Trust.
