Cybersecurity Incidents Involving Toxic IT Assets are Material in Aggregate
The Securities and Exchange Commission (SEC) has introduced new cybersecurity regulations requiring disclosure when a series of previously undisclosed, individually insignificant cybersecurity incidents collectively become material. Toxic IT assets pose substantial threats collectively. Effective IT asset management (ITAM) and IT asset disposition (ITAD) safeguards are essential to preventing toxic IT disclosures.
What is a Toxic IT Asset?
IT assets turn toxic when they go missing without proof that they don’t contain Personally Identifiable Information (PII). However, missing assets aren’t deemed toxic if there’s evidence of encryption or the absence of PII. Missing assets also turn toxic when they can still access company networks. If left unchecked, toxic IT assets might become a backdoor for ransomware and malware installation.
Toxic IT assets must be treated as a potential security incident – investigated and resolved – to prevent them from becoming a disclosable data breach.
Aggregated Impact of Toxic IT
While a single toxic IT asset might not appear substantial, a group of such assets becomes undoubtedly significant. For instance, Coca-Cola disclosed a data security breach revealing that an employee responsible for asset disposal stole 55 laptops over six years.
Though each laptop theft may seem inconsequential, the cumulative impact of an insider obtaining numerous laptops is material. Disclosure is mandatory under the new SEC cybersecurity regulations when incidents collectively become material.
If left unchecked, toxic IT assets can become dangerous. We have all read how so-called “forever chemicals” found in drinking water can have major long-term health repercussions. Similarly, toxic IT can progressively build up to material levels in an organization without sufficient safeguards.
Although there is no statute of limitations regarding privacy regulations, toxic IT assets, unlike forever chemicals, do not need to be a permanent problem. Implementing proper controls can minimize and mitigate the risk of toxic IT.
Beyond ITAD: Identifying Toxicity Across ITAM
Coca-Cola experienced a data breach during the ITAD process. Since organizations frequently replace outdated electronic devices containing sensitive data, robust ITAD measures are crucial.
ITAD isn’t the only phase when an IT asset can turn toxic. The asset lifecycle encompasses several key stages: acquisition, deployment, relocation, repairs, and eventual decommissioning.
Throughout each stage, implementing sufficient controls becomes imperative to minimize and mitigate the associated risks of IT assets going astray.
Maintaining accurate inventory throughout the lifecycle is complex due to the dynamic nature of IT environments. Although 95% accuracy is considered acceptable, the notion that ITAM can flawlessly manage all assets persists.
Since a single asset found in the wrong place or discovered to contain data can have costly consequences, organizations should equip ITAM with tools and resources to achieve 100% inventory accuracy for assets on and off the network.
Accountability Through Check-Out/Check-In
ITAM is the set of business practices that support lifecycle management and decision-making in the IT environment. In other words, ITAM is about keeping track of and managing all the IT assets in the organization.
In ITAM programs, the check-out/check-in procedure is fundamental, involving formal processes to assure accountability during asset transfers. At check-out, responsibility is transferred to someone. At check-in, responsibility is transferred back.
The “Final Check-Out” is the ITAD process which significantly differs from standard check-outs. Here, assets aren’t returned, and ITAD vendors don’t function like regular employees, necessitating distinct accountability procedures.
Conflicts of Interest Increase Toxicity
Many organizations overlook ITAM’s importance, lacking proper resources and executive backing. IT asset managers seldom receive recognition for their efforts and may face blame when assets are lost.
Often, missing assets are categorized as “retired” to save time. Not labeling missing assets as retired is crucial, as those delays investigations or hide toxic IT assets.
Asset managers might hide toxic IT assets for several reasons:
- Avoiding Blame: Asset managers could fear being held responsible for problems such as missing assets or potential security breaches, leading them to hide issues to protect their reputation.
- Fear of Consequences: The potential personal and organizational repercussions of disclosing problems might lead to hiding issues.
- Lack of Resources: Inadequate resources or support can lead asset managers to conceal problems to avoid admitting shortcomings in their management.
- Pressure to Maintain Efficiency: Asset managers may prioritize maintaining efficient operations over revealing problems that could disrupt the workflow.
- Unrealistic Expectations: If there’s an expectation that asset managers can flawlessly manage all assets, they might hide issues rather than admit to falling short of those expectations.
- Complexity: Asset management can involve complex processes and challenges. Asset managers might hide problems to avoid explaining these complexities to higher-ups.
- Lack of Accountability: If there’s no clear accountability structure, asset managers might hide problems, assuming the issues won’t be traced back to them.
- Perceived Lack of Importance: Asset managers might feel that certain problems are insignificant in the grand scheme of things and choose to ignore them rather than address them.
It’s important for organizations to foster an environment where transparency is valued, and asset managers feel comfortable reporting problems without fear of negative repercussions. ITAM’s responsibility is to present honest facts to executives, whether good or bad, avoiding misinformation that could be professionally and legally damaging.
Segregation of Duties Required
A cornerstone of major data security laws is to minimize conflicts of interest. The concept of segregation of duties (SOD) is crucial for preventing conflicts of interest and fraud. SOD divides responsibilities between different entities to ensure checks and balances. The absence of SODs can lead to audit failures and compliance issues.
The goal of SOD is to create a system where no single person can initiate and complete a process without oversight from another party. For example, in ITAD, segregation of duties might involve separating roles such as:
- Initiation: The person who requests a disposition.
- Authorization: The person who approves the request.
- Decommission: The person who prepares assets for disposition, including data destruction.
- Disposition: The vendor who performs ITAD.
- Recording: The person who enters the transaction into the system to demonstrate the chain of custody.
- Reconciliation: The person who verifies that the transaction was recorded accurately and matches supporting documentation to validate the chain of custody.
By having different individuals responsible for each of these steps, the organization creates a system of checks and balances, reducing the risk that a single person could manipulate the process without detection.
Here are steps that can be taken to keep IT assets from turning toxic:
- Maintain Separation of Duties: If your policy is flawed, no process will help.
- Track IT Assets from the Moment They’re Acquired: ITAM is expected to account for every asset acquired.
- Treat Inventory Discrepancies with Due Regard: Procedures must be in place before assets go missing to minimize and mitigate the risk of toxic IT.
- Recognize That Encryption is Not a Silver Bullet: While encryption can prevent an incident from becoming a breach, it cannot prevent an incident from occurring and does not eliminate the requirement to detect and investigate incidents. Coke had a policy of encryption.
- Use Disposal Tags: Serial number tracking is fallible. Disposal tags deter theft and are an effective way to track assets and prove chain of custody.
- Destroy Data Before Devices are Moved: 99% of problems happen before an ITAD vendor touches the equipment. No vendor can protect an asset it doesn’t receive.
- Have Equipment Held: Require your ITAD vendor to quarantine equipment until all assets have been accounted for. Never allow an ITAD vendor to resell or destroy equipment until the chain of custody is established.
- Not Sharing Inventory Reports with Vendors: SOD is critical to privacy regulations. ITAD vendors have a conflict of interest and should not be reconciling inventories. Rather, they should report what is received, and the data controller should reconcile. That way, discrepancies can’t be swept under the rug.
- Automate and Outsource Inventory Reconciliation: Spreadsheet reconciliation is time-consuming and tedious. Moreover, the results of manual reconciliation can be subjective and impossible for someone else to verify without redoing the entire thing. Automating and outsourcing reconciliation ensures a consistent, objective approach and allows IT asset managers to spend valuable time solving problems.
- Test Security Controls: Compliance requires an organization to implement and test safeguards. Detecting a missing asset requires a robust reconciliation process. An effective test of this control is to include a fictitious asset in every disposal inventory. This imaginary asset should be flagged as missing. If the ITAD vendor reports receiving the pretend asset, there is a problem.
Other things can help mitigate the toxic IT asset risks but should only be used to support the good disposition practices cited above.
Evaluate Your Toxic IT Asset Risk
Risk managers are encouraged to rethink ITAM-ITAD management practices and ensure they can answer the following questions:
- How would we know if a loss occurred?
- What incentives exist to report a loss?
- Can an employee or vendor hide a loss?
- When were employees and vendors last trained in ITAM-ITAD procedures?
- How would our ITAM-ITAD program be viewed under direct examination?
Retired IT assets are gone but not forgotten. Easily discoverable information about toxic IT assets can create enormous exposure for unprepared organizations.
How We Can Help
Ready to build a bullet-proof ITAD strategy? Call me at (888) 839-6555 or email firstname.lastname@example.org. I would be pleased to share a strategy and outline the options if you need an effective approach to eliminate toxic IT assets and achieve defensible disposition.