Why recycling public sector IT is in dire need of improvement

This article was originally published on Technology.Info.
As part of our continuing strategy for growth, ITProPortal has joined forces with Technology.Info to help us bring you the very best coverage we possibly can.

As the Information Commissioner’s Office (ICO) continues to crack down on data security breaches, such as the NHS Surrey scandal which saw the now defunct Trust fined £200,000, organisations across the public sector are starting to realise the implications of informal or non-existent IT asset disposal policies. As a result, these organisations are making steps to understand and establish responsible recycling processes with secure, certified service providers who will ensure they stay out of the ICO’s line of fire and as such Stone Group, the UK-based ICT solutions provider to the public sector, has seen a marked increase in the number of process enquiries being received into its recycling and refurbishment facility.

There were 335 data breach incidents in Q2 2013 alone according to the ICO; 29 of which were lost or stolen hardware with the top three biggest offenders being health, local government and education. But with increased scrutiny and an ever interested media, is that enough to help drive through better policy making in public bodies?

Technology, and the security it demands, has changed considerably in the last five years, not least because of developments in mobile devices and tablets, but also trends like BYOD. Unsurprisingly, data that only used to be resident on hard drives now sits everywhere and end users have had to change attitudes to data protection, to reflect their responsibilities for both their business and personal data.

There are a number of continuing issues around information security and the value of an assured disposal service provider, much of which can be attributed to a worrying number of gaps in the market, awareness around responsible IT asset disposal and recycling processes for redundant, end of life IT hardware.

Improving awareness

ADISA (Asset Disposal & Information Security Alliance) has developed a security standard for IT asset disposal companies, which focuses on how the company processing the equipment ensures that the asset, and therefore the data, is managed and protected throughout the process until the data itself is sanitised. It is working with partners like Stone Group to bridge this huge awareness gap in education and recently launched a series of education programmes with the University of South Wales.

Steve Mellings, founder of ADISA, recently said: “Awareness of the importance of IT asset disposal is slowly increasing in the end user market; however, few organisations have formal policies in place to control the process.

“Simple but essential procedures, such as having an accurate inventory of equipment being released to a third party, are still quite a rarity. In many organisations, decisions for disposal are made in an ad-hoc manner, often by staff who don’t possess the correct understanding of the risk which is being undertaken, as the perception is that it is just another waste stream.”

Quality assured over cheap service

The increasing focus on data protection legislation and its enforcement are factors that those responsible for data should be placing high importance on.The associated commercial costs of heavy legal penalties for allowing a breach in data protection, which compromises individuals or clients confidentiality, could potentially ruin organisations of all sizes and damage its reputation in the long term.

An approach to deal with this just in financial terms can often mean business for hardware being placed with the highest bidder who may not offer an acceptable service. Companies don’t buy the cheapest firewalls or antivirus solutions so why should they settle for the cheapest or no-cost disposal service? The data is still the same.

Mellings supports this: “There is no question that the service provider market is maturing, with the number of professional and ethical companies increasing, but this market is under huge pressure as there is still a reluctance to pay for the service itself. With the cut throat nature of this market space there is always another company around the corner happy to take a risk and collect and process for free.”
ADISA is an advocate of two phase engagement. First, high quality service controlled by a contract /SLAs and a sensible pricing structure; then phase two, a fully transparent revenue sharing strategy where the full upside of the equipment residual is shared. In most situations this will see a cost positive return to the end user whilst maintaining a high quality data destruction service.
Organisations should not make disposal decisions purely based on the financial returns offered for their redundant IT equipment. They are responsible for the safety both online and offline of staff and customer information, and this extends to the data held on electronic equipment even when no longer in use. Choosing to dispose of IT via anything less than quality approved service providers is negligible and poses an unnecessary risk.
Those looking for IT disposal services should ensure their chosen provider can demonstrate compliance with recognised security standards such as ADISA ITAD and ISO 27001, and that the data wiping/destruction methods employed are suitable for the classification of data and media type. A visit to the provider’s facilities should also be considered to verify the process and security.
Data wiping which is performed by software that has been tested and approved to a national technical standard such as CESG, will provide secure wiping of data. There are many products available online which do not offer the same assurance and are unproven. As an organisation you should also ensure that the proposed data wiping software is suitable for the type of media you require wiping.
Conclusion
Ultimately, and legally, the responsibility rests with the organisation from whom the assets and data originated. Whilst the responsibility for the security of the data is transferred to the disposal service provider on physical receipt, liability will still rest with the organisation if due diligence has not been applied in selecting that provider.
It is clear that the absence of IT asset disposal policy by public sector organisations is no doubt the result of eternal struggles to reduce costs, which has placed responsibility with unqualified individuals. It is, however, more necessary than ever that such oversight is eradicated and policies put in place to ensure security and data breaches are a thing of the past.
Martin Ruston is group compliance manager at Stone Group

Topics