IT asset disposal is a security risk CISOs need to take seriously

Asset disposal normally isn’t one of those burning topics that is top-of-mind for CISOs, yet every CISO must be able to address it when asked to describe their information technology asset disposal (ITAD) program. Lack of a program signals data may be at risk when equipment is recycled; presence of a program signals attention to data protection. No CISO wants to encounter the former; every CISO wishes to be associated with the latter, though it may be a false-positive if the program does not include an auditable chain of custody/data destruction.

Can you, the CISO, or your team in charge of the ITAD, describe how each device provisioned and issued within the company is tracked, the data on the device is accounted for, and when and how that device is removed from the company ecosystem in a way the company and its customers’ data is protected?

ITAD an identified threat vector

The recent guidance provided by the Cyber and Infrastructure Security Agency (CISA) included ITAD as an identified threat vector in its guidance on defending against software supply chain attacks. Every entity needs an ITAD program, and the program must ensure that the devices are data-free when they exit the control of the company. The harsh reality is many don’t, and among those that do, many rely on certificates of destruction and not an auditable and visual chain of custody involving data and devices. The former requires trust; the latter includes verification.

Recently the business model of WV Technologies was described in Australia’s online edition of National Cybersecurity News. They would purchase government lots of old equipment at auction, and even though the devices were supposed to be cleaned of data, operational data, VOIP configs, SD-cards, SSD drives full of data were often found. The company engages in data destruction and noted in late-May 2021 that its sales of these “refurbished” devices had dried up completely. Previously, the firm was selling “at least a container of equipment every month” to overseas buyers. They attributed the reduction in market interest to their adjustment in data destruction methodologies.

The House and Human Services Office of Civil Rights slapped Filefax, a company that had shuttered its doors with a monetary fine for mishandling protected health information (PHI). They had arranged to have medical records destroyed by a contractor, drove the records to the facility, and left it unattended overnight in an unlocked truck—good intentions with lousy execution.

Then there is the case of ShopRite, which found itself on the receiving end of a monetary fine for “failing to properly dispose of electronic devices used to collect the signatures and purchase information of pharmacy customers.” The New Jersey attorney general noted how the company had tossed the devices into a dumpster without wiping them of the sensitive data.

Miranda Yan, founder of VinPit, comments how internal controls are intended to ensure regulatory or legal compliance to a company. While Ted Barassi, a data privacy and information governance expert at FTI technology, notes how the Office of the Comptroller of the Currency fined a major money center bank due to a breach arising out of a vendor’s failure to dispose of disk drives containing customer data as part of a data center decommissioning project. (Morgan Stanley was fined $60 million by the OCC in October 2020 for the 2016 incident.) He adds that it is important that assets being disposed of be uniquely identified and tracked in a documented process and that the disposal be certified by the vendor performing the work.

While certification is important, Kyle Marks, ITAD chain of custody expert and CEO of Retire-IT, highlights how a single unsecured asset can expose an organization to ransomware or other data security threats.  He counsels that obtaining a “certificate of destruction” is inadequate, “It is nothing more than a participation trophy.” Certificates are easily printed; verification and chain of custody needs to be integral.

ITAD in-house or third-party?

The question for CISOs is not, “Do I need an ITAD program?” You do. Not only do you need a program, but your program must ensure it includes 100% of devices that are company owned, as well as those that are employee/contractor owned (BYOD) and have company/customer data resident.

The decision to build an ITAD program in-house or hire outside expertise is unique to each organization, but whichever path is taken, it must be replete with checks and balances to ensure verifiable integrity of the ITAD process and prevent any device from departing the ecosystem with data on board.