Does your business appropriately consider the risks of residual data on end-of-life IT assets?
Every business, small, medium, or large, should consider the risks of data theft. If you store any customer data, especially Personally Identifiable Information (PII), you can’t take the chance of it falling into the wrong hands – or anyone’s hands! Published research on cyber-attacks largely focuses on in-life assets. Security policies for mitigating data leaks must consider not only in-life devices but end-of-life devices too. At the end of useful life, data on assets must be compliantly and completely wiped as the only guarantee that data cannot be recovered.
Data security and the impact of cyber-attacks
The UK Government released its updated Cyber Security Breaches Survey in 2024, revealing that 50% of businesses and 32% of charities said they’d experienced a cyber security breach or attack in the 12 months prior.
Just 31% of businesses and 26% of charities had run cyber security risk assessments in the 12 months leading to the survey.
Cyber hygiene is recommended as common prevention, including updated malware protection, password policies, restricted admin rights, cloud backups, and policies for handling phishing emails.
However, the report doesn’t explicitly cover end-of-life assets. The topic is also missing from the National Cyber Security Centre’s 10 Steps to Cyber Security.
There’s a reported rise in cyber attacks, with the cost of extreme losses related to these quadrupling since 2017. Increasing digitalization and growing geopolitical tensions are indicated to be factors behind this increased risk.
It’s predicted that cybercrimes will cost over $10 trillion annually in 2025 and reach nearly $24 trillion by 2027. That’s the GDP equivalent of being the world’s third-largest economy.
When so much focus is put on protecting active assets that are deployed in the field, attention to the disposition of assets can be lacking.
Exposing the gap
While in-life assets, containing the most up-to-date and relevant information, are an entry point for data breaches and leaks, e-waste is a rising source of them.
E-waste is the term given to electronic products, with a battery or plug, that are no longer in use. These may be discarded in landfill sites or simply be unwanted or disused.
Factors causing e-waste include faulty products, broken or damaged goods, obsolete models being replaced, or the owner simply no longer needing the item.
There are huge environmental dangers of e-waste heading into landfills. For example, computers contain hazardous materials such as mercury, lead, cobalt, and arsenic. Once the plastic shell breaks down, these substances can contaminate the soil and air.
Data-bearing or connected devices pose a risk if not properly wiped or factory reset. Residual data can be recovered or accounts accessed from linked devices.
Consider that 300 million computers are produced every year. There may be a keyboard, mouse, screen/s, headphones, and power cable to go with each. What’s the end-of-life plan for those assets? If each of those 300 million instances for the year goes into landfill, that’s a huge impact.
7 million laptops, 9.17 million tablets, and 6.5 million computers sit, unused, in UK homes.
If those computers, laptops, and tablets aren’t disconnected from personal/business accounts and data wiped, all that residual data remains accessible.
Data risks
While the device and its data remain unmonitored in storage or landfill, or are even unintentionally sold to another user, they aren’t being protected. The device may miss vital security updates or fall outside your security policies. Attacks on such devices may go undetected for longer periods.
E-waste hacking
Once the data-bearing or connected device is out of your hands, what happens to it? Opportunists have begun to scour waste electronics to access residual data. This is called e-waste hacking. They may use the data themselves or sell it to a third party to make money.
Discarded electronics often fail to be treated with the same care and attention that in-life devices receive, and may be accessed through inside sources or stolen. Less reputable waste management partners may sell used electronics for quick financial turnaround, without taking any time to wipe data.
In some cases, specialized tools and software may be used to access the information, but in others, the device just needs power to unlock all the data it contains.
With this data, the hackers can commit identity theft/impersonation, financial fraud, cyberattacks, blackmail, password cracking, extortion, corporate espionage, and phishing attacks.
While it’s more likely that consumers would discard electronics into landfills, the risk exists for businesses too. Proper disposition policies must be in place and followed, using trusted third parties if required to ensure data is compliantly wiped. Using less reputable partners may result in underhand waste management practices.
Take a moment to think about the device you’re using to read this article.
What information would someone be able to find out about you if you just handed it over to them right now?
What passwords do you have saved?
What websites does your browser remember the log-in for?
When was the last time you cleared your browsing history and cache?
What files are accessible locally or through the cloud?
Whose contacts do you have saved?
What appointments are saved in your diary?
What apps are you logged into?
All that information could be in the hands of a stranger if the device doesn’t have proper end-of-life management. Everything you’ve done while using the device to protect your data becomes completely worthless if you just hand everything over.
Consequences of the gap
Factory resetting or deleting/formatting data on assets once you no longer have a use for them may not be enough. You need absolute proof that the data cannot be recovered. Failing to cover the end-of-life management of your IT assets within your data security policies can lead to:
- Loss of Personally Identifiable Information. This includes bank account details, medical records, and identity numbers. Losing this type of consumer information breaks laws and regulations.
- Loss of business or proprietary information. In some cases, used hard drives have been recovered and revealed information about national security policies. For example, students in Ghana found data relating to a US defense contract when they bought a hard drive from a market. Files about the Terminal High Altitude Area Defence (THAAD) missile system were also recovered from a hard disk bought on eBay. You can suffer IP theft and loss of competitive advantage.
- Fines for not complying with data protection laws and regulations, for example, GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act). These apply not only to theft of information online but also to theft of the physical devices the data is stored on. Typically, the older your device, the more likely it is to be a target for cyberattacks as security updates and support decrease.
- Financial losses. Cyber-attacks could see finances directly or indirectly diverted from the business. There’s also the impact of loss of earnings caused by work delays while rectifying breaches. It’s predicted that cybercrime costs will reach $10.5 trillion annually by 2025.
- Business as usual impacts. Your time and resources will be used to locate and solve the problem of any data leak. Have a contingency plan in place so you know exactly what to do in the unfortunate event of a data security breach.
- Damage to business reputation. The reliability and overall security of the company may be affected following a cyber-attack or data breach. Your lapse in security could also lead to a supplier or customer being breached.
How to close the gap
Ultimately you must ensure that the end-of-life processing of your IT estate is treated just as securely as the in-life use. It cannot be an exposed gap for criminal opportunists to take advantage of.
It is possible to dispose of your IT assets yourself. Adhering to data security, environmental responsibility, and compliance requirements is vital. An IT Asset Disposition (ITAD) partner reduces the pressure on businesses.
ITAD services cover different types of data-bearing devices and ensure that data cannot be recovered. Some solutions also enable value recovery. By extending the lifecycle of devices ahead of reuse, you adhere to a circular economy rather than a linear one, reducing the environmental impacts of technology.
After going through stringent data wiping processes, you have an auditable trail that the assets are safe to be sold on for future use.
The recovered value can be used to fund your next acquisitions or be funneled into the infosec budget. Many ITAD providers do not offer additional value uplift services, so it’s important to check before signing with a partner.
Use reputable third parties with a transparent chain of custody and certifications to verify that their solutions are delivered to industry-recognized standards.
Partner with Ingram Micro Lifecycle
If your business wants to dispose of IT assets, it’s important to choose a method that is secure, compliant, and sustainable.
By working with a reputable, certified ITAD provider like Ingram Micro Lifecycle, you can be sure that you’re in safe hands. Your data is protected, you’re compliant with regulations, and you’re doing your part to protect the environment.
Contact us today to discuss how our ITAD solutions can be tailored to suit your business needs.