Disposing of obsolete and broken electronic devices, or e-waste, is not as simple as taking out the trash. Heavy metals and other poisonous contaminants can leak into the environment if electronic equipment is not properly processed. Without foresight, discarded data is also at risk of unintended exposure.
Analysis of 206 respondents from Aberdeen’s “Responsible Disposal of IT Assets” benchmark study (November 2009) shows that while data protection and compliance with environment regulations top the list of e-waste concerns, the environmental issues are lagging significantly behind in terms of resources currently being allocated to address them.
In Edgar Allen Poe’s 1843 story The Tell-Tale Heart the narrator tells of the coldly calculated murder of an old man and the subsequent concealment of the corpse under the floorboards of their home. When the authorities come to investigate, he calmly satisfies them that nothing is amiss … until the sound of the victim’s beating heart grows ever-louder in his imagination, eventually driving him to confess: “I admit the deed! Tear up the planks! Here, here! It is the beating of his hideous heart!”
Electronic waste, if mishandled, can likewise come back to haunt a business long after it is dead and buried. Authorities, in the form of environmental regulations, public disclosure laws or auditors, can come knocking at any moment, investigating to uncover any misdeeds. IT or security executives responsible for the disposal of IT assets are at risk of discovery, with any improperly disposed data and e-waste the beating heart that potentially leads to their demise.
Security and Policy
Aberdeen’s November 2009 benchmark study on “Responsible Disposal of IT Assets” reveals that the top pressures driving respondents to invest current resources in responsible e-waste disposal methods are concerns about data security and environmental regulations. In other words, these are the “authorities” they currently fear most from showing up at their door — by a factor of two times more than any formal corporate commitments to sustainability or measurable customer preferences to do business with green solution providers.
The issue of data security not only topped the list of factors driving current investments in e-waste disposal, but also ranked consistently highest among organizational priorities and allocated resources. Over 74 percent of companies in the “Responsible Disposal of IT Assets” study had a strict data protection policy already in place, with another 19 percent planning to implement one within the next 12 months. When evaluating both external solution providers and internal company performance, the protection and verifiable destruction of data were the most requested, most implemented capabilities. Leading selection criteria for third-party disposal companies included guarantees for data privacy (65 percent) and insurance for general business liability (53 percent).
Concerns for data loss or data exposure are well-founded. Between Jan. 1, 2003, and Sept. 30, 2009, there were 1,136 public disclosures of data loss involving stolen, lost or disposed assets, as summarized and cataloged on www.datalossdb.org. The majority (69 percent) of disclosures were catalogued as “stolen,” with 20 percent as “lost” and 11 percent as “disposal,” with an overall year-over-year increase in the number of data loss disclosures.
Keep Encryption Simple
Stolen laptops represent the biggest area of concern, which is why in the strategic decision enterprises make between the precision of file / folder encryption (encrypting only specific files or folders based on content and pre-existing policies) and the brute force of full-disk encryption (encrypting everything on the endpoint), Aberdeen’s benchmark study “Full-Disk Encryption On the Rise” (September 2009) showed that the general trend is toward the simplicity of full-disk encryption. This trend is observable over the course of several benchmark studies in data protection which Aberdeen has conducted over the past two years, and is expected to continue.
Although the number of disclosures regarding data loss due to disposal of computers, drives and tapes has been very small (just 1 percent of all public disclosures over a period of nearly seven years), keep in mind that the “lost” category means that the data may or may not have been compromised. Like the tell-tale heart, it remains just beneath the floorboards with the potential to be exposed … thump-thump, thump-thump, thump-thump.
For this reason, it makes sense that 43 percent of respondents in the “Responsible Disposal of IT Assets” study indicated that their next move would be to better identify and track their IT assets, and to make use of this information to set appropriate disposal strategies and improve overall lifecycle management. Three out of five (58%) indicated that some manner of IT asset management solution is already in place, while 21% said that they had no knowledge at all regarding a comprehensive inventory of their existing assets. Many of the most popular strategic actions for internal improvement revolved around integrating reporting of IT asset disposal with existing asset management systems, and using those asset reports to monitor and support enhanced e-waste disposal efforts. The more precisely an organization knows the location of their IT assets, even after they are decommissioned and disposed; the less room there is for surprises with regard to data security or compliance with environmental regulations.
Keep It Clean and Green
Compliance with environmental regulations was a close second as a driver for current investments in e-waste disposal. In fact, when combined with formal corporate commitments to sustainability and measurable customer preference to do business with green organizations, three of the top four pressures driving current investments revolve around environmental concerns. Unlike data protection, however, these issues were not nearly as strongly supported in terms of the resources currently being allocated to address them. Just 20 percent of all respondents identified enforcement of compliance with environmental regulations as a leading strategy, and just 10 percent currently determine business practices based on green guidelines.
The root cause for this apparent disregard for environmental concerns may be that 42 percent of all businesses lacked an individual or team with overall organizational responsibility for disposing of electronic assets at the end of their useful lives. Current practices in accountability drive a willingness to invest in protecting sensitive data, but not on disposing a useless piece of equipment.
Not everything was bleak when it comes to environmental issues, however. More than 13 percent of equipment procured in the past 12 months adhered to formal sustainability guidelines, up from 10 percent the year before. Additionally, 48 percent of companies surveyed indicated that they would be willing to pay more for environmentally friendly products. Some companies remain skeptical, as exemplified by the VP of engineering who noted wryly that “there always seems to be infinite demand for products that haven’t yet been developed.”
Eventually, all e-waste must be disposed. One option involves certified recyclers — organizations that are voluntarily audited and certified by accredited third parties — who ensure data security and environmentally safe disposal. One in five (19 percent) of all respondents indicated that they would use certified recyclers exclusively as their e-waste solution; 69 percent used certified recyclers in some capacity in the last 12 months. More than a quarter (28 percent) of the electronic waste from all respondents was disposed of in this manner, up 4 percent from the previous year.
Participation in a take-back program offered by the equipment manufacturer or a value-added reseller (VAR) is less common, with roughly 30 percent of respondents indicating near-term intent and more than 40 percent respondents indicating no desire to participate in them whatsoever. Just 6 percent of all discarded electronics were disposed of in this manner last year, most often for a small fraction of their equipment. At the moment, it appears that these programs are best utilized as a supplement to more comprehensive e-waste disposal systems.
Aberdeen intends to conduct future benchmark research in the area of tracking and recovering assets, theft deterrence and data protection. Contact the authors for more information about participating in these studies.
Nathaniel Rowe, research associate in IT security at Aberdeen, can be reached at [email protected]. Derek E. Brink, vice president and research fellow in IT security at Aberdeen, can be reached at [email protected].