For corporate executives and IT managers, this could be the most important article you will read this week. In a recent event with corporate risk managers, I warned executives of the lurking risk of improper IT Asset Disposal.
I drew on my 18+ years of experience in IT hardware lifecycle management (many of those spent at Tarsus Dispose-IT) to highlight a concerning trend: corporate executives seem remarkably unaware of the large-scale ‘looting’ of redundant corporate IT assets by staff, which goes largely unnoticed, most especially in big corporations.
It is not only the monetary risk that is significant, but the plethora of other risks that this exposes the organisation and its directors to.
Allow me to outline some of the risks and realities of ignoring this disturbing trend.
IT hardware that has been refreshed and fully depreciated is often overlooked by the CFO or CIO. It sits in store-rooms, warehouses and cupboards where the expense of implementing proper controls often outweighs the value.
Whilst it sits dormant with little value to the organisation, it carries real street value, and it doesn’t take long for employees handling it to realise they can benefit, personally, from it.
This is endemic worldwide, but Dispose-IT's three years of experience working with SA corporates in the IT Asset Disposal space shows that it has become a massive issue locally.
The theft risk
Even with formal processes, the theft of hard drives and memory from decommissioned equipment is going unnoticed. These hard drives and memory are commodity items, easy to re-sell on online platforms, or simply used to upgrade a home PC.
A hard drive sold for cash may well contain customer data – these small items are easy to conceal and remove from the company. Redundant equipment store-rooms experience major shrinkage, with values getting rapidly wiped out while the kit lies dormant.
The risk of losing data
Hard drives, flash drives, printers and other devices store information. If data is not properly removed, someone can access the data using undelete software freely available on the internet. Loss of client data can expose the company to huge fines and lawsuits, not to mention massive reputational damage.
Many corporate executives are still unaware, but it only takes one stolen hard drive with sensitive client information in the wrong hands to destroy the reputation of a giant corporation.
In a case in the UK, over 3,000 patient records, including 2,000 related to children, were found on a second-hand machine sold on an online auction site.
The longer the redundant assets sit, the greater the risk of theft.
The environmental risk
The valuable components of IT assets are often stripped of value by supposed e-Waste companies and the balance of the hazardous material dumped. The dumped material could easily carry a serial number or asset tag that links it back to the company.
The statutory risk
Losing customer data will carry potential fines and imprisonment for directors under the POPI Act, as will reckless disposal of hazardous e-Waste. Contracting it out does not eliminate liability where organisations have failed to take reasonable care.
E-Waste is often handed over on the strength of promises from bakkie-brigade vendors with a fancy website, without the corporate having done a site inspection to see whether the vendor has a facility capable of processing and managing these risks.
The corruption risk
Disposal of IT assets is an area where the risk of corruption is high. This is endemic worldwide, and a major problem in South Africa too. Employees sell or give away company assets that are destined for disposal to benefit themselves or another person.
This is a criminal offence. It is often overlooked because the assets have been removed from the asset register, or fully depreciated.
As it often goes unnoticed for years, this begins to breed systemic looting of assets (both IT and other) with the potential of yielding millions of rands over time for the corrupt individuals, whilst exposing the company to massive risk.
Depreciating risk
Redundant assets carry value. The longer they sit, the less they are worth. The sooner you dispose, the greater the value you extract.
Some tips
Here are a few tips I’ve picked up for making sure neither you, nor your company, fall victim to any of this:
- Understand your exposure:
  - Where is your current hardware ending up?
  - Do you have proper record keeping?
  - How is your organisation being remunerated?
  - Who is managing it?
  - Has your vendors' due diligence been checked?
  - How certain are you that data risk on storage devices is being managed?
- Implement immediate and accurate recording of disposals: Ensure every asset and storage device is recorded on decommissioning and disposal. One of the first ways for someone to cover their tracks is to allow unrecorded asset disposals. The lack of a proper trail makes it harder to uncover.
- Begin implementing proper asset disposal processes. Do not leave this unmanaged to a single person.
- Begin the process as part of IT hardware decommissioning or refresh. While the equipment sits internally it incurs the expense of human resources, storage space and insurance. It also devalues rapidly and increases risk.
- Mitigate and outsource part of the risk. Organisations usually do not have the secure storage, logistics and resources to focus on redundant assets. Consider outsourcing services to ITAD service specialists – the reason they exist is that this can only be viably managed with economies of scale. Third-party disposal vendors have entire businesses and warehouses designed to manage and take over this risk, and extract value.
- Use reputable vendors. Conduct proper due diligence on your disposal or e-waste vendor. Most importantly, do a site visit and scrutinise their processes.
Tarsus Dispose-IT is a specialist IT Asset Disposal company in partnership with Go Rentals that assists local and multinational clients to be compliant with the associated risks.
Head over to the Dispose-IT website if you’d like to find out more about the company, or contact us about your own IT asset disposal concerns.
Evan Berger is the CEO of Tarsus Dispose-IT