It’s no secret that data is one of, if not the most valuable asset to a company. The data collected has a variety of business uses that range from understanding customers to improving operational efficiency. Data collection is a double-edged sword. On one side, companies need this data to support growth and profitability. On the other side, this data in the wrong hands could be used to steal company or consumer secrets. As the custodians of that data, companies have a responsibility to protect their brand and to protect the personal data of their customers. Data protection regulations and guidelines have been created so that companies have a framework of security practices to follow. The biggest problem with cybersecurity is choosing what practices and tools to use. There could be no end to the expenses with an unlimited IT budget. Not everyone is working with an unlimited budget, so it’s important to choose the tools that provide the highest level of security at the most reasonable cost.
Organizations that need to meet specific data protection requirements and want to be sure that no data leaves the building would do best to implement a data sanitization strategy for their data storage devices. Data sanitization builds on the basic concept of data destruction. The problem with data destruction is that it cannot be trusted to remove 100% of the data stored on a device. Data sanitization is the process of completely removing all of the data across all sectors of a drive, verifying that all data was successfully removed, and producing a tamper-proof report. The three methods to achieve data sanitization are certified data erasure, cryptographic erasure, and physical destruction.
There are a few factors to consider when choosing which sanitization method is used for a particular media type. The major drivers for which methods to use are the confidentiality of the data stored on a device, regulatory requirements, condition of the device, and cost of the device. Many organizations use a combination of the three sanitization methods to achieve their security and sustainability goals. Considering that all IT assets have an upfront sunk cost, savvy companies use tools that allow them to reuse or sell their devices without the fear of them containing data. This way, they can recover value from depreciating IT assets and reduce their total cost of ownership (TCO).
Certified data erasure is a software-based process of removing data that can detect bad drives and bad sectors on a drive. The benefit of this is that IT departments are able to quickly identify which drives are in good health and which should be physically destroyed, while creating all the reporting needed through the data erasure software. What was previously a significant and costly liability is now an opportunity to recover hidden value.
As mentioned above, each sanitization method has benefits and drawbacks. Read our eBook on Data Sanitization Best Practices to learn more.
The amount of data the world generates daily is growing exponentially. As our society continues along this timeline of data creation, storage, and protection, it is important that organizations are armed with the tools to protect themselves, especially considering that the average cost of a data breach is $3.5 million. An effective data sanitization strategy will greatly reduce or eliminate the risk of a data breach and create an outlet for businesses to recover value on depreciating IT assets. Destroying data and devices can be very costly, but with the right approach it doesn’t have to be.
The key to finding the balance between security and value recovery is to look at the process through the lens of “total return”. The key security values an organization should consider are:
• Reliability: For any data security solution, you need to be able to trust it to perform its task. There’s no point in purchasing a tool to sanitize drives if it cannot guarantee that all data was effectively removed, or if it eliminates the opportunity for devices to be reused.
• Speed: This value is all about your time investment: Is your process labor intensive?
• Process: The journey is as important as the destination. How are you reaching your security and sustainability goals?
While each of these factors is important, another stands out as especially so: yield.
According to Six Sigma, yield is the percentage of a process that is free from defects. This concept can be applied to data sanitization in determining whether or not a chosen data removal method was completely successful. Not all data removal processes eliminate all of the data on a drive. Consider the trend in data storage density and the increasingly smaller drives, and it becomes clear that the physical destruction methods of yesterday may not work well with tomorrow’s data storage devices.
A single ineffectively sanitized drive could have major consequences for an organization if the data stored on that device was recovered by a bad actor. Utilizing a process-based approach that is able to assure complete data removal creates the opportunity for devices to be reused or resold without the risk of a data breach. If your organization relies on an ineffective or insecure process for data removal, the chance of a data breach will remain present.
Certified data erasure is the answer when considering the best methods to assure that a device is secure to leave the building without needing to physically remove and destroy a drive. Although physical destruction has its place in a data sanitization process, devices will lose most or all of their value and the data cannot be accurately verified as sanitized. Certified data erasure has a built-in verification step to confirm the removal across all sectors of a drive and can be further validated with a secondary data erasure validation software tool.
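The verification step and report described above can be sketched as follows. This is an added example, not code from any erasure product: it checks every sector of each erased image, computes the batch yield, and seals the report with an HMAC so later edits are detectable. The 512-byte sector size, zero-fill pattern, in-memory images, serial numbers, and HMAC scheme are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

SECTOR = 512  # assumed sector size in bytes

def verify_image(image: bytes, pattern: int = 0x00) -> dict:
    """Compare every sector (including a short trailing one) to the overwrite pattern."""
    expected = bytes([pattern]) * SECTOR
    residual = []
    for index, offset in enumerate(range(0, len(image), SECTOR)):
        chunk = image[offset:offset + SECTOR]
        if chunk != expected[:len(chunk)]:
            residual.append(index)  # sector still holds non-pattern bytes
    total = (len(image) + SECTOR - 1) // SECTOR
    return {"sectors": total, "residual_sectors": residual, "clean": not residual}

def _canonical(body: dict) -> bytes:
    # Stable serialization so the same report always yields the same MAC.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def erasure_report(drives: dict, key: bytes) -> dict:
    """Verify each drive, compute yield (share of defect-free drives), seal the result."""
    results = {serial: verify_image(img) for serial, img in sorted(drives.items())}
    clean = sum(1 for r in results.values() if r["clean"])
    body = {"drives": results, "yield_pct": round(100 * clean / len(results), 2)}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac_sha256": tag}

def report_is_intact(report: dict, key: bytes) -> bool:
    """Recompute the MAC over the body; any edit after sealing makes this False."""
    expected = hmac.new(key, _canonical(report["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, report["hmac_sha256"])

# Constructed sample batch: SN-B still carries leftover bytes in sector 2.
SAMPLE_DRIVES = {
    "SN-A": bytes(4 * SECTOR),
    "SN-B": bytes(2 * SECTOR) + b"leftover customer record".ljust(SECTOR, b"\x00") + bytes(SECTOR),
    "SN-C": bytes(4 * SECTOR),
}
DEMO_KEY = b"demo-key-not-for-production"  # assumed key; keep real keys off the erasure host

if __name__ == "__main__":
    report = erasure_report(SAMPLE_DRIVES, DEMO_KEY)
    print(json.dumps(report, indent=2))
    print("intact:", report_is_intact(report, DEMO_KEY))
```

An HMAC makes the report tamper-evident only to parties holding the key; a report meant for outside auditors would need a digital signature instead.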
Best Practices
If the above is what not to do, then what steps should you be taking to maximize your yield rate?
• Be Informed: Ask your team or vendor what your recorded yield rates are. Locate your weak points and determine what impact they’re having on your total return.
• Negotiate SLAs (service-level agreements): Set performance standards and ensure that you’re reaching them.
• Test First: Testing your data removal methods will ensure that you don’t experience any compatibility issues when you’re most in need of data destruction.
This covers the importance of yield, but it does not fully explain the most profitable aspect of ITAD: remarketing.
Remarketing, or reselling your decommissioned hardware, is the most impactful factor when looking to increase your total return. While remarketing is an excellent way to make extra money off unwanted resources, there is an implicit concern: How can you maximize your profits on the reselling market? Let’s examine how remarketing works and what you can do to make it work for you.
The market for used IT equipment is substantial: currently worth over $1 billion. With money like that, it’s no surprise that there are multiple ways to use the system and still make a profit. The most profitable paradigms are the Bid/Buyout and Profit Share/Consignment models, respectively. In short, the Bid/Buyout model yields less revenue but requires less of a time investment, while the Profit Share/Consignment model takes more energy, but offers substantially higher profits.
While each model works for different businesses, there is certainly a preferable model, just as there are recommended ways to go about remarketing.
Mastering the Resale
• Utilize the Profit Share/Consignment model. Because of the time investment that it requires, few businesses choose to take on this responsibility and thus leave profits for you to reap.
• Use only one vendor for exclusive products. Employing two vendors creates a “race to the bottom” and can have a negative impact on the market for service-seekers. Don’t give one vendor all-product exclusivity, but sell different categories of products to different vendors to avoid vendor-vendor competition.
• Question your vendor(s) about their marketing strategies and ensure that they’re effectively selling your products.
• Verify that you’re being paid for internal components of products. Just because your server has no market value doesn’t mean that your memory or power supplies don’t.
Where remarketing is one of the most valuable tools to improve your profits during decommissioning, RMA can be one of the easiest ways to ruin your total return.
While reselling is the norm for mass decommissioning, it’s far from the only means of ITAD. RMA, or return merchandise authorization, comes into play when returning failed hard drives in order to receive repairs or a refund. While often overlooked, RMA presents significant dangers to your data security and total return value. After all, what happens if you return a hard drive with data on it? Will your vendor provide a certificate of destruction, or do you have to trust them not to steal your sensitive information?
RMA And Total Return
• Security. As discussed in the “Yield” section, shredding drives is a danger to data security and thus harms your total return. Whether you do it or your vendor performs the task after sending you a new drive, there’s no guarantee that your data was actually destroyed.
• Finances. The warranty value of RMA drives can range from $200 to $2,500 per unit, which presents significant value. Say you have 1 million hard drives for your data center, and let’s assume a 3 percent failure rate. Your RMA warranty values will range from $6 million to $75 million, with another $210,000 tacked on for the cost of shredding each drive.
• Environmental. It’s generally accepted that reusing, rather than recycling, old equipment is the best way to reach sustainability goals. See how your environmental/health and safety teams feel about sending drives to be shredded, more than ¾ of which could be reused.
If these are the considerations to be made when planning RMA, then what should your actions look like?
Maximizing Total Return With RMA
• Review your RMA process to ensure security. Make sure that every step is well-documented and identify any security weaknesses.
• Sanitize RMA drives before returning them. This is the only data destruction method that is entirely auditable and guarantees that your data cannot be stolen and resources aren’t wasted with shredding.
These will help maximize your total return values, but the end destination isn’t all that matters. Oftentimes, it’s also about how you get there.
In the world of IT, productivity is the name of the game. Why would you waste resources protecting your data if there are ways to ensure the same protections for half the price? Let’s take a look at how you can get the most out of productivity and improve your total return during ITAD.
The productivity of your data destruction during decommissioning is determined by how effective the erasure is combined with how long the erasure takes. If the data isn’t erased then you have to shred drives, which lowers yield and thus total return. On the other hand, taking too long to destroy data can waste resources on your end. For these reasons, you should make the following considerations when finding ways to improve your productivity:
• By lowering program expenses, you can free space in your budget.
• If you reduce the time it takes to destroy data, you have more IT resources while reducing floor space that old hardware occupies. You will also be able to sell your equipment faster, which improves productivity.
• If you increase yield, you can increase revenue while improving IT sustainability.
• By accomplishing all these goals, you will improve security and thus limit your risk of suffering a costly data breach.
To end this total revenue master post, simply ask yourself one question: What could your organization do with the resources and manpower that you’ll save by maximizing your total return during ITAD?
References
Gardner, Bill. “Cost of a Data Breach: Global Analysis.” Building an Information Security Awareness Program (2014): 15-24. Web.