By Oscar Michel, Masters in Journalism, DCU
AMI published a survey of 135 senior IT professionals on July 20th, finding that 32% of companies that use third-party IT retirement companies don’t get formal confirmation that their data has been completely erased. This lack of judgment could expose them to huge fines under the impending General Data Protection Regulation (GDPR) legislation.
AMI helps organisations manage the secure retirement of their end-of-life IT, mobile and electrical equipment.
25% of companies leave end-of-life IT assets on premises for more than one year, and 47% claim to manage the specialist data-destruction process themselves, by wiping the data or by physically destroying it.
Despite these practices, the majority of organisations accept that the consequences of data theft from a retired device would be very grave, with 77% of those surveyed stating that it would have a serious effect on their company. Of those companies, 8% believe that their company would be forced to cease trading as a result.
The survey also found that 52% send their end-of-life IT to third-party specialists. 43% donate it to charities or schools, as 70% of companies say they don’t recover any value when retiring old assets.
Under the GDPR, a fine of up to 4% of global turnover or €20 million may be imposed on any company in the event of a data breach.
This will require companies to closely review supplier processes and policies to safeguard their interests. However, according to the survey results, 39% of those who work with a third-party IT retirement provider never audit the provider’s security processes.
Philip McMichael, managing director of AMI, said: “It is extremely clear from the results of this survey that Irish organisations are leaving themselves vulnerable at the end-of-life stage by failing to securely manage the retirement of their old IT assets. Companies need to establish processes for disposing of this equipment and dramatically reduce the amount of time that it spends in storage, as this increases the risk of data going missing. It also devalues the equipment, so it’s in companies’ own interest to manage this process effectively.
It’s interesting to see that so many companies claim to manage and carry out data destruction themselves as this is a specialist security process that requires advanced tools to ensure that data-bearing equipment is erased to the most stringent global standards. Unless companies have trained specialists in place using the correct software and carrying out data erasures, they should reassess their ability to carry out this process themselves and align themselves with a specialist IT retirement provider.
Those that do work with IT retirement companies need to ensure that they receive formal confirmation that their data has been destroyed, as organisations that are happy to hand over data-bearing devices without a certification process in place are putting themselves at real risk of a data breach.
Companies that work with an IT retirement specialist can benefit from the creation of a new revenue stream that can be used for a variety of purposes, such as upgrading IT equipment or even charitable donation. However, the primary focus for Irish organisations now has to be plugging the security gap stemming from current and past failings to securely tackle IT retirement.”