Study Suggests Possible Risks When Upgrading IT Equipment

By Mark Borkowski

Only two out of 10 Canadian organizations hire a specialized company to dispose of their used IT hardware, despite saying that data security is their primary concern, according to a new survey commissioned by IT Assets Disposition (ITAD) firm TechReset.

The study was conducted by polling firm Leger to better understand the choices being made when it comes to end-of-life equipment. Respondents were IT professionals from 301 Canadian companies employing 100 or more people and earning at least $10 million in revenue in 2017.

“The results suggest that companies and government organizations may be risking more than they realize when they upgrade IT equipment,” said Jack McSorley, CEO of TechReset.

In addition to showing that few companies hire an ITAD firm, the survey also found that almost four in 10 (38 per cent) sell their used equipment, and almost as many companies (37 per cent) give old equipment to employees. When that happens, data security isn’t always guaranteed.

Take the Guelph, Ontario for example, which parted ways with its deputy chief administration officer after a poorly sanitized device was given to a former employee this past January. It was only a flash drive, but it contained private and confidential information regarding employees, including at least 30 performance reviews of staff.

McSorley said it’s time for organizations to flip their game plan upside down and start at the end. Too many companies limit their thinking about cybersecurity to processes and practices designed to protect networks, computers, programs and data from attack. Even the federal government’s web page about October being cyber security month leaves out tips about IT assets disposition, focusing on day-to-day safety instead.

The incident in Guelph is not unusual. Credit card information, company and personal data, passwords, and tax details were found in computers being sold online that were examined by the U.S.-based National Association for Information Destruction (NAID). In a study released January 2017, NAID said 40% of hard drives examined contained personal identifying information retrieved with basic software downloaded from the Internet.

The equipment inspected by NAID reflects the millions of hard drives and storage devices that are recycled and resold by businesses annually. When specialized companies are left out the ITAD process, it takes only one poorly sanitized device to endanger trade secrets and identify thousands of clients. Given the growing use of social media by the public to name-and-shame companies that fail them, one mistake can lead to serious reputation damage and legal challenges.

And the stakes are getting higher. The Canadian government is set to pass legislation related to the mandatory reporting of privacy breaches. It posted the proposed regulations on Sept. 1 and invited the public to comment until Oct. 2. It’s now reviewing those comments before introducing the new rules. To put the government’s desire to quickly formalize rules related to data breaches in perspective, consider that the average breach in Canada cost $5.78 million in 2017. That’s according to the Ponemon Institute, which conducts independent research on privacy, data protection and information security.

Sasha Khan, EVP of IT solutions provider Jolera Inc., said companies should attempt to generate value on used equipment to help offset the cost of upgrading computers and other hardware, until recycling becomes the only option.

“Shredding hard drives, if done properly, can ensure data destruction but may not be necessary in all cases, as it has a negative environmental impact and doesn’t yield financial benefits,” he added. “Alternatively, data cleanse of hard drives meets data destruction requirements and provides a current financial benefit.”

Tax rebates are another consideration, as they can be had by donating equipment to an accredited charity. Again, that can be done safely only when a specialized company is employed to sanitize hard drives.

McSorley says decision makers should view ITAD two ways — it’s an integral part of safety and therefore the cost of doing business, and it’s an opportunity.

He cites the University of Ontario Institute of Technology (UOIT) as an example.

That school provides every student with a laptop that is upgraded every two years. In 2009, McSorley’s company, TechReset, created an ITAD policy and solution for the school to sanitize laptops. The result?

“We used industry best practices to repurpose their old computer equipment safely and securely, which provided a new revenue stream for the university,” McSorley said. “To date, UOIT has generated more than $5 million from it.”

The best way to think of ITAD as an essential service is to consider that we’re not only responsible for the digital devices we use, we’re also accountable for the information stored in them. When it’s time to upgrade our computers, tablets and phones, we have to decide what to do with their data. That’s reason enough to start cybersecurity planning with the end in mind.

Mark Borkowski is president of Mercantile Mergers & Acquisitions Corp. Mercantile is a mid-market M&A brokerage firm in Toronto: