E-waste is a growing problem, but the need to keep data secure prevents many businesses from recycling their tech. Is there a way to do better?
In 2019, 53.6 million tonnes of e-waste were generated worldwide. And the problem is getting worse. E-waste, a term that includes discarded electronic and electrical devices of all kinds, has increased by 21 per cent over the past five years. Much of this is consumer waste, of course, but plenty comes from businesses that are under growing pressure to adopt more sustainable practices.
Security versus sustainability
Speaking at a teiss virtual roundtable, Phil Vaughan, Blancco’s Director of Sales UK, told an audience of IT leaders from the financial services sector that many businesses are concerned about recycling devices, whether staff laptops or servers, because of the risk of a data breach. If the data has not been properly removed from those devices, then sensitive data could end up in the hands of the new owners.
Therefore they typically destroy the devices completely, often in a specialist shredder, rather than risk any data falling into the wrong hands. “We want to minimise customer harm,” said one attendee, noting that the need to increase sustainability sometimes conflicts with demands for security and resilience.
Often, however, an overabundance of concern for security is not the reason that devices are destroyed. For a lot of businesses, it’s just quicker and cheaper to destroy equipment than it is to ensure that devices are properly wiped and put back into use within the organisation or somewhere else. “The amount of time it takes to wipe a device is a challenge, especially if you are under pressure to redeploy devices quickly,” said one attendee.
Relying on third parties
Not every organisation represented at the briefing destroys devices, though. Some outsource the process to third parties, who either destroy the devices for them or wipe and recycle them. The recycled devices are either sold or donated to charity, depending on the third party in question.
Other attendees said they were able to reduce the number of devices they needed to dispose of by using more cloud services. Using cloud storage and virtual machines means it’s possible to work on computers without storing any data on them. “Most users can’t save to their hard drive at all,” one delegate said.
Both of these solutions simply pass the problem elsewhere, however. Any kind of third party, whether a cloud provider or a company that handles data destruction, must be vetted and managed. Due diligence has to ensure that these companies have appropriate processes in place for destruction of data. Some suppliers have their own certification, one attendee said, so if the certification process is thorough then it’s possible to rely on that to ensure the company is following good practice.
When it comes to vetting a cloud supplier, one attendee said that he would want to see the data centre. He said he would always ask what happens when a disk fails. He would want to know that the disk would be removed promptly and destroyed on site with certification linked to the asset in question.
The threat of fines
Corporate social responsibility (CSR) reports are increasingly likely to make reference to equipment disposal, attendees agreed, though most said that their company did not yet make it a focus. Reducing air travel or cutting plastic in the workplace are still more likely to be a CSR focus than recycling devices. As this begins to change, it is possible that the balance between sustainability and security will change slightly.
It would have to change a lot to offset the potential downsides of a data breach, however. Although the financial services sector is highly regulated, attendees said that it isn’t regulation specific to their sector that drives the focus on data security. They are under scrutiny from the FCA and must satisfy regulations such as Dodd-Frank and MiFID 2, but all agreed that GDPR is a far bigger concern, both in terms of reputational damage and the potential fines that could result from a breach. Companies want to do everything possible to minimise that risk.
Nevertheless, there is still scope for businesses to take greater control of data removal by doing it in-house, which would allow them to extend the life of their equipment or to meet CSR objectives in other ways by donating equipment to charity. As it stands, though, it seems that IT leaders would need to be convinced that this could truly be managed in a light-touch way and would not be a drain on their resources.
One thing is for sure: the challenge of e-waste is growing, and businesses will increasingly be expected to demonstrate that they are doing their part to minimise it.
Visit blancco.com to discover a cost-effective, secure and eco-friendly alternative to the physical destruction of assets.