Enterprise organizations own and cycle through an incredible number of devices – passing smartphones and laptops off from one employee to the next until, eventually, the piece of technology becomes obsolete or needs to be replaced. Any organization with an eye on the bottom line will do all it can to extend the lifecycle of these devices for as long as possible, getting all the productivity it can out of them before they become too slow, clunky and unable to perform the modern tasks required for the job.
But consider the amount of data housed on a typical enterprise device over the course of its “career” (emails, sensitive documents, personal information and more), most of the time for several different employees at different points in time. It becomes important to make sure these devices are “cleaned” between each user. So, what does the process of a device being erased, repurposed, reassigned and recycled really look like? And what critical missteps should IT teams avoid to ensure all that data doesn't wind up in the wrong hands?
IT assets such as PCs and laptops typically have a lifecycle of three years, while mobile devices will last for approximately 22 months within an enterprise. Devices that are always on the go (laptops and smartphones) take far more of a beating than a desktop computer sitting comfortably in a cubicle and are subject to unforeseen accidents and damage that can occasionally require immediate replacement.
The number of employees that “own” each device really depends on the organization. Longtime staffers can use the same phone or laptop for years and could end up being the device's sole user until the technology ultimately needs to be replaced; however, the reality of today's business world is that employees are frequently coming and going. According to a 2016 LinkedIn report, “job-hopping” has nearly doubled over the last couple of decades, with Millennials leading the charge. This trend will likely continue to increase as the younger generations continue to infiltrate the workforce. Rising employee turnover rates mean that each device within an enterprise will have more and more owners as time goes on, creating an astronomical amount of potentially sensitive data that will need to be properly erased on multiple occasions.
Erasing this data is a major undertaking within any enterprise. In my experience, IT teams are typically focused on protecting the corporate data living on enterprise-owned devices once employees are done with them, while security and compliance teams are responsible for putting the proper controls in place that ensure the company is compliant with industry regulations. Meanwhile, more operations-minded IT Directors are focused on maximizing security, compliance and productivity throughout the organization. Security and productivity are both crucial, and many different departments need to work together to form efficient policies that accomplish both.
When a computer or smartphone is ready to be handed off to a new employee, IT will most likely run diagnostic tests to ensure it is working properly and is still able to perform up to the required standards of the job. At this point, every device also needs to be put through the proper data sanitization measures before being passed along to the next staff member. This step will ensure information doesn't wind up in the hands of someone who shouldn't have access to it. According to the International Data Sanitization Consortium, “data sanitization is the process of deliberately, permanently and irreversibly removing or destroying the data stored on a memory device to make it unrecoverable. A device that has been sanitized has no usable residual data, and even with the assistance of advanced forensic tools, the data will not ever be recovered.” This could be through physically destroying the device (which would not work when looking to repurpose it, for obvious reasons), encryption or a certified overwrite of the data, known as data erasure.
Once the device has inevitably reached the end of its lifecycle within the organization, the riskiest thing you can do is to just throw it in a dumpster. Instead, a third-party logistics company, or an ITAD (IT Asset Disposition), should be contacted. The ITAD will collect the IT assets, carry out physical and software diagnostic testing and make sure that the data is sanitized through a certifiable process (ideally using both software-based erasure and physical destruction) before they are allowed a second life or are sent for recycling. The device will also be inventoried at the enterprise, creating a chain of custody that is followed from the time it leaves the organization to when it is inventoried again at the IT warehouse, all the way to the point where it is certifiably erased. This ensures that there is absolutely no data leakage throughout the process.
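The chain of custody described above can be checked mechanically by reconciling the three inventory points against each other. The following is an added example, not part of the original article: the record layout, field meanings and serial numbers are constructed assumptions, not any ITAD vendor's format.

```python
from datetime import datetime

# Constructed sample records; layout and serials are assumptions for illustration.
ENTERPRISE_OUT = {  # serial -> time the asset was inventoried leaving the organization
    "SN-1001": "2024-03-01T09:00", "SN-1002": "2024-03-01T09:05",
    "SN-1003": "2024-03-01T09:10", "SN-1004": "2024-03-01T09:15",
}
ITAD_INTAKE = {     # serial -> time the asset was inventoried again at the IT warehouse
    "SN-1001": "2024-03-02T14:00", "SN-1002": "2024-03-02T14:02",
    "SN-1004": "2024-03-02T14:07", "SN-9999": "2024-03-02T14:09",
}
ERASURE_CERTS = {   # serial -> (erasure completion time, verification passed)
    "SN-1001": ("2024-03-03T10:00", True),
    "SN-1004": ("2024-03-02T08:00", True),   # dated before warehouse intake
    "SN-9999": ("2024-03-03T10:30", True),
}

def _ts(value):
    return datetime.fromisoformat(value)

def audit_chain(out, intake, certs):
    """Return {serial: [issues]} for every asset whose custody chain is broken."""
    findings = {}
    for serial in sorted(set(out) | set(intake) | set(certs)):
        issues = []
        if serial not in out:
            issues.append("not in enterprise outbound inventory")
        if serial not in intake:
            issues.append("never inventoried at ITAD warehouse")
        if serial not in certs:
            issues.append("no erasure certificate")
        else:
            erased_at, verified = certs[serial]
            if not verified:
                issues.append("erasure verification failed")
            if serial in intake and _ts(erased_at) < _ts(intake[serial]):
                issues.append("erasure dated before warehouse intake")
        if serial in out and serial in intake and _ts(intake[serial]) < _ts(out[serial]):
            issues.append("warehouse intake dated before departure")
        if issues:
            findings[serial] = issues
    return findings

if __name__ == "__main__":
    for serial, issues in audit_chain(ENTERPRISE_OUT, ITAD_INTAKE, ERASURE_CERTS).items():
        print(serial, "->", "; ".join(issues))
```

An empty result means every asset that left the organization arrived at the warehouse and has a verified erasure record dated after intake; any other result names the serials to chase before the batch is released for resale or recycling.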
Oftentimes, these enterprise devices will ultimately wind up on the consumer market, which is a win-win. It's healthy for the technology industry, good for end-users and good for the environment. The last thing we want is for landfills to be filled with endless amounts of old computers and smartphones, so the more they can be properly and securely recycled through these processes, the better off we'll all be.