This third annual benchmarking report provides information and research on security, environmental, and financial issues related to IT Asset Disposition (ITAD) and the more general IT Asset Management (ITAM) discipline.
This report was built from data Cascade compiled through (1) a December 2016 customer survey, (2) an evaluation of more than 200,000 assets processed by Cascade in the past twelve months, and (3) a review of related industry research.
This year’s report focuses on how organizations can further develop their ITAM and ITAD programs to better mitigate risk, lower overall program costs, and optimize the use of IT assets.
As a benchmarking tool, we encourage you to use the information to help understand how your ITAM/ITAD program compares to others and how you can further improve your systems to better attain your desired outcomes.
|IT Asset Management Programs|
Effective IT asset disposition begins with a coordinated IT Asset Management process. Successful ITAM strategies help organizations generate value from their IT assets and reduce risk. The IT Asset Manager is responsible for managing the disposition vendor, ensuring personally identifiable information is destroyed, and reporting asset status for financial accounting.
Cascade has found that the most effective ITAM programs involve stakeholders from IT, risk management, facilities, environmental health & safety, finance and procurement. Because the CIO and other executives of an organization can be personally liable for the improper disposition of IT assets and loss of data during disposal, it is a good idea to include them in the ITAM program, too.
Most of our survey respondents indicate they’ve operated a coordinated ITAM program for more than two years.
While there are many issues to consider when setting up and managing an asset disposition program, we’ve found that people responding to our surveys consistently rank these five criteria in the same order year after year. “Security” is always the number one consideration for people setting up and managing ITAD programs.
This most recent survey did see an increased interest in “freeing up space” and “maximizing resale value.” As the ITAM programs at organizations mature, we believe that they can focus more on the value added components of IT asset disposition and not just worry about setting up programs that mitigate risk.
In our survey, respondents indicate a slight uptick in projected investments in IT in 2017, when compared to 2016. We still shouldn’t expect the growth from a few years ago, when organizations were catching up on deferred purchases from the recession. For the past several years, more and more respondents indicate they are maintaining a steady investment in IT, which is an indication that they are likely maintaining more regular refresh programs that allow for more consistent investments in IT.
During this year’s survey, respondents indicate a more aggressive refresh rate for both desktops and laptops. In general, equipment is expected to be replaced quicker, possibly due to the need to keep up with business demands.
The laptop refresh rate plan shows a wider distribution of equipment expected to be retired from use. We are also seeing significantly more three year old laptops entering the retirement process. Laptops are refreshed more rapidly than desktops.
While it seems like smartphones are everywhere, not every worker has a business phone in their hands. Our survey shows a continued increase in the adoption of smartphones in the workplace, but less than half of workers are expected to use one for work (this is especially the case in manufacturing and healthcare industries).
Many industries are regulated by some type of Privacy Protection Rule such as HIPAA or FACTA. Firms are also audited to voluntary standards which require that the organization have a robust security policy and an effective program in place to destroy data on retired devices.
To be effective, security policies should address specific elements, such as employee training, vendor management, and data sanitization standards. A policy is an important tool for setting consistent standards throughout the organization. When enforced, the policy helps prevent data breaches and demonstrates the organization took reasonable precautions to prevent a loss of data.
We asked respondents what is included in their security policy related to ITAD. The checklist to the right lists their responses.
Every item on the checklist should be included in a company’s data security policy and program. Most importantly, employees are expected to be informed and trained on the policy. Keeping a signed acknowledgment of the policy on file is the best way to demonstrate to auditors that you took reasonable efforts to train staff, which will prevent compliance fines and should also mitigate potential data breaches.
Most security regulations require security policies be “reviewed and updated as needed,” which typically means they should be checked annually. Be sure to conduct a threat assessment against your current asset base to ensure data protection and destruction programs are current and effective.
In 2016, the US Health and Human Services Office for Civil Rights audited healthcare providers and looked for evidence of a policy.
Organizations report that they may use one or more ways to control and destroy data on their hard drives before these devices leave their premises. Over 76% of survey respondents report they perform some type of data sanitization/destruction process on their hard drives before handing them over to their ITAD provider for final destruction (this is up from 44% in 2015). Still, many continue to use less effective destruction processes like drive formatting.
Cascade recommends all organizations adopt appropriate methods of media destruction based on the NIST 800-88 Guidelines for Media Sanitization and consistent with their tolerance for risk. This may include performing some sanitization/destruction of media at your facility, setting up a secure chain of custody of the media to the final processor, and assuring that all data are properly destroyed and accounted for by the processor.
Special Media Sanitization
Different technologies are required to destroy data on Solid State Devices (SSD) and flash media in many tablets and smart phones. Our survey indicates many firms are still looking for processes to sanitize these media and responses are virtually identical to last year’s survey, though this is the first year a majority of respondents have sanitization programs in place.
Illegal disposal now attracting regulators.
Over the past two years, the Basel Action Network (BAN is an nonprofit environmental watchdog organization) placed electronic GPS tracking devices (see top photo) into 205 old printers and computer monitors and watched where they traveled across the globe. These electronic devices made their way through 168 different recycling centers across the U.S.
Over 45% of these companies were part of a recycling chain involved in shipping the tracked electronics off shore where BAN was able to see some of them firsthand (see second photo) in illegal scrap yards in Hong Kong and other developing countries.
MIT put together an animated website showing the overall movement of the tracked devices. It’s likely these GPS trackers will continue to be used in the industry to hold recyclers accountable.
BAN also secretly placed a tracker in an LCD monitor dropped off at Cascade for processing. While the average device dropped off in this project traveled over 2,000km to its final destination, since Cascade demanufactured the LCD on site and recycled the tracking device remnants with steel, it only traveled 2 km to its final destination - the shortest trip of any device! We process locally and responsibly!
Low recycling values create challenges
2016 was a tumultuous year in the ITAD and e-scrap industry. A number of firms went out of business. Global Environmental Services left behind warehouses of CRT glass in Kentucky and Texas when it filed bankruptcy earlier last year. Diversified Recycling in Florida filed for Chapter 7 bankruptcy after the e-Stewards program suspended their certification once it was discovered the company sold non-working electronics to overseas buyers and improperly processed leaded CRT glass. At the end of the year, 5R Processors, with facilities in Wisconsin, Tennessee and Georgia also left behind warehouses full of unprocessed electronics and they are under investigation by the EPA.
Also, a Midwest electronics recycling executive was arrested in December and faces up to 20 years in prison for allegedly lying to clients to generate large sums of money and using company funds for gambling and other personal expenses.
Enterprises are starting to be held accountable if they send electronics to recyclers not capable of processing these devices sustainably. There are several cases in California when firms like AT&T and Comcast have been fined millions of dollars for illegally disposing of e-scrap.
Cascade data analysis - 2016 ITAD costs
One of the biggest complaints with IT Asset Disposition programs is the cost. So how much does it cost to outsource ITAD services to a professional ITAD firm? For Cascade, the cost is dependent on what value added services you select and whether these costs can be offset by revenues generated from the resale of equipment.
While your disposal policy should dictate your security and environmental processing requirements, there are steps every organization can take to reduce disposition costs or turn this process into a revenue generator.
Companies that maintain a regular 3-4 year refresh program, allow for the resale of reusable equipment, and maintain their equipment while in use, will generally see most (if not all) of their disposition costs covered by revenue offsets.
Partnering to increase value
Cascade actively collaborates with our customers to improve resale recovery values and decrease their overall costs. Cascade and our customers work together to quickly get these unproductive assets refurbished and sold before they lose any more value. Items are handled in a way to preserve their resale price and reduce damage. Cascade technicians repair and rebuild items to resellable condition when feasible. Passwords and iCloud access privileges are identified and cleared to allow for resale. These activities, and an aggressive and robust resale program, have allowed Cascade to reduce the overall net costs for our Safe & Sound ITAD services year after year.