Last week Arrow Electronics Inc. announced that it would be shutting the doors on its IT asset disposition service business leaving the industry dumbfounded and thousands of customers concerned with how to proceed with their day to day disposal requirements.   

Although Arrow has claimed the USA operations will remain active until end of the year, we have received several reports from Arrow’s customers that they will no longer receive disposed of assets shortly after this month. 

If you are a current customer of Arrow or otherwise depend on a single service provider for your global asset disposition services there are some lessons to take away from this as you look to source your next provider. 

The Largest vendors don’t necessarily offer more stability or security. 

Many businesses signed on with Arrow because they liked the security of working with a fellow Fortune 500 company.  Arrow actively sold these businesses a narrative that they were a more stable option than the smaller boutique providers since they had the capital and infrastructure necessary of supporting the largest customers.  Ironically in the end Arrow’s decision to end the ITAD service line is at least partly because they are such a large public company and had the need to cut out expenses from a small business unit to avoid having to repeatedly publish poor earnings reports. 

I do not agree with Arrow’s claim that they are leaving the ITAD space because it is not a sustainable business model.  There are plenty of healthy and capable ITAD providers that offer this service has their exclusive business model.  For instance, my firm IT Asset Management Group has been operating in the space for almost 20 years and we forecast continued year over year growth. 

It is important to at least consider setting up a multi-vendor option for disposition and data destruction services.

As an IT asset disposition provider I’m happy to hear our customers want us as a single provider for their disposal and data destruction needs.  However, I suggest to all of the largest customers, especially those with a significant global foot print, to consider having multiple vendors to properly cover their needs. 

Arrow is dropping out with very little notice and many customers are concerned about establishing new vendors under deadlines that large organizations worry they will struggle to meet.  By vetting and properly contracting multiple vendors to cover your disposition and disposal needs you will protect your company from your vendor leaving the market or otherwise under performing to a degree that would require a switch in providers. 

Over the years we have worked with many customers that have a huge footprint in the USA and want us to cover their much smaller footprint globally.  The most successful of these customers have leveraged our company to receive lower cost services and more competitive asset recovery value returns on their larger sites in the USA and relied on a network of regional partners to cover their smaller global offices.  For many of our clients we do also manage the international disposal network via our own substantial team of capable partners.   

The customers that have been able to remain more flexible with their approach, not only financially perform better, but are also better setup with redundancies and have avoided the stress that so many others are feeling from Arrow’s sudden announcement to quit ITAD. 

Has Arrow's closure of their IT disposal services business left you concerned with how to manage secure disposition of retired assets and media?

Our senior leadership team is offering free consultations and review of your disposition programs.

Let's have a discussion and put your mind at ease:

When we fail in life, especially at our security, we tend to overreact and make quick and sweeping changes.  If you leave your door open and your home is burglarized, moving out of your neighborhood or installing a state of the art security system may be an irrational response compared to locking your doors from now on. When implementing changes, it is important to address the specific cause of the failure and not let fear of reoccurrence cloud the way you make improvements.         

When organizations uncover regulatory data protection non-compliance or suffer the consequences of an outright data breach, many times they struggle to implement corrective actions that address the root cause of the issue or otherwise implement new policies that can adversely affect the business and fail to focus on addressing the deficiency head on.   Security, IT, and compliance stakeholders need to stay focused on resolving the cause of an issue and not be distracted by fear or be rushed into implementing hastily designed corrective actions.  

To illustrate this point I will provide a common scenario I have witnessed from clients that I provide data disposition and regulatory compliance consulting as well as IT asset disposition and data destruction services to.       

Scenario:

A large financial institution has internal policies and procedures to perform erasure of hard drives prior to performing lease returns and disposal of retired assets.  The firm is notified that a shipment back to a vendor contained drives that were not wiped. The drives were encrypted so at the time of this event there were no regulations in the USA that would consider this event a breach requiring disclosure.  However, the company’s internal policies and procedures were not followed therefore an investigation and corrective action was required by internal stakeholders. 

The company identified the risk was from allowing erasure and reuse of the hard drives and implemented a new policy and procedure that all hard drives would now have to be physically destroyed before disposal or lease return.  Although one could argue that this approach makes sense considering the high cost and risk of a data breach, it is actually a flawed response that does not address the root cause of the non-conformity (an employee’s actions failed to adhere to company policy). 

When I analyze and investigate events like this, common root causes tend to include:

1. Technician(s) failed to erase and document erasure as designed and provided in existing management system
2. Management system failed to assign accountability of such events
3. Technician(s) not properly trained or no documented training sessions found
4. Routine audit of applicable work not practiced
5. Process for erasure and equipment returns failed to have redundancies, spot checks, and/or verification steps to ensure compliance
6. Inadequate managerial oversight or approval system in place for data destruction and return management
7. Detailed processes and work flow procedures poorly documented or none in writing found

The client’s response to require on-site destruction of all media does not address any of the issues noted above.  The firm can change the method, destruction tool, and policy but without addressing the core deficiencies in the management system, procedures, training, and redundancies the threat of a non-conformity or event that leads to a data breach remains. 

Not only has the firm made a policy change that will cost millions of dollars in lost revenue from resale and increased lease return fees but they have also done little to reduce the risk stemming from the lack of accountability and the imperfect system that lead to a technician shipping a device with live data still residing on the hard drive.   This same flawed system left unchanged, other than method of destruction, will likely lead to a technician again shipping a device with a hard drive (not wiped or physically shredded).   

Security is too often judged as a consensus of feelings. Many times even the most sophisticated organizations and experienced practitioners will make irrational policies based on how a policy makes them feel.  In this case although the financial firm’s policy to destroy the drives does not address the root-cause, it does make them feel more secure now that all drives will be destroyed.  Organizations incorrectly choose abrupt and elementary policy changes rather than more complicated procedural updates that require greater oversight and investment but will more effectively address deficiencies.          

As security professionals we need to analyze the logical and empirical security deficiencies, prescribe solutions based on the root causes, assign accountability and test and evaluate our systems and programs all the while taking care to prove the value of such investment to the business’s stakeholders.  When changing policies in the face of failure, it is important to remove fear from the equation and focus on addressing the problem with a clear mindset. 

It’s time your IT asset disposal program manager ditches a murky understanding of DoD data destruction(Department of Defense 5220.22-M) by adding a clearer understanding of the NIST 800-88 (National Institute of Standards and Technology 800-88 Guidelines for Media Sanitization).

The DoD data destruction standard does not provide the adequate specifics an organization or business will require in order to run a secure program in a real world operation. The DoD does provide broad guidelines that should be adhered to by any organization maintaining or disposing of sensitive data.

The NIST 800-88 Guidelines, however, provides a detailed roadmap for creating a data destruction program built on the principles of identifying risk, life cycle stage of media, selecting and implementing appropriate methods of destruction, verifying and overseeing success, and documenting procedures and work performed.

“We perform DoD data destruction” has been a mantra of the ITAD (IT asset disposal) industry for well over a decade. But when one pushes for more specifics from a vendor or program manager one is likely to find inconsistent interpretations of the standard from a belief that it exclusively refers to three pass binary wiping, seven pass binary wiping, to a misconception that only physical shredding and pulverization of media can achieve data security.

In reality the DoD data destruction method does have recommended standards for two step erasure of drives using a clear and binary pass overwriting. It also includes basic standards for the removal of physical identifiers, chain of custody documentation, and physical destruction of optical media. The DoD standard does not recommend any specific tools, software, machinery, or provide any types of certifications to vendors or products.

The NIST 800-88 provides a clear manual that guides IT professionals to select the appropriate tool by the life cycle, risk level, and type of media. For example the document points out that a degausser should never be used for solid state media. Since SSD media is not magnetic media the degausser would not destroy the data on the chip sets. This type of granular knowledge is a must have for every IT asset manager.

Here at ITAMG we help our clients understand the NIST 800-88 model and how to develop custom programs that address unique business, industry, and regulatory compliance requirements.  

For more information on appropriate methods and documentation of data destruction practices please review our short guide to NIST 800-88.

If your IT department generates valuable surplus computer equipment whether through a regular refresh project, office relocation, staff reduction or merger it will be helpful to understand how to bid out an IT asset disposal project to computer liquidators.

We suggest contracting a prime source for ongoing IT asset disposal services, but from time to time it may be required to get a fixed bid on excess IT assets. In this post we will be providing a few tips on how to solicit offers in a way that will fairly evaluate capable vendors.

1. Qualify a list of bidders before distributing a Request for Proposal. Do not waste time taking offers from vendors that do not meet your company’s security, environmental compliance, or risk assessment requirements. When researching vendors and compiling a list of potential bidders weed out any vendors that do not meet your internal requirements. We suggest only bidding projects to vendors with third party certifications such as ISO 14001, Responsible Recycling (R2), and e-Stewards certification.

2. Create a spec sheet for the equipment that you will be bidding out, including an accurate estimate of the quantity of machines by locations. As an example for a desktop, note the make, model, processor model, RAM configurations, hard drive type and size, and form factor. Sometimes providing a service tag or part number will be enough, but to avoid potential issues from discrepancies it is best to have all bidders on the same page at day one of bidding. For a vendor to include all shipping and packaging costs in an offer they will need to know how many units and where the units are located.

3. Create a fixed timeline to receive accurate pricing. Provide bidders with a deadline for bids and what day the equipment will be released and ready for pickup. Most vendors will have an expiration date for competitive offers. A long timeline for a sale puts the vendor and your organization at risk of a bid expiring and the depreciation of the market effecting value returns for all parties. Reduce your company’s exposure by providing accurate timelines and rebidding if the timelines are not met.

4. Make sure all service level requirements are specified at the time of bid. Clearly outline any packaging services, de-racking, wiring, on-site data destruction, or any other services that will come at a cost to your company or vendor at the time of the bid. In order to fairly evaluate vendors one needs to avoid selecting a vendor and then finding out that there are additional costs and reductions to the value back because the requirements of the equipment sale were not clearly specified at the bidding.

Following these guidelines will help you seamlessly sell surplus IT equipment.

Looking for a tool to get the most value back on your company's IT disposals?

Download the ITAMG Inventory Template Today:

Evaluating an IT liquidation provider to purchase your corporate IT equipment can be a difficult task to accomplish. There are a good deal of variables that can lead an IT manager down a path where he or she will be unable to accurately evaluate competitive quotes, incur unnecessarily high service costs, or set incorrect expectations of value returns that will not be achieved at the end of a project.

Here are some quick tips to make you aware of potential pitfalls and help you eliminate these variables.

1. Know what you’re selling. Having a good understanding and detailed inventory of the models, specs, functional conditions, and cosmetic conditions of your equipment is the most empowering tool you will have available in the process. The more details and assurances you’re able to provide to a vendor the more comfortable and competitive the solution the ITAD provider will be able to offer. Its understandable most IT departments will not have the resources to test equipment and note cosmetic issues on every machine, but if you’re aware of equipment defects and issues provide this information to your IT liquidation vendor and get an understanding of what the cost reductions will be ahead of executing the project.

2. Understand your service level requirements. Make sure to provide all IT liquidators bidding on your project with detailed information on what data destruction service level, packaging requirements, building access requirements, shipping requirements, or any other data and asset management requirements you may have. This can be particularly important when the service level will affect the value of the equipment. For example, if you choose to require a vendor to shred the hard drives from a laptop liquidation there be additional costs for the destruction services and the machines’ overall value will be decreased from removing the hard drives.

3. Set a rigid time frame for the project. The secondary markets fluctuate rather quickly and most IT disposal vendors will not be willing to hold aggressive return rates in effect for longer than 10 business days. Keep in mind that if you’re planning a project 30-90 days out to set these expectations upfront so the vendors are able to give realistic pricing that can be met. We suggest in these situations to get the IT asset recovery estimate from vendors early in the planning stage and qualify capable providers. You can then re-price the project and make final decisions closer to the release of the equipment.

Having a good understanding of your disposal inventory, conditions of the equipment, service levels required, and time frame of project will allow you to control the process and meet the expectations set with your IT asset disposal vendor.

Looking for a tool to get the most value back on your company's IT disposals?

Download the ITAMG Inventory Template Today: