Electronic devices waste ready for recycling showing data security in asset disposal

“Trust Me” – Taking a Zero-Risk Human-Centered Approach to Data Security

Data safety and destruction isn’t just a technological issue, it’s a human one as well – based on procedure and trust. So how do we build a more trustworthy process?

No company wants to be at the center of a laptop-born data scandal, but the honest truth is that data security breaches do happen, even with the best of intentions. Now just imagine the added struggles of managing, recycling or disposing of those devices during the pandemic while everyone is untethered and working from home.

Understandably, a lot of companies were caught off guard by the crisis and had to send employees to work from home without the proper security controls in place. But the consequences of this are huge. If an employee has to work with sensitive data —  the type of information that would normally be handled in a secure corporate environment – and uses a home internet connection with little to no firewall, it makes it hard to trust that the data is truly secure. As a result, those in the business of data security are living in increasingly anxious times.

To solve this, experts recommend putting more robust Mobile Device Management systems in place to give IT departments full control over remote machines, security updates and remote wiping. However, while these procedural checks and balances are important, what sometimes gets lost are the other more human, less tangible components to managing data security.

The idea of “trust” in IT asset disposition (ITAD) and data security is a big deal. That’s why industries have countless certifications to signal a level of commitment to high security standards. But as the industry learned from the Total Reclaim scandal, those certifications can lead to dangerous and incorrect assumptions that can erode trust, not build it. Never forget, the goal is not certifications for the sake of it.  It’s trust at human scale – between an employer, employee, ITAD partner and the public. And while dealing with data is a highly technical affair, at the end of the day there are always people serving as the anchor to those data systems. If we want to create effective and trustworthy systems that can even survive the game-ending scenario of a data breach, we have to go beyond certifications to foster trust at the human level.

Focus on people

You can have all the certifications under the sun, but if you don’t have the right people properly trained and following a well-prescribed process, those certifications won’t save you from a security failure. That means every employee associated with data erasure and destruction must go through initial and refresher National Association of Information Destruction (NAID) training and pass a full criminal background check.

Even then, you still have to assume that humans are ultimately going to make mistakes, so you need a failsafe solution in your systems that requires a data sanitization record to be associated with a data bearing asset before it can be put on an invoice. That way, if a mistake is made, no data can actually leave the facilities. Furthermore, if a drive fails to properly wipe, it must be flagged in the system, removed from the device and shredded before a job can be completed.  My company takes these exact precautions and they go a long way towards not only earning the trust of our clients, but in allowing those tasked with destroying the data to trust that the process will protect them as well.

These days, focusing on human scale solutions also means that you have to constantly adapt to different and changing customer needs, whether at an office, data center, or now even collecting laptops from employees all over the country. It takes constant engagement and connection with customers at multiple levels within their organizations.  At the end of the day, we are working with people and they are working with us, so it’s important to know what drives each of them and continuously cater to their needs.

No spreadsheets, no secrets

In the data safety game, trust is built daily on service delivery and maintenance, reporting, consistency and transparency – all of which instills confidence that you’re a partner that can be trusted to handle and destroy electronic assets containing sensitive data. However, it’s not enough to do the minimal level of tracking of the data destruction processes, claiming that data has been securely destroyed while holding back the details, as we learned in the recent Morgan Stanley breach.

Some companies out there are still giving basic tracking spreadsheets to their customers, which doesn’t provide a ton of confidence in my opinion.  Others have invested in tracking that’s more rigorous and designed to give everyone a detailed look into data security and destruction processes.  In a best case scenario, a full tracking and reporting platform can allow for continuous tracking. Regardless of how you approach it, the days of not tracking and reporting on assets in a secure ledger, especially data bearing assets, are over. True trust demands a higher level of transparency.

The conditions of trust are changing – everything must check out, from leadership, to financial conditions to training.  And while some will continue to lean heavily on the shortcut of certifications, the ones who will earn trust and actually build secure systems will be the ones that push things further.  Only more human-centered approaches with process-driven systems with strong checks and balances will break through, avoiding breaches and fostering trust in today’s challenging, more anxious times.