E-waste, the detritus created by discarded electronics is surging. It is being fuelled by both an increase in Bring Your Own Device (BYOD) and consumer purchases and enterprises. As the pandemic forced Work From Home (WFH) on many companies, they rushed to buy technology for employees. It has, according to a new report from Blancco, created a rising tide of e-waste that needs dealing with. It also raises significant questions over data management as devices are disposed of.
The details of the problem are revealed in a new report by Blancco entitled: The Rising Tide of E-Waste – How Environmental Concerns and Shifting Work Patterns are Shaping Device Management Practices (registration required).
“The flood of technology investment which followed the beginning of the pandemic has created clear issues for both e-waste and secure data management,” said Alan Bentley, President of Global Strategy at Blancco.
“The switch to remote work spurred on a wave of new device purchases, but these new, widely distributed devices have left enterprises feeling vulnerable. It’s fascinating that so many businesses have implemented roles to manage the e-waste issue resulting from COVID-19, demonstrating corporate social responsibility (CSR), but also their concern around how these devices will be dealt with when they reach end-of-life.”
Getting to grips with e-waste
In 2003, the EU Waste of Electrical and Electronic Components (WEEE) rules came into force. Since then, companies and individuals have had to think about how they dispose of all electronic goods when they are no longer wanted or are end of life. It is one of several pieces of legislation designed to help deal with hazardous substances.
Most large enterprises have built how they deal with WEEE rules into their Corporate Social Responsibility (CSR) processes. Some send e-waste to certified recyclers, and others send it to charity for repurposing. Those that have mature processes have embedded this into their asset management and disposal processes.
However, having a policy and implementing it is not always the same thing. The Blancco report states: “while 44 percent of enterprises did have an e-waste policy in place for end-of-life device management, it was not yet being communicated or implemented.” It goes on to state: “The survey identifies that e-waste initiatives tend to struggle within the modern enterprise due to a lack of ownership around the communication of the policies and in their implementations and compliance.”
It is not just company-owned devices that are the issue here. Many organisations switched to BYOD some time ago. They expect employees to provide their own laptops, mobile phones, tablets, printers and other tech. This not only saves on CAPEX but means responsibility for disposal shifts to the employees. However, given that many employees are using their devices for work, it is arguable that organisations need to help employees when devices are disposed of.
Data security is a real challenge
Part of disposing of devices means dealing with any data on those devices. Scrubbing hard drives means more than just hitting delete. In terms of cost, it is often cheaper to destroy a hard drive than clean it. When it comes to personal devices, users are unlikely to think about the destruction of the drive or memory. This is another reason for the enterprise to step in.
Bentley commented: “It’s crucial that this issue is not overlooked and that these devices are appropriately disposed of. But it’s just as crucial to ensure the safeguarding of sensitive data during that process. Appropriate data sanitization might at times be overlooked as an element of e-waste policies, but it is the perfect opportunity to engage data management best practices. Because not only will this reduce environmental impact, it will also remove the risk of a data breach when disposing of devices at end-of-life.”
The problem highlighted by the survey is that 78% agreed that: “COVID-19 caused unnecessary short-term investment in technology, which will leave us at risk with data being stored on a wide range of devices.”
This raises the question, what will happen to the data? What is not clear from the survey is just how they intend to solve this. 56% say they will sell on used devices. This figure jars with the fact that 51% say that destroying end-of-life equipment is more secure than sanitisation.
So, sell or destroy? It seems that people are confused.
Who is responsible for CSR and e-waste policies?
There is just as much confusion around the communication of CSR and e-waste policies. 45% of respondents said no-one has taken ownership for the communication of current CSR policy to employees. Meanwhile, 56% said there was uncertainty on how to communicate it, and 42% said implementation of CSR is low priority.
At a more senior level, no single role seems to own either CSR or e-waste. Those responsible for e-waste policies were Head of IT Operations (18 percent), Data Protection Officer (17 percent) and Chief Information Security Officer (16 percent).
Ownership is not the same as ensuring compliance. So who is responsible for compliance? Respondents say Head of Compliance (36 percent), Legal (22 percent) and Chief Information Security Officer (11 percent). The fact that the Head of Compliance is not over 50% adds to the problem of enforcement.
Purchase or reuse?
One of the interesting sets of numbers is that of purchased devices. Companies in the US and Germany purchased more smartphones than laptops with tablets just behind in third place. In the UK, Japan and France, it was laptops, tablets and then phones. But why were companies purchasing in the first place?
Enterprise Times talked with several UK-based companies to see what they did. It seems that there were two main schools of thought. The first was to do nothing. Assume the staff all had personal devices and just given them access to company apps and data from home. The second was to redistribute all that kit sitting in empty offices – desks, chairs, screens, computers and even printers.
Where purchases were made, it was because staff had to give personal devices to children for school work. That meant they needed additional technology. Some companies with sensitive data choose to buy new devices and then cycled them through the office to add security software and apps. At some point, they will expect those devices to come back to the company and be part of a shared device pool.
Shared devices also fall foul of the need to purge data. Only 27% said that they would erase a device for reuse. Compare that to 28% who would erase for resale and 12% who would erase for recycling.
Enterprise Times: What does this mean?
Recycling electronics is a nightmare. At a business level, some companies will come in, buy a datacentre and all its equipment, and then look to monetise that. Few of these are willing to provide audited destruction of hard drives or evidence they have been erased to a suitable standard. Most assume that the responsibility for cleaning disks belongs to the company getting rid of the equipment.
For employees on BYOD, there are two options. They can try and find a local WEEE centre, but there is no guarantee the hard drives are not resold. There is little to no help from employers to clean those devices or remove storage. That means a lot of data is available when devices are resold.
Taking a device to the local tip is even less secure. Most tips will not take any electrical goods for recycling. Instead, they are thrown into a skip along with other electrical equipment. At this point, there is no control as to what happens to those devices or any data on them.
This report from Blancco is a warning shot for companies to sort out e-waste and CSR policies now. Next year, everyone is expecting to see WFH continue although more people will be back in offices. The problem of BYOD and devices given to remote workers is not going away. Unless it is dealt with now, data breaches will occur, and regulators will start issuing heavy fines.