This 6th annual IT Asset Dispositon Benchmarking Report provides information and research on security, environmental, and financial issues related to IT Asset Disposition (ITAD) and the more general IT Asset Management (ITAM) discipline.
As a benchmarking tool, we encourage you to use the information to help understand how your ITAM/ITAD program compares to others and how you can further improve your systems to better attain your desired outcomes. Information contained in this report was generated from:
- Survey Results Cascade’s annual benchmarking survey polled U.S. enterprises collectively representing over 250,000 employees from 20 different industry segments.
- Processing Data We evaluated more than 560,000 assets processed by Cascade for IT asset disposition in 2018 and 2019
- Market Research ITAD research and industry trend analysis
|IT Asset Management Programs|
Creating an ITAM discipline
Effective IT asset disposition begins with a coordinated IT Asset Management process. Successful ITAM strategies help organizations generate value from their IT assets and reduce risk. The IT Asset Manager is responsible for managing the disposition vendor, ensuring personally identifiable information is destroyed, and reporting asset status for financial accounting.
Cascade has found that the most effective ITAM programs involve stakeholders from IT, risk management, facilities, environmental health & safety, finance and procurement. Because the CIO and other executives of an organization can be personally liable for the improper disposition of IT assets and loss of data during disposal, it is a good idea to include them in the ITAM program, too.
Most of our survey respondents indicate they’ve operated a coordinated ITAM program for more than five years.
What drives ITAD decisions
While there are many issues to consider when setting up and managing an asset disposition program, we’ve found that people responding to our surveys consistently rank these five criteria in the same order year after year.
Security continues to be, by far, the most important criterion for disposing of IT assets. Over 94% of survey respondents said it is critical in their decision making, with the remainder saying it is very important. Clearly a secure disposal solution is essential to these organizations.
Disposal costs became a much less critical factor in choosing an ITAD solution and continues to trail risk concerns. Even though retired IT assets generate significant resale value, this is seen as the least important factor when making disposition decisions.
Trends in IT hardware spending
Most organizations plan to spend about the same on IT hardware each year. In this year’s survey, 23% of respondents indicated their organizations plan to spend more on IT hardware in 2020, compared to 22% which planned to spend more in 2019. For the second year in a row, significantly more organizations (from 6% in 2018 to 13% in 2019 to 20% in 2020) plan to trim their spending in future years.
The industries starting to cut back in spending are from the healthcare, financial and manufacturing sectors. This graph displays answers to the forecast spending question from the past six annual surveys.
Moving to the cloud
While many companies are moving some or all of their application hosting to the cloud and third party providers, almost 70% of the enterprise clients surveyed still maintain their own data centers or enterprise servers. Forty-five percent house data center equipment in co-located facilities. Our survey finds that over 39% of respondents will either expand or maintain their investments in their own data centers, while 34% plan to decrease investments in their data centers as they move more hosting to third-party providers.
Longer refresh rates
Respondents are now refreshing 46.4% of their desktop computers every 4 years or less, compared to 51.7% in 2019. For the last four years, average desktop refresh rates have lengthened and organizations are holding onto these devices longer. Laptop refreshes also lengthened this year with 64.3% planning to replace these devices every 4 years or less, compared to 67.2% reporting a 4 year or faster refresh in 2018.
Reviewing and updating policies
Most security regulations require security policies be “reviewed and updated as needed,” which typically means they should be checked annually. In fact, it is recommended that industries regulated by privacy protection programs like HIPAA, FACTA or PCI-DSS should review related security policies annually in order to stay current with changing regulations.
In addition, the types of assets an organization supports and the way they are used by an organization is evolving on a regular basis and may impact the policy. It’s a good practice to at least review the policy once per year or whenever major changes take place.
In this year's survey, over 88% of respondents (up from 75% the previous year) indicated their organization has a policy in place that addresses how IT assets are to be retired. Privacy regulations require all organizations to adopt a security policy that manages security risks that arise from the multitude of ways data may leave the organization.
Training to security policies
These policies need to be regularly reviewed to ensure they cover new products generated by the organization, and must also capture all the ways these products, and the data on them, may leave the organization.
About two-thirds of organizations reviewed their policy within the last two years. More than one-quarter of respondents had either never been trained on this policy or weren't aware of a training on IT asset disposal policies for the organization.
Including the essentials in your policy
We asked respondents what is included in their security policy related to ITAD. The checklist to the left lists their responses.
Every item on the checklist should be included in a company’s data security policy and program. Most importantly, employees are expected to be informed and trained on the policy. Keeping a signed acknowledgment of the policy on file is the best way to demonstrate to auditors that you took reasonable efforts to train staff, which will prevent compliance fines and should also mitigate potential data breaches.
Managing data security
Overall, more organizations are taking more steps to secure or sanitize their data before handing over media to a third-party for processing and further sanitization.
Compared to the previous year, 24% more organizations are now encrypting their drives.
Onsite sanitization practices could be improved, since the 3-pass DoD wipe is outdated and formatting drives is not effective at eliminating data.
Cascade recommends all organizations adopt appropriate methods of media destruction based on the NIST 800-88 Guidelines for Media Sanitization and consistent with their tolerance for risk. This may include performing some sanitization/destruction of media at your facility, setting up a secure chain of custody of the media to the final processor, and assuring that all data are properly destroyed and accounted for by the processor.
Special Media Sanitization
We also ask people if they have the capability and take the time to sanitize data from SSDs and flash media devices.
Different technologies are required to destroy data on Solid State Drives (SSDs) and other flash media. We continue to see an upward trend in organizations developing processes for sanitizing these devices internally. For the first time in our survey, a majority of organizations have a process to destroy data on SSDs, but that leaves many others without a defined solution to this challenge.
Since different methods and tools may be needed to perform a data sanitization on these devices, many companies are limited in their ability to successfully perform these data sanitization processes. It’s different from wiping a hard drive.
While Cascade is able to perform these data destruction processes consistent with NIST 800-88 Guidelines, it’s important for all organizations to be able to address data security concerns on these media whenever they are redeployed in the organization or potentially sent back to a phone carrier at the end of their use.
An important part of an asset management program is the tracking of assets.
This year’s survey shows that the types of assets organizations manage and track are growing. Almost all respondents say they track their servers, desktops, and laptops.
Mobility devices gained the most this year. Over 82% of organization reported tracking all or some of their tablets, compared to just over 70% from last year’s survey. Smartphone tracking increased from 43% to 66% overall.
Internet of Things (IoT) devices were rarely tracked last year (31% of organizations tracked some or all of them in 2018). This year, as more of these devices were deployed in the field, over 48% of organizations reported tracking IoT assets.
Tracking data bearing assets to the point of final disposition is a requirement of privacy protection regulations. It is also an essential risk mitigation strategy. This is essentially the critical role of the IT Asset Manager. Assets need to be tracked throughout their use in an organization to mitigate security risk, manage licenses and the value of the assets, and ensuring the assets are productive.
When an asset isn’t tracked, you won’t know if it goes missing. Organizations needs to answer the question, “what is the risk of not knowing when an asset is lost?” to help determine the level of effort and investment to accurately track the asset until final disposition.
Data sanitization options
There is plenty of precedent supporting electronic sanitization in conformance to the NIST 800-88 Guidelines as an acceptable process for effectively eliminating data on storage media. If an enterprise needs to convince its security team to allow for electronic sanitization of reusable media, it can point to established security policies from regulations and high security minded organizations that have already adopted this as a standard.
Environmental benefits of reuse and recycling
Cascade and our clients collectively diverted more than 4.2 million pounds of electronics from landfills in 2019. Refurbishing and reusing these devices provides the greatest environmental benefit, since it reduces the need to mine raw materials and expend tremendous amounts of energy to produce a new electronic product. The amount of devices reused by Cascade in 2019 grew over 35% compared to the previous year.
Cascade also demanufactured end of life electronic equipment into sixty-three distinct material streams for recycling and reclamation. By separating materials into shredder and furnace ready product, we can improve recovery rates and reduce the amount of waste throughout the recycling process.
In 2019, 84.4% of all material collected was either reused or recycled into a new raw material by Cascade and its downstream partners. Typically, shredding operations only achieve a 50% recovery yield.
Shredding drives is a waste
Enterprises have significant economic value present in hard drives that are ready for retirement. It is important to consider balancing data security concerns against the return on the sale of these drives. Given the maturity of the data sanitization software solutions in the market today, there are many effective ways to manage the risk of hard drive disposal.
A study published in 2019 by iNEMI found that the reusing a drive saves 352 times more CO2 compared to recycling the drive. For Cascade customers, the average net value return of reuse vs. recycling is about $5 - $10 per drive.
Learn more about this topic from an article published by Cascade in November 2019.
Trade and tariffs impact e-recycling in 2019
Tariffs and trade disputes are directly impacting the e-scrap industry, causing financial and processing challenges throughout this sector. Import restrictions on recyclable plastics started in China in 2017 as part of its “National Sword” initiative that was a response, in part, to the high volume of contaminated waste mixed into imports of recyclable materials. Once banned in China, many operators set up new processing facilities in other Asian countries to absorb the diverted plastic stream.
The influx of material quickly created an immense burden on these countries, causing Vietnam, Malaysia, and Thailand to subsequently enact bans on e-scrap plastics and other waste materials.
Import tariffs are also increasing costs on the recycling industry by raising prices on processing materials and supplies often sourced abroad.
Given all these changes, it is essential to know where your materials go and whether your processor complies with all international trade laws. Otherwise, the materials may end up in the wrong hands or be rejected and shipped back at a great cost to all involved.
Read more from one of Cascade's 2019 newsletters.
Best practices for enterprise mobile device disposition
For the last decade, workforces have been revolutionized by mobile technology. The IT Asset Manager’s role has been critical to its success. Selecting devices, contracting with carriers, shipping thousands of individual units, managing telecom expense, running security software, and enabling usability tools are just some of the critical tasks they undertake. So why are most trade-in solutions still focused on consumers?
The scale and criticality of properly operating a mobile asset management program at an enterprise should guide new designs to disposition solutions.
That begins with mitigating risk through proper accountability (from a security and environmental perspective) with the vendor managing the disposition of the devices. A contract backed up by vendor certifications helps.
It then seeks to return greater value by protecting assets from damage when handling and shipping the devices to the vendor for further processing.
Finally, it allows for the vendor to coordinate with the enterprise’s mobile device management tools (e.g., Find-my-iPhone and Samsung Knox) to securely unlock units so they can be resold for value recovery once all data have been sanitized.
A conversation with a mobile carrier about smart phone retirement
This is a real message dialogue between one of the top four U.S. carriers and a Cascade representative. Similar conversations took place with other phone carriers.
These exchanges illustrate that phone carriers are not taking responsibility for the destruction of data on your old phone. Their primary focus is with selling and supporting new phones.
Who clears the data on phones?
In our survey, we asked how many enterprises have an internal process in place to destroy data on their mobile devices. While the percentage of organizations clearing data on phones is improving, nearly 40% of organizations reported they do not have a process to clear data on their phones when disposing of them.
Tracking resale values of second-life phones
Pound for pound, smart phones and tablets in working condition generate the highest resale value of all product types refurbished by Cascade. The graph to the right shows the average sale price of all generations of resold iPhones handled by Cascade the past three years. In the case of an iPhone7 with 128GB of memory, those devices were originally released in September 2016 for $869. Eighteen months later, their resale value dropped to around $300 each and in September 2019, they’re worth about $80. On average, these devices lose between 6 - 7% of their value per month.