A huge number of office productivity devices – including desktops, laptops, servers and handhelds – many with sensitive data on them, are gathering dust in vacant employee cubicles, stockrooms or desks.
Pat Beemer, IT director for Seattle Lighting, has a lot of orphaned computer hardware and unused software licenses on his hands — the result of what he calls “serious” layoffs at the company.
“We’re scratching our heads [wondering] what to do with them. Some of these PCs had sensitive data on them,” he said. “Most of the PCs are old, so they can either be resold or destroyed, but how do we warehouse the others?”
Seattle Lighting is not alone. The question of what to do with unused IT equipment is a rapidly growing problem for many companies hit by the recession and the accompanying layoffs.
Countless desktops, laptops, servers and handheld devices are lying around — often with sensitive data on them — gathering dust in cubicles, in stockrooms or on vacant desks.
At the same time, software licenses, notoriously easy to lose track of, are also piling up.
From the beginning of the recession in December 2007 through February 2009, 4.4 million people had lost their jobs, according to the U.S. Bureau of Labor Statistics.
In the fourth quarter of 2008 alone there were 3,140 mass layoffs around the country resulting in 508,859 lost jobs. In January, another 2,227 mass layoffs occurred involving 237,902 workers.
“Let’s say half of those [laid off] are knowledge workers,” said Forrester Research Inc. analyst Peter O’Neill. “A knowledge worker usually has a copy of Microsoft Office, so you can make a direct correlation” between unused software and laid-off workers.
More than one in five businesses that have had software audits are holding on to unused software, also called shelfware, according to a soon-to-be released software budget survey from Forrester.
And, only 35 per cent of the 776 U.S., European and Asian companies that Forrester surveyed between December of 2008 and February 2009 had even been audited by a third-party provider, O’Neill said.
That means the percentage of companies with shelfware is likely higher than the survey results indicate.
“At the end of the day, I’d say almost every company… finds shelfware,” said O’Neill, who works in Germany. “I’ve seen it in Europe even more dramatically.”
Many companies have no comprehensive, well-documented end-of-life program for hardware and software — a business oversight now coming to light as the recession deepens. “That isn’t a standard business practice yet,” O’Neill said. “It definitely should be.”
Unused software isn’t the only problem. Hardware recycling firms are often working overtime to keep up with incoming hardware, the majority of which comes through the door with hard drives — and sensitive data — intact.
“Trucks are booked. Account managers are running around like chickens with their heads cut off. Schedules are tight,” said Angie Keating, vice president of compliance and security at Reclamere Inc., a Pennsylvania-based data forensics company that specializes in data recovery, data destruction, computer recycling and hardware disposal.
Keating said that while business is booming, she’s concerned that eight out of 10 computers coming in still contain hard drives, even though they were supposed to have been removed.
Many times, sensitive data is still on those drives because corporate budgets have been slashed, reducing or eliminating the trained employees needed to recycle computers properly.
“In some cases, those companies have gone bankrupt; the data is literally just sitting out there, probably sitting on eBay,” said Keating, whose company serves the northeastern U.S., West Virginia and Ohio.
“It is very frightening to me as a consumer, a mom, a health care patient. Everybody’s data is out there.”
In fact, a New York computer forensics company recently reported that 40 per cent of the hard disk drives that it bought in bulk orders on eBay contained personal, private and sensitive information.
Besides sending hardware to a reputable recycling firm, Keating said companies that want to dispose of their hardware in-house must have three things in place to ensure that data is properly destroyed: a thoroughly documented process, a good quality-control program and solid follow-up documentation about what was done and who did it.
“If you have, let’s say, 500 machines — and that’s a small number — coming out of service and you’ve got them stacked up, how do you know which ones have been processed and which haven’t if you don’t have a quality control program?” she said.
Simson Garfinkel, an associate professor in the department of computer science at the Naval Postgraduate School in Monterey, Calif., agreed, emphasizing that an end-of-life program must include documentation. But it doesn’t have to be expensive.
“A lot of people say that it’s technically difficult or even impossible to overwrite the contents of a hard drive,” Garfinkel said.
“This is not true. There is freely available software which does a great job. But you need to run it, and then you need to track which drives you have erased and which you have not.” One example of free software to handle the task of erasing drives is Darik’s Boot and Nuke, or DBAN.
Still easier, Garfinkel said, is “to just punch a hole through each hard drive and be done with it.”
Laura DeBois, an analyst at research firm IDC in Framingham, Mass., said that besides physically shredding hard drives and mobile devices, companies can simply encrypt a drive and throw away the encryption key.
They can also electronically “shred” the data by overwriting it using hard-drive-wiping software approved by the U.S. Department of Defense or the National Institute of Standards and Technology.
Using a degaussing machine to eliminate a hard drive’s magnetism, and thereby destroy its ability to store electronic data, is another method. But Keating said companies often use tape drive degaussers on hard drives, and that doesn’t guarantee erasure.
“It doesn’t have near the power necessary to get to the inner workings of a computer hard drive. And, with no quality control program, how do you know? A degaussed hard drive looks exactly like one that hasn’t been degaussed,” Keating said.
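The quality-control and documentation steps Keating and Garfinkel describe can be sketched in a few lines. The following is an added example, not part of the original article: it spot-checks a wiped drive image for leftover data, writes an audit row recording what was done and by whom, and lists the drives that still lack a passing record. It assumes the wipe finished with an all-zero pass; the serial numbers, operator name and field names are constructed for illustration.

```python
import csv, io, os, random
from datetime import datetime, timezone

BLOCK = 4096
FIELDS = ["serial", "method", "operator", "utc_time", "blocks_checked", "result"]

def verify_zeroed(dev, samples=64, seed=None):
    """Spot-check a binary file object: first, last and random blocks must be all
    zero. Returns (ok, blocks_checked, offset_of_first_nonzero_block_or_None)."""
    size = dev.seek(0, os.SEEK_END)
    nblocks = max(1, -(-size // BLOCK))          # ceiling division
    picks = {0, nblocks - 1}
    picks.update(random.Random(seed).sample(range(nblocks), min(samples, nblocks)))
    for n, blk in enumerate(sorted(picks), 1):
        dev.seek(blk * BLOCK)
        if dev.read(BLOCK).strip(b"\x00"):       # anything left after stripping zeros
            return False, n, blk * BLOCK
    return True, len(picks), None

def log_result(writer, serial, method, operator, dev, **kw):
    """Append one audit row: what was done, by whom, when, and whether it verified."""
    ok, checked, bad = verify_zeroed(dev, **kw)
    writer.writerow({"serial": serial, "method": method, "operator": operator,
                     "utc_time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                     "blocks_checked": checked,
                     "result": "PASS" if ok else f"FAIL@{bad}"})
    return ok

def unprocessed(inventory, rows):
    """Serials from the decommission list with no PASS row in the audit log."""
    passed = {r["serial"] for r in rows if r["result"] == "PASS"}
    return sorted(set(inventory) - passed)

def demo():
    # Constructed sample: two drive images held in memory, one with leftover data.
    clean = io.BytesIO(bytes(BLOCK * 256))
    dirty = io.BytesIO(bytes(BLOCK * 255) + b"payroll.xls".ljust(BLOCK, b"\x00"))
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=FIELDS)
    w.writeheader()
    log_result(w, "SN-0001", "zero-overwrite", "jdoe", clean, seed=1)
    log_result(w, "SN-0002", "zero-overwrite", "jdoe", dirty, seed=1)
    rows = list(csv.DictReader(io.StringIO(out.getvalue())))
    # SN-0003 is on the inventory but was never processed at all.
    return rows, unprocessed(["SN-0001", "SN-0002", "SN-0003"], rows)

if __name__ == "__main__":
    print(demo())
```

A sampled check only catches obvious misses; passing a `samples` value at least as large as the number of blocks reads the whole device. The same audit log works for degaussed or physically destroyed drives, with the `method` column recording which process was used.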
The other option is to simply keep the hardware and warehouse it until better economic times roll around, DeBois said.
“Overall, IT is facing strains and pressures. I think one thing that could happen as budgets compress is that extending maintenance contracts for the more expensive systems will become more popular. An administrator of a large disk storage system with a [three-to-five-year] refresh cycle might err more toward the five-year than three-year end.”
Seattle Lighting, which has stores in nine locations in the Northwest, has just begun to look at how it will implement an end-of-life policy for hardware, according to Beemer. Most of the company’s sensitive data resides on centralized servers, and for hardware without a home, “most likely we’ll run an eraser tool on hard drives,” he said.
A bigger problem for Beemer is the hundreds of software licenses orphaned by the layoffs. “We’re aggressively asking our vendors for renegotiations,” he said. “In some cases they do, but others won’t.
That goes across the board for the enterprise in general, including lease negotiations.”
Garfinkel said companies in that situation should simply begin migrating to open-source software, “rendering this issue moot.”
According to Forrester’s O’Neill, vendors that would never have considered renegotiating a software contract two years ago have softened and are likely to rework deals to keep their customers.
“This year especially [software vendors] are highly dependent on maintenance… and that’s dependent on the relationship with customers,” he said.
“Even Microsoft these days probably doesn’t feel that safe. The threats building up for Microsoft Office around the cloud and service offerings are very apparent. While the last 12 months of thousands of layoffs… translates into additional shelfware being created. I’m not sure companies have even reacted to it yet.”