The Overlooked Risk in Retired IT Assets

In today’s data-driven economy, organisations invest heavily in cybersecurity, compliance and digital transformation. Yet, one critical vulnerability continues to fly under the radar: the security risks associated with retired IT assets.
While leaders rightly focus on cybersecurity as a frontline data protection measure, the conversation about IT Asset Disposition (ITAD) is often an afterthought. It shouldn’t be. True data protection and operational resilience require ITAD to be an integral part of your strategy. After all, your reputation and compliance depend on it.
Recent research from Iron Mountain and Foundry* reveals a persistent disconnect. While many leaders acknowledge the security risks of retired IT assets, few are allocating the necessary budgets to address them. The research shows that 56% of IT leaders recognise the exposure risk from end-of-life hardware. Yet, fewer than half ranked it among their top three data protection priorities, and most allocated less than 5% of security budgets to it.
There are three interconnected factors shifting ITAD to the forefront of business strategy in 2025: privacy, risk and sustainability. When we look at privacy, the regulatory landscape is growing tighter and accountability is moving up the chain. For instance, Australian Privacy Principle 11.2 places a clear obligation on organisations to ensure that personal information is destroyed or de-identified when it is no longer required - and that includes the data from old laptops and network equipment. In regulated sectors, rigorous lifecycle controls for decommissioning and disposal are no longer optional - they’re an expected standard.
Beyond legal obligations, the financial and reputational risks are simply too high to ignore. A breach linked to improper disposal can be extremely costly, with average impacts estimated in the tens of millions of dollars. The fallout isn’t just financial; it erodes trust with customers and brings intense scrutiny from boards and regulators. It’s easy to overlook ITAD because it’s not the most visible part of the technology stack, but it is one of the most consequential.
Finally, sustainability is an undeniable part of business conversation and corporate reporting. As environmental, social, and governance (ESG) reporting requirements are phased in, a strong ITAD program is becoming essential for compliance. It directly helps us track and reduce emissions, especially the waste generated in operations that falls under Scope 3. It also supports key circular economy goals, promoting the reuse and remarketing of assets and the recovery of materials. As these disclosures mature, fluency in ITAD becomes a critical capability for any business leader.
What steps can Australian businesses take to lift ITAD readiness?
In a complex landscape of new regulations, evolving risk, and growing ESG requirements, secure ITAD is no longer a footnote - it’s a critical control for safeguarding data and reputation.
While many leaders believe they understand the risks, the data paints a different picture. Iron Mountain’s research reveals that a significant 79% of executives believe they understand the risks, yet nearly half admit their actions are inconsistent. The remedy is to treat ITAD as a core enterprise risk control. A best-practice model for ITAD protects data at asset retirement, consistently enforces policy, and satisfies privacy and compliance requirements. This approach also produces the necessary records for auditors and sustainability teams, ensuring a secure and compliant process from start to finish.
A practical guide for ITAD readiness
To help leaders get started, here’s a simple checklist to assess your organisation’s ITAD maturity. It covers the three essential dimensions you should measure yourself against:
- Governance, compliance and auditability
  - Is your ITAD policy documented and leadership-endorsed, with clear ties to regulation, including Australian Privacy Principle 11.2, CPS 234, and ISO 27001?
  - Are roles, budgets and accountability clear, and are outcomes and value recovery consistently measured?
  - Can you produce certificates and custody records for each asset within a week?
- Security and chain of custody
  - Can your providers demonstrate a secure chain of custody and data sanitisation on every job?
  - Is your data sanitisation process aligned to NIST SP 800-88, and is it verified to match data sensitivity?
- Sustainability and value
  - Do you prioritise reuse and remarketing before shredding, based on your risk profile?
  - Does your ITAD program support ESG reporting, including Scope 3 Category 5 and other circular metrics?
  - Are avoided emissions and waste reduction reported clearly and consistently?
If you cannot tick most of these boxes, there’s a gap that exposes your organisation to avoidable risk and regulatory scrutiny.
ITAD in Australia cannot be an afterthought; it must be a core part of your data protection strategy. If your program has gaps, you are exposed to unnecessary risk and scrutiny. Together, let’s make sure end-of-life device security is a priority before it becomes the next front-page headline.
Stuart Dahlenburg is General Manager, Asset Lifecycle Management, Iron Mountain.
* In Mar-Apr 2025, Foundry and Iron Mountain surveyed 317 IT decision-maker level respondents (Director and above titles in IT/Networking/Security, AI/ML, and Data/Business Intelligence) from the US, Australia, France and the UK working in IT, Financial Services, Healthcare or Public Sector organisations.
