It's often smarter to redeploy your organization's old IT equipment than to throw it away. For example, if someone hands in their notice a few months after getting a new company laptop, or an exec upgrades their smartphone, there's no sense in retiring old devices when they're still working, and other employees might get some use out of them.
However, before you start digging around in the office storeroom and handing out the C-suite's old laptops to apprentices, it's essential to be aware that redeploying old IT equipment requires the utmost care and attention. Specifically, if you don't address the security risks, there's a fair chance your organization’s most sensitive data – left intact during the transition from one user to another – might fall into the wrong hands.
There's no shortage of figures to back this up. Verizon's landmark 2018 Data Breach Investigations Report found that a rising number of intellectual property thefts are attributable to insiders rather than hackers, while 28% of all insider and privilege-abuse attacks take advantage of physical access to storage media. The same report also showed that 17% of breaches were caused by internal organizational errors.
Clear, purge or destroy?
Clear, purge and destroy are the three data sanitization categories recommended by NIST 800-88 (National Institute of Standards and Technology). Most media devices have some form of ‘Clear’ function, but not all devices have a reliable ‘Purge’ mechanism. When it comes to repurposing media, ‘Purge’ is more appropriate than ‘Destroy’ when factoring in environmental concerns and the desire to reuse the media – either within the organization or by selling it.
When an organization considers repurposing its media, it should take into account the associated risks. According to NIST 800-88, “the risk decision should include the potential consequence of disclosure of information retrievable from the media, the cost of information retrieval and its efficacy, and the cost of sanitization and its efficacy. Additionally, organizations should consider the length of time the data will remain sensitive. These values may vary between different environments.”
The figure below, from NIST 800-88, can assist organizations in making sanitization decisions that correspond with the security categorization of the sensitive information on the media. An organization should base its decision process on the sensitivity of the information, rather than the media type. Once an organization has decided what type of sanitization is best, the media type should then influence the technique used to achieve the sanitization goal.
NIST SP 800-88, Figure 4-1: Sanitization and Disposition Decision Flow “Information Sanitisation and Decision Making.”
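The decision flow in that figure can be written down as a small function. The following is an added example, not part of the original article or of any Blancco product: it encodes the flow as published in NIST SP 800-88 Revision 1, Figure 4-1, and the inventory, asset tags and field names are constructed for illustration.

```python
from enum import Enum

class Action(Enum):
    CLEAR = "Clear"
    PURGE = "Purge"
    DESTROY = "Destroy"

def sanitization_action(categorization, reuse_media, leaving_org_control):
    """Minimum sanitization category for media, driven by data sensitivity.

    categorization: 'low', 'moderate' or 'high' (security categorization of
    the information on the media, not of the media type).
    """
    level = categorization.strip().lower()
    if level not in ("low", "moderate", "high"):
        raise ValueError(f"unknown security categorization: {categorization!r}")
    if level == "low":
        # The low branch only asks whether the media leaves the organization.
        return Action.PURGE if leaving_org_control else Action.CLEAR
    if not reuse_media:
        return Action.DESTROY
    if level == "moderate":
        return Action.PURGE if leaving_org_control else Action.CLEAR
    # High: reuse is only possible inside the organization, after a purge.
    return Action.DESTROY if leaving_org_control else Action.PURGE

def plan(inventory):
    """Return (asset, action, note) per device; each action must then be
    validated and documented, as the flow requires."""
    rows = []
    for dev in inventory:
        action = sanitization_action(dev["data"], dev["reuse"], dev["leaves_org"])
        note = ""
        if dev["reuse"] and action is Action.DESTROY:
            note = "flow ends in Destroy: media cannot be reused as planned"
        rows.append((dev["asset"], action, note))
    return rows

# Constructed sample inventory (asset tags and fields are hypothetical).
INVENTORY = [
    {"asset": "LT-0001", "data": "high", "reuse": True, "leaves_org": False},     # exec laptop, internal redeploy
    {"asset": "LT-0002", "data": "moderate", "reuse": True, "leaves_org": True},  # planned resale
    {"asset": "PH-0003", "data": "high", "reuse": True, "leaves_org": True},      # planned resale
    {"asset": "LT-0004", "data": "low", "reuse": False, "leaves_org": True},      # recycling
]

if __name__ == "__main__":
    for asset, action, note in plan(INVENTORY):
        print(f"{asset}: {action.value} {note}".rstrip())
```

The result is the minimum category for each device; an organization's own policy can always require a stronger one.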
So, how can you repurpose business devices without increasing your organization’s exposure to a security risk?
Start by considering the following:
Securely destroy any data before you redeploy your IT equipment
It should go without saying that before you allow one member of staff to use another employee's old hardware, you should wipe any local storage that might still contain the latter's data. You don't want a new hire to have access to your chief financial officer's unencrypted spreadsheets, nor do you want a homeworker holding on to a hard drive that for compliance reasons ought to be kept under lock and key.
Yet many organizations fall at this first hurdle. They carry out a quick reformat, install a fresh drive image, or even create a new user profile. But as we've discussed on this blog before, reformatting or deleting files isn't enough to render the drive's contents unreadable, even to freely available data recovery software.
The best way to prepare an old computer or mobile device for reuse is to use secure data erasure software, which is capable of wiping storage media to the highest industry standards without affecting its functionality.
You may need to establish a security policy for the new user
Ideally, your organization should have some form of security policy in place to cover the use of laptops, smartphones and other devices from day one. This isn't always the case, though, particularly among small and growing businesses. Other times, it's necessary to update the existing policy to accommodate changing circumstances – for example, when you're repurposing old IT equipment down through the ranks.
Let's say you plan to repurpose a set of laptops that were previously only used in the office, but will shortly be the property of a new, more mobile team. If it's not mandated in the security policy that they use strong authentication and encryption, there's an increased risk that the loss or theft of one of those devices might lead to a severe data breach.
More generally, any time you issue hardware to an employee, you should endeavor to ensure they're familiar with the security controls you use and the standard of behavior you expect.
Is it necessary to delete files within the device lifecycle?
Finally, it's important to remember that secure data erasure may, depending on the device's use, be necessary more regularly than only when a computer changes hands from one employee to another. Most rules and regulations are strict about how long an organization can hold on to customer data, so workers mustn't be allowed to keep that information on local storage after that point.
Once again, this calls for some form of secure data erasure software. Organizations have several different options as to precisely how they handle the problem, though. With Blancco Management Console, for example, you can delete files on remote machines automatically from a central location, eliminating the need for employees to carry out the procedure manually.
With this kind of solution in place, you're in a much better position to say that your organization’s most sensitive data is secure – no matter who's using your old business devices, or how they're using them.