As if IT pros didn’t have enough on their plate, decommissioning hardware is another responsibility with the potential for security breaches.
How and when you dispose of old and obsolete hardware infrastructure—whether you’re closing down your business or upgrading your tech—could have serious ramifications. Tim Rawlins, NCC Group director of security and senior advisor, told IT Brew that the sensitivity of data you have written on your hardware can often determine to what extent you’ll need to go to ensure it’s protected before you throw it away.
“At a low level, just rewriting it over, three times is enough. If it’s more sensitive data you might look at fully encrypting the hard drive so that there really is nothing in there that can be obtained,” Rawlins said. “And at the highest level, if it’s got sensitive data, then you would go for physical destruction.”
Mr. Clean. This kind of data cleanup is often referred to as sanitization. Rawlins said that the need for protection varies depending on how valuable the information is and whether or not there’s a viable threat. Organizations often hold onto their assets for longer than needed, meaning that the hardware gets used past what it’s made for, leading to further attrition when it comes to data on devices and hard drives. And on top of that, there are many boxes to check, according to Rawlins.
“You need to identify the data, you need to figure out how you’re going to destroy it, whether it’s just that sort of digital destruction or physical destruction,” Rawlins said. “You’re going to record that you did it so that you’ve got a record that you can use as part of any evidence that you might need to be able to demonstrate that you’ve done that process.”
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
State involvement. The threat is real enough that agencies on both sides of the Atlantic are raising the alarm. A May report from the FBI detailed the risk of attackers exploiting remote access management on old routers to infiltrate systems. These attacks are a way for threat actors to go after internal information and show the threat that old hardware can pose.
In the UK, the National Cyber Security Centre has posted guidance for decommissioning hardware to avoid the security threat posed by stored data. It also lays out the steps companies should take for sanitization. “Some forms of sanitization will allow you to re-use the media,” the Centre explains, “while others are destructive in nature and render the media unusable.”
David Redekop, founder of DNS and security firm ADAMnetworks, told IT Brew that sanitization has, roughly, two main paths. First, and perhaps easiest, is to hand the work over to a trusted third-party vendor who can manage the sanitization. Second is to do it yourself. Which way you do it should rely on your risk posture, Redekop said.
“Whatever data you have, absolutely none of it should ever leave the premises, or the possession of a trusted employee, or trusted company premises,” Redekop said. “That’s the bottom line.”
Risky business. Where the risk level is depends on a number of factors, but the primary concern is how much of a target your organization is to attackers. As Redekop explained, high-value targets tend to be those that have highly sensitive data or currency on their hardware; attackers getting their hands on hardware with that data could spell disaster.
“We’re talking about an attack surface that today is still growing,” Redekop said.