The rise of ransomware attacks targeting small and medium businesses has made data security a top priority for IT leaders. While there are many security products available to protect against and detect threats, one simple but often overlooked mitigation tactic is a proper tech recycling policy.

When disposed of improperly, old IT equipment can pose a security risk. Hard drives, for example, can contain sensitive data, such as customer information, financial information, and intellectual property. If these hard drives are not properly erased or destroyed, they can be used by attackers to access this data.

Destruction:

When the environmental movement of the 1970s began, it changed how Americans treat and discard reusable materials. Fast forward to 2022 and recycling has become so ingrained into our daily habits that most garbage pick-up services offer trash and recyclable pick-ups to commercial and residential addresses. There are blue trash cans everywhere! If recycling a soda can is so simple, why is it so hard to figure out what to do with your old IT equipment?

Used IT equipment should absolutely be properly recycled! IT equipment contains not only recyclable material, but also toxic materials that should not be thrown away with normal refuse. When equipment is recycled, trained professionals can separate the materials and dispose of them in a way that is environmentally responsible.

What about data security? Those old hard drives can contain personal and corporate data! Just like shredding paperwork that contains sensitive data, hard drives should be recycled in a manner that prevents access to the data and defeats restoration efforts. Hard drives should be shredded, and the materials disposed of by a recycling center that handles IT equipment.

Asset transfer:

It may not be economically feasible to have a policy that every employee gets a new machine and never has to use a secondhand computer. Assets can absolutely be transferred from one employee to another to get the maximum use out of a device. The biggest risk that should be mitigated is the confidentiality or sensitivity of the data on the machine, specifically the data on the hard drive. If the outgoing employee never dealt with sensitive data, a wipe and re-install of the existing hard drive may be sufficient.

However, if the outgoing employee likely dealt with more sensitive data, as an HR or finance employee would, the hard drive should be pulled from the asset, properly recycled, and replaced with a new hard drive. Pulling the hard drive and getting a new one for any computers you may be giving to an employee for personal use is the easiest way to ensure no corporate data is lingering on the machine. Decision makers should make a risk-based decision on which method is appropriate, even if that is done on a case-by-case basis.

The latest anti-virus product or SIEM/SOC solutions may be flashier mitigation tools for your network security program, and they do represent an important layer of the security onion. But don’t forget the basic risk that your used IT equipment poses to your business; it’s a risk that can be mitigated by a well-thought-out re-use policy or a formal tech recycling process.