With the rise of ransomware events targeting small and medium-sized businesses, data security has been brought to the forefront of many strategic conversations around the IT “dinner table.” Although there are many palatable security products available on the market to protect against and even detect security risks on your network, one mitigation tactic is so simple it is commonly overlooked. What do you do with your used or old IT equipment? Is it safe to transfer the asset from one employee to another? Is it safe to give the asset to an employee for personal use? These are several questions that are commonly asked.
When the environmental movement of the 1970s began, it transformed how Americans treat and discard reusable materials. Fast forward to 2022, and recycling has become so ingrained in our daily habits that most garbage pick-up services offer trash and recyclable pick-ups to commercial and residential addresses. There are blue trash cans everywhere! If recycling a soda can is so simple, why is it so hard to figure out what to do with your old IT equipment?
Used IT equipment should absolutely be properly recycled! IT equipment contains not only recyclable material, but also toxic materials that should not be thrown away with normal refuse. When equipment is recycled, trained professionals can separate the materials and dispose of them properly, ultimately ensuring that the refuse is discarded in a way that is environmentally responsible.
What about data security? Those old hard drives can contain personal and corporate data! Just like shredding paperwork that contains sensitive data, hard drives should be recycled in a manner that prevents access to the data and defeats restoration efforts. Hard drives should be shredded, and the materials disposed of by a recycling center that handles IT equipment.
It may not be economically feasible to have a policy that every employee gets a new machine and never has to use a hand-me-down. Assets can absolutely be transferred from one employee to another to get the maximum use out of a device. The biggest risk that should be mitigated is the confidentiality or sensitivity of the data on the machine…specifically the data on the hard drive. If the outgoing employee never dealt with sensitive data, a wipe and re-install of the existing hard drive may be sufficient. However, if it is likely that the outgoing employee dealt with more sensitive data, as an HR or finance employee would, the hard drive should be pulled from the asset, properly recycled, and replaced with a new hard drive. For any computer you may be giving to an employee for personal use, pulling the hard drive and getting a new one is the easiest way to ensure no corporate data is lingering on the machine. Decision makers should make a risk-based decision on which method is appropriate…even if that is done on a case-by-case basis.
The latest anti-virus product or SIEM/SOC solutions may be flashier mitigation tools for your network security program – and they do represent an important emerging layer of the security onion. But don’t forget the basic risk that your used IT equipment poses to your business; it’s a risk that can be mitigated by a well-thought-out re-use policy or a formal recycling process.