It’s often smarter to redeploy your organisation’s old IT equipment than to throw it away. Say someone hands in their notice a few months after getting their hands on a shiny new company laptop, for example, or an exec decides to exchange a functional smartphone or tablet for a higher-spec model. There’s no sense in retiring old devices when they’re still working and other employees might get some use out of them.
However, before you start digging around in the office storeroom and handing out the C-suite’s old laptops to apprentices, it’s important to be aware that redeploying old IT equipment is something that requires the utmost care and attention. Specifically, if you don’t address the security risks, there’s a fair chance your organisation’s most sensitive data – left intact during the transition from one user to another – might fall into the wrong hands.
There’s no shortage of figures to back this up. Verizon’s landmark 2014 Data Breach Investigations Report found that a rising number of intellectual property thefts are attributable to insiders rather than hackers, while 22 per cent of all insider and privilege-abuse attacks take advantage of physical access to storage media. Additionally, an October study from Central European University showed that 57 per cent of data breaches affecting EU residents’ privacy are the result of “organisational errors, insider abuse, or other internal mismanagement”.
So, how can you reuse business devices without increasing your organisation’s exposure to security risk? Start by considering the following.
Any data on the device should be securely destroyed
It should go without saying that before you allow one member of staff to use another employee’s old hardware, you should wipe any local storage that might still contain the latter’s data. You don’t want a new hire to have access to your chief financial officer’s unencrypted spreadsheets, nor do you want a homeworker holding on to a hard drive that for compliance reasons ought to be kept under lock and key.
And yet many organisations fall at this first hurdle. They carry out a quick reformat, or install a fresh drive image, or even just create a new user profile. But as we’ve discussed on this blog before, reformatting or deleting files isn’t enough to render the drive’s contents unreadable, even to freely available data recovery software.
The best way to prepare an old computer or mobile device for redeployment is to use secure data erasure software such as Blancco 5 or Blancco Mobile, which is capable of wiping storage media to the highest industry standards without affecting its functionality.
You may need to establish a security policy for the new user
Ideally, your organisation should have some form of security policy in place to cover the use of laptops, smartphones and other devices from day one. This isn’t always the case, though, particularly among small and growing businesses. Other times, it’s necessary to update the existing policy to accommodate changing circumstances – for example, when you’re redeploying old IT equipment down through the ranks.
Let’s say you plan to redeploy a set of laptops that were previously only used in the office, but will shortly be the property of a new, more mobile team. If it’s not mandated in the security policy that they use strong authentication and encryption, there’s an increased risk that the loss or theft of one of those devices might lead to a serious data breach.
More generally, any time you issue hardware to an employee, whether they’re a new hire or simply someone who hasn’t been entrusted with their own IT equipment before, you should endeavour to ensure they’re familiar with the security controls you use and the standard of behaviour you expect.
Is it necessary to delete files within the device lifecycle?
Finally, it’s important to remember that secure data erasure may, depending on the device’s use, be necessary more regularly than simply when a computer changes hands from one employee to another. Most rules and regulations are strict about how long an organisation can hold on to customer data, for example, so workers musn’t be allowed to keep that information on local storage after that point.
Once again, this calls for some form of secure data erasure software. Organisations have a number of different options as to precisely how they handle the problem, though. With Blancco Management Console, for example, files on remote machines can be deleted automatically from a central location, eliminating the need for employees to carry out the procedure manually.
With this kind of solution in place, you’re in a much better position to say that your organisation’s most sensitive data is secure – no matter who’s using your old business devices, or how they’re using them.