Old server hardware is a fact of life – the perpetual drive for increased processing power, more storage and improved software functionality means that the average lifespan for a new server is around three years. And with support for Server 2003 ending in less than a month, there is expected to be a large increase in the number of redundant servers that need to be disposed of.
So what are the factors you need to consider when disposing of server hardware?
By their very design, servers are intended to store data. More importantly still, they are supposed to simplify sharing of information within your corporate network.
So when disposing of servers, it is important to carefully consider the data that may still be stored on the drives. Cybercriminals or even your competitors could easily recover sensitive data from your dumped server, before using that information to steal your intellectual property (IP), leverage your product development and research for their own use, or headhunt your customers using your own data against you in future bids for work.
To prevent such problems you must either remove the hard drives and physically destroy them, or use a secure file deletion tool to ensure all information is unrecoverable. A simple format of the drives is insufficient – tools like Ontrack EasyRecovery are more than capable of recovering data deleted in this way.
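The check below is an added example, not part of the original article or any vendor tool: it scans a drive image sector by sector and reports which ranges still hold data, showing why a format leaves files recoverable while a full overwrite does not. The 512-byte sector size, the all-zero wipe pattern, the simulated quick format and the in-memory disk contents are all assumptions constructed for illustration.

```python
import io

SECTOR = 512  # assumed logical sector size


def residual_ranges(dev, sector=SECTOR, pattern=b"\x00"):
    """Return [(first, last), ...] sector ranges NOT filled with the wipe pattern."""
    expected = pattern * sector
    ranges, start, idx = [], None, 0
    dev.seek(0)
    while True:
        block = dev.read(sector)
        if not block:
            break
        clean = block == expected[:len(block)]
        if not clean and start is None:
            start = idx                      # a run of leftover data begins
        elif clean and start is not None:
            ranges.append((start, idx - 1))  # the run ended on the previous sector
            start = None
        idx += 1
    if start is not None:
        ranges.append((start, idx - 1))
    return ranges


def build_disk(sectors=64):
    """Constructed sample image: metadata in sectors 0-3, a data file in 20-22."""
    disk = io.BytesIO(bytes(sectors * SECTOR))
    disk.seek(0)
    disk.write(b"FSMETA" * 300)              # 1800 bytes of stand-in metadata
    disk.seek(20 * SECTOR)
    disk.write(b"customer-record;" * 80)     # 1280 bytes of stand-in file data
    return disk


def quick_format(disk, metadata_sectors=4):
    """Simplified model of a format: only the metadata area is rewritten."""
    disk.seek(0)
    disk.write(bytes(metadata_sectors * SECTOR))


def full_overwrite(disk):
    """Overwrite every sector with the wipe pattern (zeros here)."""
    size = disk.seek(0, io.SEEK_END)
    disk.seek(0)
    disk.write(bytes(size))
```

The same `residual_ranges` function accepts any seekable binary file object, so it can be pointed at a raw image of a wiped drive opened read-only; an empty result is what a disposal record should show.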
Where your business handles personal data, there is a legal duty under the Data Protection Act 1998 (DPA) to prevent loss or theft of that information. Your business must be able to demonstrate that you have properly disposed of personal data and put it beyond recovery by unauthorised third parties.
To meet such requirements, your business will either need to employ a secure file deletion tool, or physically destroy the hard drives belonging to the server being disposed of. If you are hoping to resell or donate it to charity, secure file deletion will leave you with a usable machine – otherwise it will require replacement drives, significantly reducing its value to a buyer.
Newspapers and other media outlets frequently run stories about second-hand servers bought online and the sensitive data they recover from the included drives, suggesting that businesses are still not taking this danger seriously. Aside from the potential reputational and financial damage these kinds of leaks cause, those found to have breached the DPA can be fined up to £500,000, and company directors could even be sentenced to a jail term in some circumstances.
The days of sending computer hardware to a landfill are long gone with environmental legislation outlawing general dumping of electronic waste. More specifically the EU’s Waste Electrical and Electronic Equipment (WEEE) directive classifies servers as hazardous waste because they contain PCB boards, a source of polychlorinated biphenyl, which can cause skin lesions, immune system problems and even acute systemic poisoning.
These firms strip server components and ensure that everything recyclable is reclaimed. They then arrange for the remaining components to be disposed of safely, issuing you with a WEEE recycling certificate to prove that everything has been recycled according to EU guidelines. You should also ensure that all drives are securely wiped using a tool like Blancco 5 to put unwanted data beyond recovery before any hardware is sent to a recycler.
The most environmentally friendly disposal option, however, would be to repurpose your old server, putting it to work in a role that is not reliant on processing power or RAM. Old machines are often used as backup DNS servers, for instance, helping to keep mission-critical systems online in case of an emergency whilst primary servers are repaired.
Finally, your business could consider donating old servers to charitable organisations that can make use of older computer hardware. Obviously the same rules about data protection still apply, but your business can avoid much of the administrative burden associated with WEEE disposal. You may even be able to use such donations to reduce your annual Corporation Tax liabilities and to meet Corporate Social Responsibility (CSR) targets.
However your business chooses to dispose of old servers, the key consideration must be to ensure that all data is securely deleted before the asset leaves your premises. Failure to do so could be extremely costly in terms of reputation damage, regulator fines and lost business; get it wrong and retiring old servers could be one of your most costly undertakings ever.