Redeploying old IT equipment in today’s tough economic conditions could easily result in higher profits. There is no sense in retiring old devices when they are still working and other employees might get some use out of them.
However, Xperien CEO Wale Arewa warns that before companies start handing out old laptops, it’s important to be aware that redeploying old IT equipment is something that requires the utmost care and attention.
“If you don’t address the security risks, there’s a fair chance your organisation’s most sensitive data might fall into the wrong hands,” he stresses.
A recent Verizon Data Breach Investigations Report found that a rising number of intellectual property thefts are attributable to insiders rather than hackers, while 22% of all insider and privilege-abuse attacks take advantage of physical access to storage media.
Company executives responsible for IT asset management need to understand the principles of IT Asset Disposal (ITAD) and they need to consider regulatory compliance and the protection of company information. IT disposal has legislative requirements, compliance to Protection of Personal Information Act 2013 (PoPI 2013), the National Environmental Waste Management Act 2008 (NEMWA 2008) and the Consumer Protection Act 68 of 2008 (CPA).
How can one reuse business devices without increasing the organisation’s exposure to security risk? All data should be securely destroyed according to legislative requirements, Arewa says.
“Before you allow any staff member to use old hardware, you should destroy all data. You don’t want a new employee to have access to the chief financial officer’s unencrypted spreadsheets,” he explains.
“Many organisations fall at this first hurdle, they think a quick reformat of the hard drive or installing a fresh drive image is sufficient. Reformatting or deleting files isn’t enough to render the drive’s contents unreadable, even to freely available data recovery software.”
He says the best way to prepare an old computer or mobile device for redeployment is to use secure data erasure software such as Blancco 5 or Blancco Mobile. “It is capable of wiping storage media to the highest industry standards without affecting its functionality.”
One may also need to establish a security policy for the new user. Ideally, an organisation should have some form of security policy in place to cover the use of laptops, smartphones and other devices. This isn’t always the case, though, particularly among small and growing businesses.
It is also crucial to update existing policies to accommodate changing circumstances like redeploying old IT equipment.
“If you plan to redeploy a set of laptops that were previously only used in the office, but will shortly be the used by a more mobile team, one needs to ensure strong authentication and encryption. If it’s not mandated in the security policy that they use strong authentication and encryption, there’s an increased risk that the loss or theft of one of those devices might lead to a serious data breach,” says Arewa.
Whenever an organisation issues hardware to an employee, whether a new staff or someone who hasn’t been entrusted with their own IT equipment before, it is critical to ensure they are familiar with the security controls and the expected standard of behaviour.
Depending on the device’s use, secure data erasure may be necessary more regularly than simply when a computer changes hands from one employee to another. Most rules and regulations are strict about how long an organisation can hold onto customer data for example. Workers mustn’t be allowed to keep that information on local storage after that point.
Once again, this calls for some form of secure data erasure software. Organisations have a number of different options as to precisely how they handle the problem.