Many companies want to save money by reusing old equipment instead of buying new – but they often don't properly remove the existing data on reused machines. This is according to local IT Asset Disposal (ITAD) specialist Xperien.
Many companies want to save money by reusing old equipment instead of buying new – but they often don't properly remove the existing data on reused machines. This is according to local IT Asset Disposal (ITAD) specialist Xperien.
Xperien CEO Wale Arewa warns that before companies start handing out old laptops, its important to be aware that redeploying old IT equipment is something that requires the utmost care and attention.
"If you don't address the security risks, theres a fair chance your organisations most sensitive data might fall into the wrong hands," he says.
A recent Verizon Data Breach Investigations Report found that a rising number of intellectual property thefts are attributable to insiders rather than hackers, while 22 per cent of all insider and privilege-abuse attacks take advantage of physical access to storage media.
Company executives responsible for IT asset management need to understand the principles of IT Asset Disposal (ITAD) and they need to consider regulatory compliance and the protection of company information. IT disposal has legislative requirements, compliance to Protection of Personal Information Act 2013 (PoPI 2013), the National Environmental Waste Management Act 2008 (NEMWA 2008) and the Consumer Protection Act 68 of 2008 (CPA).
How can one reuse business devices without increasing the organisations exposure to security risk? All data should be securely destroyed according to legislative requirements.
"Before you allow any staff member to use old hardware, you should destroy all data. You dont want a new employee to have access to the chief financial officers unencrypted spreadsheets," he explains.
"Many organisations fall at this first hurdle, they think a quick reformat of the hard drive or installing a fresh drive image is sufficient. Reformatting or deleting files isnt enough to render the drives contents unreadable, even to freely available data recovery software," he adds.
He says the best way to prepare an old computer or mobile device for redeployment is to use secure data erasure software such as Blancco 5 or Blancco Mobile. "It is capable of wiping storage media to the highest industry standards without affecting its functionality."
One may also need to establish a security policy for the new user. Ideally, an organisation should have some form of security policy in place to cover the use of laptops, smartphones and other devices. This isn't always the case, though, particularly among small and growing businesses.
It is also crucial to update existing policies to accommodate changing circumstances like redeploying old IT equipment.
"If you plan to redeploy a set of laptops that were previously only used in the office, but will shortly be the used by a more mobile team, one needs to ensure strong authentication and encryption. If its not mandated in the security policy that they use strong authentication and encryption, theres an increased risk that the loss or theft of one of those devices might lead to a serious data breach," says Arewa.
Whenever an organisation issues hardware to an employee, whether a new staff member or someone who hasn't been entrusted with their own IT equipment before, it is critical to ensure they are familiar with the security controls and the expected standard of behaviour.
Depending on the devices in use, secure data erasure may be necessary more regularly than simply when a computer changes hands from one employee to another. Most rules and regulations are strict about how long an organisation can hold onto customer data for example. Workers mustn't be allowed to keep that information on local storage after that point.
Once again, this calls for some form of secure data erasure software. Organisations have a number of different options as to precisely how they handle the problem. With Blancco Management Console, for example, files on remote machines can be deleted automatically from a central location, eliminating the need for employees to carry out the procedure manually.
"With this kind of solution in place, youre in a much better position to say that your organisations most sensitive data is secure no matter whos using your old business devices, or how theyre using them," he says.
For more information on asset disposal or data destruction, visit www.xperien.com