Pursuing sustainability is a noble goal, and more and more environmentally conscious businesses are rising to the challenge. A common example is upgrading and then reselling old technology like routers, firewalls, and switches to others who can extract more life out of it. If you go down this path, it’s important to be wise about how you retire your old equipment.
Security risks that exist with old equipment
We would never throw our personal cell phones into a recycle bin before we erased all our data or reset them to factory specs. Why would we do anything less with work-related technology? Routers, firewalls, and switches are security tools that control access to your network and infrastructure. If they are improperly retired, they can serve up valuable security information to cybercriminals.
1. Your data is always at risk. All types of data, like passwords, logins, credentials, and personally identifiable information, are stored on office devices. Some data, like usernames, is in plain text and easily accessible. While passwords and configuration files are often protected because they are stored as scrambled cryptographic hashes, even hashed data can still be at risk.
2. Resold technology is a hacker’s paradise. At a security conference in San Francisco, researchers recently presented findings that more than half of the secondhand enterprise routers they bought for testing had been left completely intact by their previous owners. All the sample devices were brimming with network information, credentials, and confidential data about the institutions they belonged to.
3. The Dark Web is a marketplace for sensitive data. Corporate application logins, network credentials, and encryption keys have a high value on Dark Web markets and criminal forums. Cybercriminals collect this information about individuals for the sole purpose of selling it to other criminals to use in identity theft and other scams.
4. Old equipment is a liability. Routers, for example, may reveal that a particular organization is running outdated applications or operating systems that contain exploitable vulnerabilities, essentially giving hackers a road map of possible attack strategies. We recommend updating your technology every 3-5 years and making sure it is protected with the latest versions of enterprise-oriented security products.
5. Cyber insurance coverage. Your cyber insurance company won’t be happy if you file a claim and they learn that you sold your old router online without the proper wiping and security procedures. Your coverage could be denied.
6. The dark side of compliance. Selling a preowned router could violate industry regulations or compliance standards, such as HIPAA or PCI-DSS, and potentially result in fines or legal action.
Establish procedures for retiring old equipment
Waident has built its reputation on managing IT procedures and documentation. If there is an IT-related process at our clients, it’s documented, communicated, and followed. If you don’t have a technology retirement process documented and followed, it is time to ask yourself these questions:
- What are the criteria for retiring a piece of equipment?
- Who on my team is responsible for ensuring that all technology is properly retired whether I choose to trash, recycle, or resell it?
- What are the steps to retire my equipment (server, switch, firewall, router, printers, laptops, phones, etc.)?
- Are we collecting all the configurations and login information before wiping each device? Has it been documented?
- How do I know that the process was followed and the technology is safe to be disposed of?
Your answers will help you assess your risk and clarify your starting point for a more rigorous process to secure old equipment.
How do I erase all data on my device before retiring it?
The best way to ensure your data is wiped properly is to hire a certified third party to destroy the data and perform the necessary procedures before recycling.
Trust me, do not skip this step. This is an investment to keep your company safe.
Sustainability is an important goal. However, if they are not diligent, well-intentioned business owners can expose themselves to big risks while they are trying to do the right thing. In addition to doing good for the environment, make sure that you do the right thing for your company and its security. Properly wipe and secure your retired technology before it leaves your business.