Take a second and look around your open office space. What do you see? Maybe a dozen workstations, laptops, phones, a printer, a copier, and who knows what else—the modern office is flooded with devices. All those devices are generally “smart,” whether that means connecting to the internet or predicting your next action before you even have time to think about it. But what happens when a device needs to be repaired, scrapped, donated, or sold?
Device management is crucial. Why? Data on hard drives remains alive and vulnerable unless you take action. The hard drive on discarded equipment can become a digital time bomb for your company and a gold mine for identity thieves, as CBS News demonstrated in their report titled, “Digital Photocopiers Loaded With Secrets.” Investigators walked inside a warehouse in New Jersey containing 6,000 used copy machines ready to be sold around the world. They purchased four, pulled out the hard drives, and scanned them. The results were eye-popping: files on domestic violence complaints, wanted sex offenders, major drug raid targets, pay stubs and checks, and 300 pages of an individual’s health records. Scared yet?
Protect your data—by destroying it
Getting rid of data for good can be tough, but the US Department of Commerce’s National Institute of Standards and Technology took a shot at some guidelines in its 2015 “Risk Management for Replication Devices (RDs).” It highlights device management best practices for protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on RDs. Here’s the important stuff:
- Unencrypted information: Any information stored unencrypted on an RD could be exposed or modified by anyone with access (including maintenance personnel) or in the event of a successful network-based attack.
- Sanitisation: Information could be retrieved by unauthorised personnel when the RD is discarded, warehoused, or repurposed.
- Access: External maintenance personnel given physical or remote access could download or copy stored information.
- Unauthorised Storage: RDs may store unauthorised data in memory. Such data has likely been illegally obtained (e.g. copyrighted data, intellectual property).
Remember that warehouse in New Jersey? Two shipping containers were headed overseas to Argentina and Singapore full of used copiers, along with all the secret data investigators found on them. End-of-life processing is essential device management if your IT team ever wants to sleep soundly again.
Hunt for ghost images
Revved-up data recovery techniques can definitely escalate the problem of rogue hard drives. Computer forensic scientists are looking for ways to retrieve “ghost” images and minuscule fragments of disk platters, especially in cases of terrorism, for crime fighters to use as evidence. You have to wonder if the baddies are doing the same thing for darker purposes.
Back to that busted hard drive. In 2016, the International Organisation of Scientific Research Journals published “Computer Forensic Investigation on Hard Drive Data Recover: A Review Study,” packed full of methods and tools to recover data from hard disk drives, how data recovery tools work, in what situations you can lose your data permanently, and under what conditions you can recover your data. It’s good to know you can pull back lost data when you want to do so, but it’s not so good when prying eyes are looking for “such stuff as dreams are made of”—your financial data, for example. Think Equifax!
Craft your ultimate hard drive security checklist
To protect your company against legal and financial exposure, work with credentialed security advisers to figure out the best end-of-life plan for your outdated equipment. At base level, any device management checklist should include:
- Complete destruction and recycling at a state-of-the-art recycling facility
- Data destruction (degaussing or shredding)
- Asset tracking, auditing, and certificates of destruction
- Transportation and logistics coordination
Even your home equipment can put your personal data at risk. When you finish with a laptop, copier, or printer, wipe the hard drive, physically remove it, or drill it. IT teams can even go a step further in crafting their ultimate device management solution by working with a Device as a Service offering—one that handles everything from configuration to decommissioning, so your endpoints don’t end up full of data on a boat to Singapore.
Give your device CPR—it isn’t dead yet
If that hard drive crashed because of a parts failure, security can be even trickier due to third-party repair teams coming onto your property. Prep for emergency and routine maintenance by making a habit of encrypting sensitive data and creating passwords for applications that contain sensitive data.
Even better, install equipment with smart device security technology that alerts you to problems before the parts fail, reducing security risks. Look for solutions, like cloud tools and device-based sensing capabilities, which monitor and diagnose service needs to maximise uptime and cut costs. For reboot, you’ll want a solution that detects and prevents the execution of malicious code and self-heals the BIOS.
All those devices you see around your office? They’re crucial to your organisation’s productivity and growth. You just need to be smart about device management when you say RIP to any hard drive and invest in tools that work with your team to keep security top of mind for the entire lifecycle.