Enterprise device recycling offers several advantages, but it also prompts new security concerns for IT administrators.
Disposing of devices in a sustainable manner, while also safeguarding sensitive data, is a dual challenge that many organizations face today. As a result, it's important to know the steps to securely recycle computers in an enterprise context.
Suppose a user needs a new computer. When they receive the new device, their organization might discard the old one as e-waste. If the old computer was not encrypted, someone can simply go dumpster diving and retrieve it to gain access to any local files and data stored on the device.
Although this example is fictional, scenarios like it do happen in real life. Organizations have suffered data breaches due to improper disposal of computers, leading to unauthorized data access and all the financial and legal ramifications that come with that. Even if an organization takes a more thoughtful approach and reuses or resells old devices, secure data disposal is not a guarantee. For example, in 2022, Morgan Stanley had to pay $60 million to settle a data security lawsuit after reselling unencrypted equipment that still contained customer data.
Organizations must adopt secure data disposal methods to follow data protection laws, such as GDPR and HIPAA. At the same time, many must adopt sustainable IT asset disposition methods to follow the e-waste laws that several governments have in place. To balance these needs and avoid environmental and security risks, IT should learn how to securely recycle enterprise computers.
How to secure data before device retirement
No matter how an organization might eventually retire a device, it's possible to mitigate some future security risks with user guidelines. For example, users should avoid storing files locally on their devices and instead opt for cloud storage services, such as Microsoft OneDrive or Google Drive. This also ensures data integrity in case of theft or hardware failure. But, regardless of the proper use of cloud-based tools, most Windows computers still store data locally, such as Outlook PST files, which can contain months of email, contacts and calendar information -- data that should not fall into the wrong hands.
Many organizations lack adequate procedures for the secure disposal of machines. Often, they resort to merely performing a factory reset in Windows or formatting the computer. However, formatting a disk doesn't delete the data on the disk; it only removes the pointers to the data. Unless IT performs a low-level format or uses software that overwrites the old data, there is a chance that the data is still easily accessible through recovery software.
Therefore, it is important to have the right procedures in place to guarantee that hard drives and other device components that might contain sensitive information are properly destroyed.
The following best practices can help IT ensure that data is not recoverable after device retirement:
- Data wiping. Software-based methods can overwrite all data on the storage devices and ensure no trace of the original data remains. It's important to use tools that meet recognized standards, such as NIST Special Publication 800-88, for data erasure.
- Degaussing. This process demagnetizes the hard drive, making it unreadable. Degaussing is effective but makes the drive unusable afterward. However, degaussing does not affect solid-state drives (SSDs), which do not store data magnetically.
- Physical destruction. In cases where data wiping or degaussing isn't feasible, the next option is physical destruction, such as shredding the hard drives. While effective, this method requires proper disposal of the shredded materials. This approach uses industrial-grade shredders specifically made for the destruction of electronic media.
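
The difference between formatting and overwriting described above, together with the verification read that should follow a wipe, can be shown on a small file-backed disk image. This is an added example, not code from the original article; the toy disk layout, the file names and the mailbox contents are constructed for illustration.

```python
import os
import tempfile

BLOCK = 512                      # toy sector size (assumption)
PST_MAGIC = b"!BDN"              # signature at the start of an Outlook PST file

def make_image(path, blocks=32):
    """Build a constructed toy disk: block 0 is a file table, the rest is data."""
    with open(path, "wb") as f:
        f.write(b"mail.pst@4".ljust(BLOCK, b"\0"))   # pointer: file lives in block 4
        for i in range(1, blocks):
            body = PST_MAGIC + b" constructed mailbox data" if i == 4 else b""
            f.write(body.ljust(BLOCK, b"\0"))

def quick_format(path):
    """Clear only the file table, as a format or reset does; data blocks stay."""
    with open(path, "r+b") as f:
        f.write(b"\0" * BLOCK)

def overwrite(path):
    """Single-pass overwrite of every block, flushed to the backing store."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(size // BLOCK):
            f.write(b"\0" * BLOCK)
        f.flush()
        os.fsync(f.fileno())

def residual_blocks(path):
    """Verification read: return indexes of blocks that still hold non-zero bytes."""
    leftover = []
    with open(path, "rb") as f:
        index = 0
        while chunk := f.read(BLOCK):
            if chunk.strip(b"\0"):
                leftover.append(index)
            index += 1
    return leftover

def demo():
    """Return (blocks left after format, blocks left after overwrite)."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        make_image(img)
        quick_format(img)
        after_format = residual_blocks(img)
        overwrite(img)
        return after_format, residual_blocks(img)

if __name__ == "__main__":
    print(demo())
```

On real hardware, the same verification read runs against the raw device after the erasure tool finishes. Overwriting from the host does not reach remapped or over-provisioned areas of an SSD, which is why NIST SP 800-88 points to the drive's built-in sanitize commands for flash media.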
For federal data, compliance with National Security Agency data destruction requirements might be necessary. This involves a two-step process of degaussing and destroying magnetic media. For SSDs, the only approved methods are disintegrators and incinerators.
When physically destroying a computer and hard drive, always obtain a certificate of data destruction from a certified service provider. This serves as proof that the hard drives were destroyed in compliance with legal and regulatory standards.
In addition to completing data destruction, however, IT should confirm that the device is at its end of life (EOL) and make sure that its parts don't become e-waste. Typically, the life span of a computer ranges from five to eight years, with some variation between desktops and laptops. Many users and organizations discard devices before their EOL, though. This practice is beneficial neither economically nor environmentally.
How to sustainably retire devices
After properly erasing all the sensitive data, admins can decide on the most practical way to get rid of the hardware. Parts that are no longer functional are still recyclable, so IT should take account of all these components to avoid violating e-waste laws, mishandling hazardous materials and contributing to toxic landfills. Organizations can utilize third-party recycling services to manage this part of the process.
Before considering recycling, organizations should also assess whether they can reuse or repurpose their computers. Even if a device can't serve its original purpose anymore, it can be useful in a new context. Reusing and repurposing computers can be an environmentally friendly and cost-effective approach, offering several benefits.
Extend computer life spans
IT teams should evaluate whether they can repurpose older computers within the organization for less demanding tasks. For example, it's possible to convert some devices into thin clients. Software such as ChromeOS Flex for PC and IGEL's Universal Desktop Converter can help transform an older machine into a modern thin client, which can then offer remote access to a VDI environment.
Another option would be to extend the lifecycle of the device by upgrading components such as RAM or hard drives. Laptop batteries lose capacity especially quickly, so IT should replace those as well. These measures can extend a computer's life span by two to three years, after which it can be recycled.
Donate old computers
Another approach is to donate older computers that are still functional to schools, nonprofit organizations or community centers. This not only supports the community, but also enhances the organization's corporate social responsibility profile.
Offer employee purchase programs
Organizations can also give employees the option to purchase old computers at a discounted rate. This can be a perk for employees and a simple way to ensure the device doesn't go to waste.
Regardless of how an organization decides to retire its hardware, it's crucial to perform secure data erasure on the devices. Before a computer is either repurposed or recycled, ensure that all valuable data is backed up securely, preferably in a cloud-based service. Provide guidelines to employees for backing up their data safely and ensuring that they do not store any data locally on the device.
When recycling is the only option, partner up with electronics recycling firms that adhere to sustainable practices. Make sure that they responsibly handle materials such as plastics, metals and toxic substances found in computers.
Properly recycling enterprise computers is a comprehensive process that involves employing secure data deletion, analyzing the potential for reuse and working with responsible recycling programs. By adopting these practices, organizations can protect sensitive data, contribute to environmental sustainability and even support their communities through donations or employee purchase programs.
Marius Sandbu is cloud evangelist for Sopra Steria in Norway who mainly focuses on end-user computing and cloud-native technology.