Vulnerabilities exposed during disposal of used computers

Upgrading equipment? Proper disposal of used computers is necessary to reduce risk, because sensitive data is vulnerable when old electronics go out the door.

Don’t create a security breach.

That should be the mantra of anyone who has a hand in managing information risk, but so many people overlook the realities of disposing of old computers and related equipment. I’d venture to guess more effort and money go into “green” marketing initiatives than proper system disposal. The focus is on business reputation as it pertains to good corporate citizenship, but sensitive information is being exposed when old electronics go out the door. There’s a bit of irony in it all.

Kevin Beaver

Proper disposal of used computers is not just about wiping hard drives. There are personal records, intellectual property and sensitive system configuration information on routers, firewalls, telephone equipment, backup tapes, smartphones and so on. It’s everywhere. If you’re not taking the proper steps to identify sensitive information before it leaves the building, you’re opening your business -- and yourself -- up to big headaches, at best. These headaches can quickly turn into nightmares if sensitive information is ever brought out and used against you.

Take a look at how your company handles the disposal of used computers. Can you truly say that sensitive information is completely cleared off your systems that are traded, sold or otherwise thrown out? Based on your experience managing information risk and the misfortunes of others, what should you be doing more of? Is there anything you should be doing less of, or not at all? These are the kinds of questions that can help improve your compliance and information security initiatives.

At a minimum, your disposal program should include the elements shown in Figure 1:

Essential elements for effective computer disposal

In essence, you need to know what you’ve got, ensure that everyone knows the requirements and processes, enforce the rules and never let up.

There are enough security threats and vulnerabilities to information risk management as it is. Breaches born out of improper disposal of used computers are totally preventable. You should vow to get your arms around computer equipment disposal. Systems and sensitive information will no doubt slip through the cracks, but your goal isn’t to eliminate all risk. That’s an impossible task. Instead, develop a solid and repeatable process that shows your business is doing the right thing to minimize risks and reduce the impact when a breach does occur. It’s when businesses ignore basic due diligence and stand out from the crowd that they get into trouble.

Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. Beaver has authored/co-authored eight books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and the newly updated Hacking For Dummies, 3rd edition. In addition, he's the creator of the Security On Wheels information security audiobooks and blog.

1 comment

When disposing of computers, both toxic information and toxic metals have to be considered. Too many landfills have become horrendously dangerous because of electronics tossed aside willy-nilly by negligent companies. As laws have grown stricter and we've grown smarter, that may now be a lesser problem than our data. A wipe or two doesn't do much to keep old data secure. We use serious data destruction software AND physically remove and disable any disks we're tossing. Amazing what can be done with a good drill press....