Asset disposal: the overlooked attack surface

Joe Adamou at Innovent Recycling explains why IT asset disposal remains a blind spot for security teams

Security teams invest heavily in endpoint protection, network segmentation, and incident response capabilities. Yet there’s a critical moment when all this carefully constructed defence falls away: the moment an asset leaves the building for disposal. For many organisations, IT asset disposal represents an unmanaged attack surface that auditors rarely scrutinise and security policies often fail to address.

The Factory Reset Fallacy

Walk into most organisations and ask how they sanitise devices before disposal, and you’ll hear variations of the same answer: "We factory reset them" or "IT deletes all the files first". This confidence is misplaced.

Factory resets on modern devices are designed for consumer convenience, not security. They mark data as deleted and reinitialise the operating system, but the underlying data remains on the storage media. Recovery tools can retrieve supposedly wiped files in minutes. Even the "secure erase" options built into operating systems often rely on the storage controller’s firmware implementing the command correctly, an assumption that doesn’t always hold true for older hardware or certain SSD models.

The uncomfortable truth is that data sanitisation requires either cryptographic erasure (if the device was encrypted from day one with properly managed keys) or physical destruction of the storage media. Everything else is security theatre.

The Audit Gap Nobody Talks About

Information security audits typically focus on live systems: access controls, patch management, backup procedures. Disposal processes receive a cursory tick-box check. "Do you have a policy for secure disposal?" Yes. "Is it documented?" Yes. Tick, move on.

What auditors rarely verify is whether the policy is actually followed in practice. When a laptop breaks, does it go through the documented secure disposal process, or does it sit in a cupboard for six months before someone from facilities quietly disposes of it? When a department upgrades 50 phones, does security verify the sanitisation method, or does procurement arrange collection without informing anyone?

The gap between policy and practice is where breaches happen. In regulated sectors, this gap also represents a compliance risk that many organisations haven’t properly assessed.

Hardware-Level Risks Beyond the Obvious

Most security discussions about disposal focus on hard drives and laptops. That’s only part of the picture.

Modern multifunction printers store copies of scanned and printed documents on internal hard drives. VoIP phones may cache contact lists and call logs. Network switches and routers contain configuration files that reveal network topology. Even seemingly innocuous devices like smart displays or conference room systems may store credentials or session data.

Solid-state drives present a particular challenge. Unlike traditional hard drives where data can be reliably overwritten, SSDs use wear-levelling algorithms that scatter data across the physical media. A file you think you’ve overwritten three times may still exist in blocks the controller marked as unused. For SSDs, cryptographic erasure or physical destruction are the only reliable sanitisation methods.

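The three claims made above (a reset or delete only drops the mapping to the data, overwriting an SSD does not reach every physical page, and cryptographic erasure works once the key is gone) can be made concrete with a toy model. The following is an added example, not code from the article or from Innovent Recycling: the `ToySSD` class, its flash translation layer, the `PAGE` size, the sample record and the SHA-256 XOR keystream standing in for disk encryption are all constructed for illustration.

```python
"""Why 'delete' and multi-pass overwrite are not sanitisation on flash media.

Added example; not code from the original article. It models a tiny SSD with
a flash translation layer (FTL): each logical block address (LBA) maps to a
physical page, and every write lands on a fresh page (wear levelling), so the
page holding the old data is only unmapped, not erased. The cipher is a
constructed SHA-256 XOR keystream used purely to illustrate cryptographic
erasure; it is not a real disk-encryption scheme.
"""
import hashlib
import os

PAGE = 32  # bytes per physical page; constructed, unrealistically small


class ToySSD:
    def __init__(self, pages=16):
        self.flash = [bytes(PAGE) for _ in range(pages)]  # physical pages
        self.free = list(range(pages))                     # unused page numbers
        self.map = {}                                      # LBA -> physical page

    def write(self, lba, data):
        assert len(data) == PAGE
        page = self.free.pop(0)   # wear levelling: always take a fresh page
        self.flash[page] = data
        self.map[lba] = page      # the previously mapped page is left as-is

    def read(self, lba):
        return self.flash[self.map[lba]] if lba in self.map else bytes(PAGE)

    def delete(self, lba):
        # What a filesystem delete or a factory reset does: drop the mapping.
        self.map.pop(lba, None)

    def raw_dump(self):
        # What a chip-off reader or recovery tool sees: every physical page.
        return b"".join(self.flash)


def keystream(key, nbytes):
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]


def xor_crypt(data, key):
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# Constructed 32-byte sample record standing in for customer data.
SECRET = b"CUSTOMER-RECORD: acct 000123 ok!"
assert len(SECRET) == PAGE


def delete_leaves_data():
    """'Factory reset' case: the mapping is gone, the bytes are still on the media."""
    ssd = ToySSD()
    ssd.write(0, SECRET)
    ssd.delete(0)
    return ssd.read(0) != SECRET and SECRET in ssd.raw_dump()


def overwrite_leaves_data():
    """Three-pass overwrite: each pass goes to a new page; the first page is untouched."""
    ssd = ToySSD()
    ssd.write(0, SECRET)
    for _ in range(3):
        ssd.write(0, os.urandom(PAGE))
    return SECRET in ssd.raw_dump()


def crypto_erase_works():
    """Encrypted from day one; zeroising the key makes every page useless."""
    key_store = bytearray(os.urandom(32))      # stands in for a TPM/KMS-held key
    ssd = ToySSD()
    ssd.write(0, xor_crypt(SECRET, bytes(key_store)))
    readable_before = xor_crypt(ssd.read(0), bytes(key_store)) == SECRET
    for i in range(len(key_store)):            # cryptographic erase: destroy the key
        key_store[i] = 0
    readable_after = xor_crypt(ssd.read(0), bytes(key_store)) == SECRET
    return readable_before and not readable_after and SECRET not in ssd.raw_dump()


if __name__ == "__main__":
    print("delete leaves data on media:  ", delete_leaves_data())
    print("3-pass overwrite leaves data: ", overwrite_leaves_data())
    print("crypto erase defeats recovery:", crypto_erase_works())
```

The model deliberately never garbage-collects, which is the pessimistic case a recovery tool relies on: real controllers do reclaim pages eventually, but nothing in the logical interface tells the host when, which is why the article's conclusion (cryptographic erasure with the key verifiably destroyed, or physical destruction) is the only position a security team can evidence.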
Then there’s the embedded storage problem. USB drives left in laptops. SD cards in cameras. SIM cards in mobile hotspots. These small form-factor storage devices are easy to overlook during disposal and easy to remove by anyone who handles the equipment between your office and the eventual destruction facility.

A Due Diligence Framework

Security teams should treat IT asset disposal with the same rigour as any other critical process. That means verification, not trust.

Before any device leaves the organisation, someone should verify: 

  • What data classification was stored on this device? Consumer-grade disposal methods might suffice for devices that only ever accessed public information. Anything that processed customer data, financial information, or confidential business documents requires verified sanitisation or destruction.
  • What sanitisation method was used, and do we have proof? "We wiped it" isn’t sufficient. Was the device encrypted from deployment? Were encryption keys destroyed? Was destruction witnessed? Is there a certificate of destruction from a third party?
  • Who will handle this equipment between here and final disposal? If you’re handing devices to a collection service, what security vetting have they undergone? What happens if equipment goes missing in transit? Who’s liable?
  • What happens if sanitisation fails? Older equipment may have failing storage controllers that won’t execute secure erase commands. Broken devices can’t be booted to run wiping software. There needs to be a fallback process, typically physical destruction.

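The four questions above are a decision procedure, and a security team that wants "verification, not trust" can encode them so that every disposal record is checked the same way. The following is an added example, not the article's or Innovent Recycling's code: the record fields, classification labels, method names and evidence rules are assumptions chosen to illustrate the framework, to be adapted to your own policy.

```python
"""Policy-as-code check of a disposal record against the four due-diligence questions.

Added example; not the article's or Innovent Recycling's code. The record
fields, classification labels, method names and evidence rules are assumptions
chosen to illustrate 'verification, not trust'; adapt them to your own policy.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VERIFIED_METHODS = {"crypto_erase", "physical_destruction"}


@dataclass
class DisposalRecord:
    asset_id: str
    classification: str                 # "public" | "internal" | "confidential"
    method: str                         # "factory_reset" | "software_wipe" | "crypto_erase" | "physical_destruction"
    encrypted_from_deployment: bool = False
    keys_destroyed: bool = False
    destruction_witnessed: bool = False
    certificate_ref: Optional[str] = None                        # third-party certificate of destruction
    custodians: List[str] = field(default_factory=list)          # every hand-off before final disposal
    custodian_vetted: Dict[str, bool] = field(default_factory=dict)
    device_boots: bool = True
    sanitisation_succeeded: bool = True


def assess(rec: DisposalRecord) -> List[str]:
    """Return the list of findings; an empty list means the record is acceptable."""
    findings: List[str] = []
    sensitive = rec.classification != "public"

    # Q1 + Q2: the data classification sets the evidence bar, and a claim needs proof.
    if sensitive and rec.method not in VERIFIED_METHODS:
        findings.append(f"{rec.asset_id}: '{rec.method}' is not verified sanitisation for {rec.classification} data")
    if rec.method == "crypto_erase":
        if not rec.encrypted_from_deployment:
            findings.append(f"{rec.asset_id}: crypto erase claimed but device was not encrypted from deployment")
        if not rec.keys_destroyed:
            findings.append(f"{rec.asset_id}: crypto erase claimed but no record of key destruction")
    if rec.method == "physical_destruction" and not (rec.destruction_witnessed or rec.certificate_ref):
        findings.append(f"{rec.asset_id}: destruction neither witnessed nor certificated")

    # Q3: every party in the chain of custody must be vetted.
    for who in rec.custodians:
        if not rec.custodian_vetted.get(who, False):
            findings.append(f"{rec.asset_id}: unvetted custodian '{who}'")

    # Q4: a failed or impossible wipe must fall back to destruction.
    if rec.method == "software_wipe" and not rec.device_boots:
        findings.append(f"{rec.asset_id}: software wipe recorded on a device that cannot boot")
    if not rec.sanitisation_succeeded and rec.method != "physical_destruction":
        findings.append(f"{rec.asset_id}: sanitisation failed and no fallback to physical destruction")

    return findings


# Constructed sample records.
GOOD = DisposalRecord(
    asset_id="LAP-0001", classification="confidential", method="crypto_erase",
    encrypted_from_deployment=True, keys_destroyed=True,
    custodians=["courier-A"], custodian_vetted={"courier-A": True},
)
BAD = DisposalRecord(
    asset_id="PHN-0042", classification="confidential", method="factory_reset",
    custodians=["facilities", "courier-B"], custodian_vetted={"courier-B": True},
    device_boots=False,
)
FAILED_WIPE = DisposalRecord(
    asset_id="SRV-0007", classification="internal", method="software_wipe",
    sanitisation_succeeded=False,
)

if __name__ == "__main__":
    for rec in (GOOD, BAD, FAILED_WIPE):
        print(rec.asset_id, assess(rec) or ["OK"])
```

Running the check at the point a device is booked out, rather than after the fact, is what turns the policy document into a control: a record with any finding cannot leave the building, and the empty finding list is the evidence an auditor can ask for later.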
The Regulatory Ratchet

Under GDPR, organisations remain data controllers even when equipment is being disposed of. That means you’re accountable for any personal data breach that occurs because a disposal vendor failed to properly sanitise equipment. "We hired a specialist company" isn’t a defence if you didn’t verify their processes.

The incoming NIS2 directive increases the accountability bar further for operators of essential services. Security teams will need to demonstrate not just that they have policies, but that they can evidence compliance throughout the asset lifecycle, including disposal.

For organisations in regulated sectors, the question isn’t whether disposal processes will come under scrutiny, it’s when. The time to close this gap is before an auditor, regulator, or worse, a breach investigation, exposes it.

Closing the Loop

IT asset disposal doesn’t need to be complicated, but it does need to be deliberate. Security teams should know what’s being disposed of, verify how it’s being sanitised, and maintain evidence that the process was followed. Anything less leaves an attack surface that no amount of perimeter security can mitigate.

The devices leaving your building today may no longer be your problem from an IT support perspective, but from a security and compliance perspective, they remain your responsibility until they’re provably destroyed. It’s time to treat disposal with the seriousness it deserves.

Joe Adamou is a Data Media Security Manager at Innovent Recycling, specialists in secure IT asset lifecycle management and regulatory compliance for data disposal processes.

Main image courtesy of iStockPhoto.com and Dony

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543