Don’t Ignore Old Tech: Guidance from the NCSC

The National Cyber Security Centre (NCSC) has recently published updated guidance on the secure decommissioning of old digital systems and devices, emphasising that proper disposal is as crucial as secure setup for maintaining organisational security. This guidance is primarily targeted at IT teams but contains actionable advice for any business using computers, software, or online services.

Why proper decommissioning matters

Abandoned or neglected old technology can pose significant security risks. Devices such as old laptops or servers may still hold sensitive information, or, if left connected or improperly wiped, can provide unauthorized access points into your systems. The NCSC highlights that failing to securely retire these assets can result in data breaches, unauthorized access, and disruption to business operations.

Key steps for decommissioning

  • Plan Ahead: Do not delay decommissioning until the last minute. When acquiring new systems or updating software, consider how and when the old systems will be retired.
  • Inventory Management: Maintain a list of all computers, software, and devices in use. This helps track what is active and what can be safely decommissioned.
  • Back Up Data: Before disposing of any device or service, ensure all important data is backed up. This includes documents, emails, and credentials that may be needed for recovery.
  • Secure Data Wiping: When selling, donating, or discarding old devices, thoroughly erase all data. A factory reset is often insufficient; use secure wipe procedures or seek professional assistance.
  • Verify Data Removal: If using a third party for disposal, request proof that data has been securely wiped. If handling it yourself, document the steps taken for future reference. 

Additional considerations

  • Coordination and Communication: Decommissioning should be coordinated with all relevant stakeholders, and clear communication is essential so everyone understands the process and its impact.
  • Secure Storage: Devices awaiting decommissioning should be stored securely, especially if they contain sensitive data.
  • Asset Tracking: After decommissioning, update asset inventories to reflect changes and continue monitoring for any unforeseen impacts.
  • Backup and Recovery: Maintain robust backup, archiving, and recovery plans to mitigate risks if decommissioning does not go as planned.

Final thoughts…

The NCSC’s guidance is a practical reminder that old technology is not just clutter—it can be a security liability if not managed properly.

Even for those without technical expertise, simple steps like maintaining an inventory and planning for secure disposal can significantly reduce cyber risks. If you’re unsure where to start, making a list of current technology and identifying what is no longer needed is an effective first step.

You can find more detail on the NCSC website.
