The UK's official National Cyber Security Centre (NCSC) has published guidance aimed at technical staff and ‘risk owners’ on why it is important for organisations to decommission digital assets, and how to do so securely.
The NCSC says that decommissioning involves retiring digital assets – such as data, software, or hardware – from operation. It is a critical phase in the lifecycle of any asset. Decommissioning can be highly expensive and complex, with potentially severe repercussions if not done properly. Those risks can include:
unauthorised individuals accessing sensitive data
lost data, services or functions
disruption to the organisation
inability to roll back to a known safe state; and
exploitation of services or devices.
If decommissioning does not go as planned, or if only part of an asset needs decommissioning, then having backup, archiving, and recovery plans is critical, the NCSC advises.
Comment
Jon Abbott, CEO, ThreatAware, said: “The NCSC’s guidance represents solid best practice for securely decommissioning end-of-life IT assets. Organisations failing to take these steps leave themselves exposed to unnecessary cyber risk. Old, dormant assets often become forgotten blind spots in security coverage. It only takes one unknown, unmanaged device in an organisation’s IT estate for a threat actor to breach the network.
“We find on average 41 per cent of devices are ‘End of Life’ – and attackers actively hunt for these devices. Decommissioning orphaned devices is a security-critical process that needs clear auditing and proper disposal techniques to prevent data leakage. Organisations should integrate asset decommissioning as part of their broader IT asset management process, using automation and continuous discovery to make sure nothing slips through the cracks.”
You can view the guidance at https://www.ncsc.gov.uk/guidance/decommissioning-assets.
