Minimising refurbished device vulnerabilities will provide better cyber security for businesses
By Stephen Leach, Detective Inspector and Head of Business Development at NEBRC
Any device used within a business is a potential target for cyber criminals. Each device holds a wide range of personal and business data, which can leave businesses vulnerable should an attacker gain access.
Devices such as smartphones, tablets, laptops and desktop PCs are essential to running a business. However, careful planning is required by business leaders to ensure that any new technology is introduced in a way that protects the business and its stakeholders.
Refurbished technology refers to electronic devices which have been returned to a manufacturer or retailer (either unused or used) and resold having been checked and verified as working to a high standard. This could include display items used in retail, unused returns, or items which have small defects such as a scratched screen. It might also be a used product that has been traded in with a specific retailer. The products will usually be cleaned, repaired and reset to factory settings, before being packaged and sold on.
There are both financial and environmental benefits which come from using refurbished devices over buying brand new. Plus, the cost savings can mean businesses will be able to afford a higher spec of device too, enhancing business performance.
There are always risks involved when integrating any new technology into your business and so precautions such as the below 10 considerations should be taken into account. Non-profit organisations such as the NCSC and NEBRC provide guidance to support with vulnerability assessments for businesses, which can be completed internally or remotely to help spot weaknesses that cyber criminals could leverage.
9 considerations for implementing new or refurbished tech in your business, and how to reduce risk
The below checklist is a useful starting point, providing guidance on how to mitigate risks when introducing and managing new technology within your business.
- Always buy from a reputable seller
I’d always recommend doing your research before buying refurbished devices. You need to look at the exact checks and updates which have been made to the devices. For example, products are often listed as “like new”; however, there is no standardisation across retailers. To avoid running into performance issues later down the line, also check the warranty length each seller offers.
- What are your security requirements?
Whilst a device might appear to be a bargain, you will need to do additional research to check the manufacturer meets your business’ security requirements. Ensure that the device will be supported by the manufacturer for the time period you expect to use it. Unsupported devices won’t receive security updates from the manufacturer, making them easier to hack. Manufacturer updates provide device security and bug fixes.
- Factory resets are important
It is crucial that second-hand devices have had a factory reset, ensuring that they are in the most risk-free state before they are introduced into your business. Refer to the manufacturer’s website, as different models will each have differing steps required to do the reset.
- Match your business needs to the device features
Do you really need the latest gadget available? Weigh up your business needs against the technology, finding a balance between hardware and software features vs. cost. Creating a list of non-negotiable features will help ensure the device is fit for purpose.
- Test and log devices
Before purchasing and deploying a particular device across the company, try testing a small number as a pilot scheme, to ensure it is a good fit for your needs. You should also add any devices to a list or device log, commonly known as an “asset register”, so that they can be monitored appropriately and updated when required.
- Passwords are the first line of defence
We often talk about passwords as being the first line of defence for businesses in relation to cyber security. Any new devices should have password protection switched on immediately, setting up a screen lock using a password, fingerprint, face ID or PIN. Passwords should follow best practice such as using three random words and password managers.
- Create a plan for tracking and wiping devices
Should a device fall into the wrong hands, it is important for a business to be able to track or wipe it. To avoid any disruption to business continuity, you should also regularly back up devices. This is key for business productivity, reputation and to meet security regulations such as GDPR.
- Stay up to date
Software updates allow new features, bug fixes and patching to take place on your device, which are vital for cyber security, especially with any antivirus apps. Some devices allow automatic updates, a useful feature which we would highly recommend utilising.
- Staff training and policy enforcement
The creation of policies and best practice regarding device introduction and ongoing management is also a good idea. New starts will need training and this should be reviewed throughout the duration of their employment. Policies might include BYOD, remote working and use of devices for personal use.
These nine best practice tips are just a starting point to help reduce cyber risk when introducing refurbished devices into your business. Regularly running vulnerability assessments can help identify any weak spots. Your local cyber resilience centre can provide vulnerability assessment services, sharing advice and expertise on safe device set-up and identifying risk.