Devices such as routers, printers, computers and tablets that have reached their end of life may seem to be working correctly, but they are a risk. If a device is past the manufacturer's defined end of life, the manufacturer will no longer send security updates to it. This leaves your organisation open to hackers, who could exploit the device and possibly gain unauthorised access to your data.
Another way to look at this is to consider what would happen if your building had broken doors or windows and you were no longer able to physically secure it. Your organisation would be at risk of a break-in because the building was not lockable. If an office door was broken, it would likely be changed immediately. Leaving devices without updates and with critical vulnerabilities is like leaving that broken door unfixed and allowing intruders in, putting both your information and your staff at risk.
As part of your business continuity and cyber strategy, we recommend auditing your devices and ensuring you have an asset register that contains all device and warranty information, including any significant dates for when the device goes out of support.
Having a rolling device programme can mean that devices are continually updated and there are no surprises when devices need to be replaced.
The DfE Digital Standards for schools and colleges give advice about how to plan for purchasing all kinds of devices, including servers and network hardware.
Data protection should be taken into consideration when reviewing older devices and systems. When reviewing the safety and security of your devices, your data protection officer should be involved, given that personal data should be kept secure by design and by default. The devices should be secure to protect against the risk of a data breach or cyber attack.
Carrying out a data protection impact assessment (DPIA) can help you assess the risk for both existing devices and any future purchases. For help and advice with supplier due diligence, review our Supplier Due Diligence Best Practice Library.
Should you need to dispose of any devices as part of this review, remember that data protection requirements need to be met as part of the disposal.
Data protection legislation compliance is something you should be doing now. If you need any further help and advice understanding where you are with your devices then please contact us on
Existing customers should start with the Information/Cyber Security Best Practice Library and contact us for additional information about access to our DfE Digital Standards Checklists. These new checklists will show you what areas you need to focus on to help you meet the standards, including the data protection ones that you should be meeting now.
We've put together a video to help you share this help and advice with your organisation:
If you want to email the video link to someone in your organisation or share with another colleague, please use this link (they do not need to be a customer to view):
Keeping devices up to date