Security budgets defend live systems. Meanwhile, retired laptops and servers leave the building with the same data and none of the defences.
Device end-of-life is a quietly recurring breach vector: drives resold with recoverable data, decommissioned servers idle in unsecured storage, media handed to disposal vendors nobody vetted.
The technical fix is settled: standards-based sanitisation for reusable media, physical shredding for everything else, chosen by media type and data classification.
The harder part is custody. A perfectly shredded drive means nothing if the chain from desk to shredder is undocumented — sealed containers, tracked transport, serial-level reconciliation and recorded destruction are what turn a process into evidence.
Certificates close the loop for legal and audit teams: unit-level documentation matching every serial collected to a destruction event, filed alongside your asset register.
Fold destruction into IT asset disposition and the economics improve too — working assets are recovered for value while data-bearing components are provably eliminated.
A retired drive with no custody record is a breach waiting for a finder.