The NCSC has published new guidance on decommissioning assets. The one line worth pinning to a wall is theirs: "Assets that are no longer required become liabilities because they can open up vulnerabilities or expose information."
It is the least exciting topic in security, and probably the highest-value job most small businesses never finish.
Why this matters more than it sounds
Every breach story we have covered recently is, underneath, a story about something that should have been switched off years ago.
- A 27-year-old domain transferred away from a non-profit because nobody had reviewed who held the registrar account (GoDaddy).
- A surprise drop in Telnet scanning that revealed how much Telnet is still listening on the internet, decades after it should have been retired (Telnet).
- The NCSC's warning that AI is about to find bugs faster than humans can, including in systems nobody can remember setting up (patch wave).
The pattern repeats. The vulnerable thing is rarely the system someone is actively running. It is the system everyone forgot they had.
What the NCSC guidance actually says
The structure is straightforward. Plan for decommissioning when you buy the thing. Find everything you've got, including the bits nobody owns. Back up and prove you can restore. Take it down in a controlled order, sanitising data as you go. Verify, document, and update the inventory afterwards.
Two parts are worth singling out for smaller businesses.
The first is shadow IT. The NCSC flags it directly: undocumented systems that bypass procurement, sitting outside the controls everyone else lives by. In a small business this is rarely deliberate sabotage. It is the marketing tool a previous manager signed up for on a personal card, the SaaS trial that quietly became production, the spare laptop that ended up running a process nobody else understands. You cannot decommission what you cannot see.
The second is data sanitisation. Deleting files does not wipe a disk: the filesystem drops its record of the file, the bytes stay on the media until something overwrites them, and a recovery tool reads them back without needing the directory. Returning a leased laptop without a proper wipe hands over whatever was on it. Old NAS units sold on eBay are a steady source of recovered customer data. The guidance points at the NCSC's separate secure sanitisation document for the detail, and it is worth ten minutes of any director's time.
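The difference between "deleted" and "sanitised" is easiest to see on a tiny simulated disk. The block below is an added illustration written for this page, not code from the NCSC guidance or the article: it models a block device whose first block is the directory, "deletes" a file the way an ordinary filesystem does (drop the entry, keep the data), carves the raw image the way a recovery tool does, and then overwrites the image. The file name and customer record are constructed.

```python
"""Added example (not from the NCSC guidance or the article): why deleting a
file leaves its data on the media, and what an overwrite pass changes."""
import os

BLOCK = 64          # toy block size in bytes
N_BLOCKS = 32       # toy image is 2 KiB; block 0 is the directory


class ToyDisk:
    """A raw byte image. Block 0 lists files as 'name:start_block:length' lines."""

    def __init__(self):
        self.image = bytearray(BLOCK * N_BLOCKS)
        self.next_free = 1

    def _read_dir(self):
        raw = bytes(self.image[:BLOCK]).rstrip(b"\x00")
        entries = {}
        for line in raw.split(b"\n"):
            if line:
                name, start, length = line.split(b":")
                entries[name.decode()] = (int(start), int(length))
        return entries

    def _write_dir(self, entries):
        raw = b"".join(f"{n}:{s}:{l}\n".encode() for n, (s, l) in entries.items())
        assert len(raw) <= BLOCK, "toy directory block is full"
        self.image[:BLOCK] = raw.ljust(BLOCK, b"\x00")

    def listdir(self):
        return sorted(self._read_dir())

    def write(self, name, data):
        nblocks = -(-len(data) // BLOCK)           # ceiling division
        start = self.next_free
        off = start * BLOCK
        self.image[off:off + len(data)] = data
        self.next_free += nblocks
        entries = self._read_dir()
        entries[name] = (start, len(data))
        self._write_dir(entries)

    def read(self, name):
        start, length = self._read_dir()[name]
        off = start * BLOCK
        return bytes(self.image[off:off + length])

    def delete(self, name):
        """What rm / the Recycle Bin does: remove the directory entry only."""
        entries = self._read_dir()
        del entries[name]
        self._write_dir(entries)

    def carve(self, needle):
        """What a recovery tool does: ignore the directory, scan the raw image."""
        return bytes(self.image).find(needle) != -1

    def sanitise(self):
        """One overwrite pass over every block, then a cleared directory.
        A toy stand-in for the procedures in the NCSC sanitisation document."""
        self.image[:] = os.urandom(len(self.image))
        self.image[:BLOCK] = b"\x00" * BLOCK
        self.next_free = 1


def demo():
    """Run the three states and return what each one exposes."""
    d = ToyDisk()
    secret = b"customer: jane.doe@example.com card ending 4242"   # constructed record
    d.write("customers.csv", secret)
    assert d.read("customers.csv") == secret

    d.delete("customers.csv")
    listed_after_delete = "customers.csv" in d.listdir()
    carvable_after_delete = d.carve(b"jane.doe@example.com")

    d.sanitise()
    carvable_after_sanitise = d.carve(b"jane.doe@example.com")

    return {
        "listed_after_delete": listed_after_delete,        # False: the file is "gone"
        "carvable_after_delete": carvable_after_delete,    # True: the bytes are not
        "carvable_after_sanitise": carvable_after_sanitise,  # False after the overwrite
    }


if __name__ == "__main__":
    for state, exposed in demo().items():
        print(f"{state}: {exposed}")
```

The overwrite pass is the right mental model for a spinning disk; on flash media wear levelling can leave copies of old blocks that a host-side overwrite never reaches, which is one reason the NCSC document treats SSDs and phones separately from hard drives. The practical takeaway is the one in the paragraph above: follow the sanitisation guidance for the media you actually have, and do not treat "deleted" as "gone".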
What this looks like in a small business
You probably don't have an asset management programme. That is fine. The version that fits a 20-person company is a single afternoon and a shared spreadsheet.
- Domains and DNS. Every domain you own, where it is registered, who can log into the registrar, and which ones still need to exist. Cancel the ones that don't. Lock the ones that do.
- Cloud and SaaS accounts. Microsoft 365, Google Workspace, AWS, Azure, Stripe, the CRM, the marketing tools, the analytics tools, the AI tools nobody told finance about. For each: is it still used, who owns it, what data is in it, and who has admin.
- Email aliases and shared mailboxes. Old accounts@, sales@ and info@ addresses that route to people who left. Reset or close them.
- Old user accounts. Leavers in Active Directory, leavers in every SaaS tool, contractor accounts with no end date. The NCSC's recommended steps include continuing to monitor for the impact of removals, because half of the breakage shows up in the days after a switch-off.
- Hardware. Old laptops in the cupboard, the server that "we kept just in case", the NAS that nobody backs up but everyone relies on. Decide: needed, sanitise and dispose, or sanitise and keep.
- Integrations and API keys. Every webhook, every service-to-service login, every long-lived token. The ones tied to former staff or retired tools are pure liability.
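The account and token checks in the list above are mechanical enough to script once the exports are in hand. The block below is an added example for this page, not a tool from the NCSC or the article: it takes a constructed HR leavers list, constructed per-tool user exports and a constructed API-token inventory, and produces the review list, separating tokens that can simply be revoked from ones that are still in use and need their dependency found first (the "monitor for the impact of removals" point). Tool names, addresses, dates and the 90-day threshold are all assumptions.

```python
"""Added example (not from the NCSC guidance or the article): reconcile
constructed SaaS user exports, a leavers list and an API-token inventory
into a decommissioning review list."""
from datetime import date

TODAY = date(2024, 6, 1)     # fixed so the example is deterministic
STALE_DAYS = 90              # assumed threshold for "nobody is using this"

# Constructed HR leavers list.
LEAVERS = {"alice@example.com", "carol@example.com"}

# Constructed per-tool admin exports, one row per account.
SAAS_USERS = [
    {"tool": "crm", "email": "alice@example.com", "role": "admin",
     "last_login": date(2023, 11, 4)},
    {"tool": "crm", "email": "bob@example.com", "role": "user",
     "last_login": date(2024, 5, 30)},
    {"tool": "analytics", "email": "carol@example.com", "role": "user",
     "last_login": date(2024, 1, 9)},
    {"tool": "analytics", "email": "contractor1@agency.example", "role": "admin",
     "last_login": date(2024, 2, 1), "contractor": True, "contract_end": None},
    {"tool": "billing", "email": "dave@example.com", "role": "admin",
     "last_login": date(2024, 5, 31)},
]

# Constructed token / integration inventory.
API_TOKENS = [
    {"id": "tok_1", "owner": "alice@example.com", "tool": "crm",
     "expires": None, "last_used": date(2024, 5, 29)},
    {"id": "tok_2", "owner": "dave@example.com", "tool": "billing",
     "expires": date(2024, 12, 31), "last_used": date(2024, 5, 31)},
    {"id": "tok_3", "owner": "svc-legacy", "tool": "analytics",
     "expires": None, "last_used": date(2023, 9, 1)},
]


def days_since(d, today=TODAY):
    return None if d is None else (today - d).days


def review_accounts(users, leavers, today=TODAY):
    """Return (tool, email, role, reasons) for every account that needs a decision."""
    findings = []
    for u in users:
        reasons = []
        if u["email"] in leavers:
            reasons.append("leaver")
        if u.get("contractor") and u.get("contract_end") is None:
            reasons.append("contractor with no end date")
        idle = days_since(u["last_login"], today)
        if idle is None or idle > STALE_DAYS:
            reasons.append(f"no login in {STALE_DAYS} days")
        if reasons:
            findings.append((u["tool"], u["email"], u["role"], reasons))
    return findings


def review_tokens(tokens, leavers, today=TODAY):
    """Return (id, tool, owner, action, reasons) for every token that is a liability.

    A leaver's token that is still being used is the dangerous case: something
    in production depends on it, so revoke it only after finding and rotating
    that dependency, then watch for breakage."""
    findings = []
    for t in tokens:
        reasons = []
        if t["owner"] in leavers:
            reasons.append("owner has left")
        if t["expires"] is None:
            reasons.append("never expires")
        idle = days_since(t["last_used"], today)
        unused = idle is None or idle > STALE_DAYS
        if unused:
            reasons.append(f"unused for {STALE_DAYS} days")
        if not reasons:
            continue
        action = "revoke" if unused else "rotate, then revoke (still in use)"
        findings.append((t["id"], t["tool"], t["owner"], action, reasons))
    return findings


if __name__ == "__main__":
    for tool, email, role, why in review_accounts(SAAS_USERS, LEAVERS):
        print(f"ACCOUNT {tool:10} {email:28} {role:6} {', '.join(why)}")
    for tid, tool, owner, action, why in review_tokens(API_TOKENS, LEAVERS):
        print(f"TOKEN   {tid:10} {tool:10} {owner:20} {action}: {', '.join(why)}")
```

Feed it the real exports and the output is the spreadsheet the section above describes: a short list with a reason next to every line. Admin-role findings deserve attention first, and anything flagged "still in use" goes through the NCSC's controlled-order, then-monitor sequence rather than an immediate switch-off.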
The goal is not a perfect register. It is a list short enough to be honest about, reviewed often enough to stay honest.
The decommissioning instinct worth building
The NCSC frames this as a lifecycle question: plan the end at the start. In practice, the habit that does most of the work is much smaller. When you stop using something, switch it off. Not "park it for now." Not "we'll come back to that next quarter." Off, locked down, account closed, domain released, key revoked.
It is the cheapest control there is. Nobody markets it because nobody can sell it. That is precisely why it gets skipped.
How Steelwise can help
Walking through what you've actually got, what should have been switched off years ago, and what's safe to decommission first is the kind of review we run for clients. Get in touch.