December 13, 2012 (Featured on CIO)
In July, Harris Interactive polled 2,243 U.S. adults ages 18 and older and found that most BYOD employees are not properly disposing of or wiping corporate information from personal devices when they upgrade.
Harris found that among U.S. adults who previously had a smartphone and/or tablet use for work and who have now upgraded, only 16 percent had the data professionally wiped from the old device and only five percent had the device securely destroyed. Most respondents (58 percent) kept the old device though it remained inactive; 13 percent turned it over to their service provider; 11 percent said they donated the device, gave it away or threw it in the trash; and nine percent did something else with their previous device.
BYOD Devices Don’t Go IT After Upgrade
“This is the beginning of something we haven’t seen before, which is the retirement of devices that aren’t going to end up back in IT’s hands,” says David Lingenfelter, information security officer at Fiberlink. “Some people are handing them off to their kids to use, whether they keep a cellular service on it or just use it as a Wi-Fi device. We’re seeing a lot of trade-ins and hand-offs to children or siblings that aren’t associated with the company. And when you trade a device in, the people you’re trading it into may or may not wipe it before they auction it off or sell it as a used device.”
And while turning off email access remotely is a simple matter, this past year has seen a spike in the use of personally owned mobile devices used to access other corporate data, Lingenfelter says. They often store important documents and files, not to mention data in mobile apps. Additionally, properly wiping a device is not necessarily straightforward. For instance, Lingenfelter says, if a device has a microSD card, wiping the device may not wipe the memory on the card.
To deal with this issue, Lingenfelter recommends adding provisions for decommissioning BYOD devices to your BYOD or mobile policy.
“I think it’s really important that companies have a BYOD policy, not just to protect the company but to protect the consumer,” he says. “There needs to be something in the policy to say whether the company does or does not have rights to the data on the device. In this case I think you can spin it to the end user. It’s not just corporate data you have to worry about, it’s all your own personal information too.”
A Four-Step Process for Decommissioning Mobile Devices
Fiberlink recommends IT departments ask employees to follow a four-step process for decommissioning mobile devices:
- Notify the IT department. Once employees receive a new device to use with the company’s BYOD program, they should send a note to the IT department to let IT know they plan to swap devices.
- Transfer corporate materials to the new device. IT can transfer all corporate materials from the old device to the new device. This can be relatively painless with an MDM solution but can also be done without one.
- Extract personal data from the device. Remove and save all personal files from the old device.
- Erase all remaining corporate data. Fully decommission the old device. Most devices have an option in the setting menu to perform a factory data reset to wipe all the data completely (if your company uses an MDM platform, it can wipe the data remotely). If your device has a microSD card, manually remove it and use it in your new device or erase the data from it as well.