The trend of employees using personal devices for work is gaining popularity for many reasons, but for now let's zero in on one: Consumers tend to upgrade their devices sooner than their employers would. That's nice in that it means employees aren't working with outdated, and possibly insecure, gear and operating systems. In general, companies boarding the BYOD train will experience lower costs for IT assets, increased productivity, and happier employees.
However, as personal electronic devices gain more access to corporate data, whether through internal email, software, or files stored on the cloud, security is becoming a major concern. In particular, frequent smartphone upgrades demand an IT asset disposal (ITAD) policy, whether the device is being scrapped, sold, or traded in.
Consumers have lots of options to sell their used phones or tablets. It's our environmental responsibility to make sure the equipment will be reused, and if the employee gets a few bucks to put toward the cost of the upgraded version, all the better, right?
Sure, but it may not be better for the business. Robert Siciliano, an identity theft expert consulting for McAfee, disclosed in a recent exposé that over half of the 30 used devices he purchased online for the analysis (including smartphones, tablets, laptops, desktops, and netbooks) still contained information, even when the sellers believed they had purged the data. As if that's not bad enough, reports show it can take an expert less than three minutes to extract this data with relatively minimal effort. Passwords, network login screens – and other possibilities.
And the problems aren't just limited to selling or trading in a phone. It's also likely that employees using their own devices will at some point get a job with a competitor or lose their device. What then?
Before assuming you've you covered all your bases, make sure your ITAD policy avoids these problems:
1. Lack of clarity on policy Educate employees on your BYOD strategy, policy, and procedures. Clear communication is critical to cooperation. Not only will people using personal devices need to understand in-use restrictions – such as using a jail-broken device – they also need to know exactly what is expected of them in various circumstances, such as travel policies, theft, damage, trade-ins, and departure from the company.
Address all types of covered devices and disposal options. While narrowing your list of covered devices can make it easier for IT to provide support, don't get too restrictive. That goes against everything the BYOD implementation was set up to do -- provide convenience and productivity – and will force employees to sneak around behind IT's back. A too-narrow scope also could force you to constantly jump through hoops to add new covered devices to the list, resulting in a policy that's constantly being adjusted.
2. Lack of clarity on disposal options List disposal options and vendor contact information under each device within the policy to make options clear to employees.
Two common disposal methods involve employees selling or trading the device on their own (following provided specific disposal instructions) or – when stricter policies are enforced – the employees consulting with their IT departments on a disposal process already in place.
It's strongly advised that someone in IT should collect the phone for disposal so they can then inspect and install proper security features on the new phone. Not only will this process be more convenient for the employee, but can ensure compliance with internal data security procedures.
3. Lack of due diligence Many security requirements focus on working devices, but security needs to be taken seriously whether a device is being used or not. Disposal options should never be left solely up to the employee.
When deciding what vendor to partner with for a disposal program, use the same level of effort that's taken when choosing a vendor to manage your cloud security. Security requirements to look for in your IT asset disposal vendor should include onsite and offsite destruction, secure transportation, and options for wiping and/or degaussing. One standard to look for is the Transported Asset Protection Association (TAPA) certification. TAPA was created to prevent cargo theft and protect goods from being stolen during transit.
Other certifications to consider include Responsible Recycling (R2) and e-Stewards – the two most common standards in the industry. Recycling vendors with OHSAS 18001, ISO 9001 and 14001 certifications are considered companies that take environmental and employee health and safety seriously. These companies will be more likely to run efficient facilities with stronger regulations.
4. Lack of policy enforcement The flip side of having a strong communications plan in place that conveys restrictions is defining repercussions for those not following policy. An employee ignoring BYOD rules can lead to devastating corporate damage. The consequences for violating policy need to be clearly defined for all employees.
The key to success with the security of BYOD devices is to identify trends and jump ahead of the curve before disaster strikes. You will not regret taking the extra time to do the proper due diligence.
Attend the The Frictionless Enterprise: Built For Business webinar, learn to use the cloud for rapid functional trials and prototyping; fail fast (and recover even quicker); make mobility part of your productivity culture and your customer support; and reassess how you look at risk and the functions of IT. It happens June 18.
Steve Skurnac is the President of Sims Recycling Solutions, an electronics reuse and recycling company. View Full Bio
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.