Employees with smartphones and tablets used in a BYOD scenario often leave confidential data on them when they replace them with new devices. This is a big mistake and exposes the company to great risk. Here's how to establish a policy for securely moving forward with a new BYOD device.
Mobile connected devices are the most sought after gifts this holiday season even beating out money, peace and happiness according to a recent study by the Consumer Electronics Association. But in the midst of the unmitigated joy the latest tablets and smartphones will bring comes a message of caution: when it comes time for out with the old, in with the new, BYOD workers need to deal with the data still sitting on discarded devices.
Right now they don't. MDM provider Fiberlink teamed up with Harris Interview to ask 2,243 workers what they had done with their previous mobile device when they upgraded to something new. Fifty eight percent of respondents said they kept the device, although inactive; 16 percent had the data professionally wiped; 13 percent turned the device over to the service provider; 11 percent donated the device, gave it away or threw it in the trash and five percent had the device securely destroyed. Most notable was that 68 percent of employees said they did not have their devices professionally wiped or securely destroyed when swapping them out for newer technology, according to Fiberlink.
The rapid pace of product upgrades in the device market has created new markets for people to sell their old device. Click here to read about three companies in this business.
"Whatever apps and information they have on there is still on there that's the concerning part," says David Lingenfelter, information security officer at Fiberlink. "The risk varies based on what you end up doing with the device. If you give a used device to your kid, chances are they won't do anything, but if you turn it into your carrier... they'll check to see if there's personal information on there. That's human nature; it's how people think."
He says it's really incumbent on the company, as much as the employee, to ensure that they know what to do when they get a new device for use at work.
"It's an education thing," Lingenfelter says, noting that people tend to forget about the specifics of a corporate BYOD policy, especially if it was implemented a long time ago. "They need to let employees know what to do with device... and the company should wipe it." In some cases, however, there is no policy. Seventy-eight percent of companies reported having some type of policy that specifically addresses mobile devices, according to a study by the Cloud Security Alliance. "With the majority of 69 percent having a low maturity of policy from non-existent to partially addressing mobile device security and privacy controls it seems most organizations are still wrestling with some of the tougher privacy directives of BYOD owners and organizational data security on BYOD," the study noted.
If there is a BYOD policy in place, the issue of discarding corporate data will depend on how the company set up the policy; if the employee turns off the carrier signal, the MDM agent on the device may alert IT, says Lingenfelter. In such a case, IT can contact the end user to asked what happened to the device and what they are planning to do with it. But in other situations, the employee will not know what to do and may just end up turning off the device and leaving potentially sensitive data on it.
The bottom line, says Lingenfelter, is the company needs to have a policy, someone to enforce that policy and make sure users are aware of what the policy says.
Fiberlink has issued a four-step process for deactivating a device:
Notify Your IT Department Once you receive a new device and want to use it for your company's BYOD program, send your IT department a note and let them know you will be swapping devices.
Transfer Corporate Materials to Your New Device Have your IT department quickly transfer all corporate materials from the old device to the new device through the MDM platform. If you don't have an MDM solution in place, ask your IT department to assist with transferring data, although this is more complicated and could take longer.
Extract Personal Data from Your Devicee Once your corporate data has been transferred to the new device, remove and save all personal files. This can be accomplished with the native tools and back-up services of the operative system or the manufacture (e.g., Apple's iCloud or Google Drive).
Erase all Remaining Personal and Corporate Data Fully decommission the old device by removing all personal and corporate data. Make sure to delete all data. Most devices have an option in the setting menu to perform a factory data reset, which will wipe the data completely. This can also be accomplished remotely by an MDM platform. Note: In some tablets and smartphones, you should manually remove the storage card and use it in your new device or erase the data from it as well.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 7, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program!