Are BYOD Employees Decommissioning Mobile Devices Properly?

An information security officer recommends adding procedures for decommissioning devices to your BYOD policy before your BYOD employees upgrade to the latest smartphones and tablets this holiday season.

Thu, December 13, 2012

CIO — Sales of mobile devices are expected to surge this holiday season. Whether your firm has embraced bring-your-own-device (BYOD) or elected to look the other way that means many of your employees can be expected to upgrade their tablets and smartphones. But what about their old devices? Will they be decommissioned properly?

According to a new survey by Harris Interactive—on behalf of Fiberlink, a provider of mobile device management (MDM) and mobile application management (MAM) solutions—the answer is probably not.

In July, Harris Interactive polled 2,243 U.S. adults ages 18 and older and found that most BYOD employees are not properly disposing of or wiping corporate information from personal devices when they upgrade.

Harris found that among U.S. adults who previously had a smartphone and/or tablet use for work and who have now upgraded, only 16 percent had the data professionally wiped from the old device and only five percent had the device securely destroyed. Most respondents (58 percent) kept the old device though it remained inactive; 13 percent turned it over to their service provider; 11 percent said they donated the device, gave it away or threw it in the trash; and nine percent did something else with their previous device.

BYOD Devices Don't Go IT After Upgrade

"This is the beginning of something we haven't seen before, which is the retirement of devices that aren't going to end up back in IT's hands," says David Lingenfelter, information security officer at Fiberlink. "Some people are handing them off to their kids to use, whether they keep a cellular service on it or just use it as a Wi-Fi device. We're seeing a lot of trade-ins and hand-offs to children or siblings that aren't associated with the company. And when you trade a device in, the people you're trading it into may or may not wipe it before they auction it off or sell it as a used device."

And while turning off email access remotely is a simple matter, this past year has seen a spike in the use of personally owned mobile devices used to access other corporate data, Lingenfelter says. They often store important documents and files, not to mention data in mobile apps. Additionally, properly wiping a device is not necessarily straightforward. For instance, Lingenfelter says, if a device has a microSD card, wiping the device may not wipe the memory on the card.

To deal with this issue, Lingenfelter recommends adding provisions for decommissioning BYOD devices to your BYOD or mobile policy.

Continue Reading

Our Commenting Policies