The news that personal computer sales tanked as consumers snapped up shiny new tablets and smartphones during the holiday season may have set off a wave of worry in corporate IT departments. After all, employees using personal mobile devices for work – whether sanctioned by the company with an official BYOD policy or not – can be careless when disposing of their old devices.
A Harris Interactive survey commissioned by Fiberlink found that just 16 percent of adults who use mobile devices for work had data professionally wiped from old devices when they got a new one. Even fewer, 5 percent, had the old device securely destroyed.
Most survey respondents, 58 percent, said they kept old devices. Thirteen percent returned devices to service providers without first wiping their data, while 11 percent donated devices, gave them away or just tossed them in the trash.
Assessing such risks should be a key part of any mobility program, and risk avoidance should be clearly addressed in BYOD policies. Ideally, IT departments will take the time to reinforce policies through user education.
When I wrote last month about an EY report that offered advice on creating effective BYOD policies, a reader contributed this comment:
"… Our hospital put a BYOD policy in place to use Tigertext for HIPAA compliant text messaging, but the doctors still used their unsecure regular SMS text messaging. Even though we had a good BYOD policy, it wasn't enough; we had to bring each doctor in to admin for 15 minutes of training and explaining the HIPAA issues and how to use the app correctly. Now we have the doctors in compliance which has significantly lowered the cyber-security risks and increased productivity for the doctors and the hospital. …"
David Lingenfelter, information security officer at Fiberlink, also recommends that IT administrators educate their employees on the correct process for swapping out their mobile devices.
Fiberlink's suggested process for mobile users:
- Notify the IT Department. When you receive a new device and want to use it for your company’s BYOD program, let the IT department know you will be swapping devices.
- Transfer Corporate Data to Your New Device. Have your IT department configure the device to access your corporate data. This will be easier for those working for companies with mobile device management (MDM) solutions, which can automatically push down corporate email, applications and documents.
- Extract Personal Data from Your Device. After corporate data has been transferred to the new device, save all personal files from your old device. This can be accomplished using the native tools and backup services of the operating system or the manufacturer (examples: Apple’s iCloud and Google Drive).
- Erase Remaining Personal and Corporate Data. After transferring files you want to save, remove all personal and corporate data. Make sure to delete all data.
- Go Ahead and Wipe, if Necessary. The "factory data reset" function on an Android or the "reset" function on an iPhone or iPad are good ways to wipe all data before retiring a mobile device or passing it on to a family member or someone else. Remember to check with your IT department prior to performing a reset if you are enrolled in a BYOD program.
- Don’t Forget the SD Card. Some mobile devices are configured to save data on an SD card, which can contain sensitive information. When you deactivate a phone, remove any SD cards.
- Protect Your New Mobile Device. Keep personal and professional data separated, and always password protect your information.
Ann All is the editor of eSecurity Planet and Enterprise Apps Today. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.