Are BYOD Employees Decommissioning Mobile Devices Properly?

Sales of mobile devices are expected to surge this holiday season. Whether your firm has embraced bring-your-own-device (BYOD) or elected to look the other way that means many of your employees can be expected to upgrade their tablets and smartphones. But what about their old devices? Will they be decommissioned properly?

According to a new survey by Harris Interactive--on behalf of Fiberlink, a provider of mobile device management (MDM) and mobile application management (MAM) solutions--the answer is probably not.

In July, Harris Interactive polled 2,243 U.S. adults ages 18 and older and found that most BYOD employees are not properly disposing of or wiping corporate information from personal devices when they upgrade.

Harris found that among U.S. adults who previously had a smartphone and/or tablet use for work and who have now upgraded, only 16 percent had the data professionally wiped from the old device and only five percent had the device securely destroyed. Most respondents (58 percent) kept the old device though it remained inactive; 13 percent turned it over to their service provider; 11 percent said they donated the device, gave it away or threw it in the trash; and nine percent did something else with their previous device.

BYOD Devices Don't Go IT After Upgrade

"This is the beginning of something we haven't seen before, which is the retirement of devices that aren't going to end up back in IT's hands," says David Lingenfelter, information security officer at Fiberlink. "Some people are handing them off to their kids to use, whether they keep a cellular service on it or just use it as a Wi-Fi device. We're seeing a lot of trade-ins and hand-offs to children or siblings that aren't associated with the company. And when you trade a device in, the people you're trading it into may or may not wipe it before they auction it off or sell it as a used device."

And while turning off email access remotely is a simple matter, this past year has seen a spike in the use of personally owned mobile devices used to access other corporate data, Lingenfelter says. They often store important documents and files, not to mention data in mobile apps. Additionally, properly wiping a device is not necessarily straightforward. For instance, Lingenfelter says, if a device has a microSD card, wiping the device may not wipe the memory on the card.

To deal with this issue, Lingenfelter recommends adding provisions for decommissioning BYOD devices to your BYOD or mobile policy.

"I think it's really important that companies have a BYOD policy, not just to protect the company but to protect the consumer," he says. "There needs to be something in the policy to say whether the company does or does not have rights to the data on the device. In this case I think you can spin it to the end user. It's not just corporate data you have to worry about, it's all your own personal information too."

A Four-Step Process for Decommissioning Mobile Devices

Fiberlink recommends IT departments ask employees to follow a four-step process for decommissioning mobile devices:

Notify the IT department. Once employees receive a new device to use with the company's BYOD program, they should send a note to the IT department to let IT know they plan to swap devices.

Transfer corporate materials to the new device. IT can transfer all corporate materials from the old device to the new device. This can be relatively painless with an MDM solution but can also be done without one.

Extract personal data from the device. Remove and save all personal files from the old device.

Erase all remaining corporate data. Fully decommission the old device. Most devices have an option in the setting menu to perform a factory data reset to wipe all the data completely (if your company uses an MDM platform, it can wipe the data remotely). If your device has a microSD card, manually remove it and use it in your new device or erase the data from it as well.

Join the CSO newsletter!

Error: Please check your email address.

Tags consumer electronicssecuritysmartphones

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Thor Olavsrud

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place