Protecting corporate data when swapping BYOD devices

BYOD has been more readily accepted here than in other parts of the world, but does your organisation’s BYOD policy cover decommissioning devices?

BYOD has been more readily accepted here than in other parts of the world. While nearly half (48%) of respondents in Australasia said that their enterprise allows BYOD, only 28% of European countries allow BYOD, for instance.

However, a recent survey conducted by Harris Interactive has revealed a new security concern: the failure to properly decommission old devices. The survey, which polled around 2,200 BYOD employees in the US, found that most do not suitably dispose of corporate information stored on their current device when they upgrade. The results revealed:
 

  • 58% kept the old device
  • 16% had corporate data professionally wiped from the old device
  • 13% returned the device to their service provider
  • 11% donated, gave away, or threw out their device
  • 5% had the device securely destroyed
  • 9% did something else with the device

“This is the beginning of something we haven’t seen before, which is the retirement of devices that aren’t going to end up back in IT’s hands,” David Lingenfelter, information security officer at Fiberlink, told CIO.com. Lingenfelter observed that many employees are trading devices in, or handing them down to children or siblings. He recommended including provisions for the decommissioning of BYOD devices in an organisations BYOD policy.

Fiberlink, which commissioned the Harris Interactive survey, has developed a four-step process for decommissioning mobile devices:
 

  1. Notify the IT department: Employees should inform the IT department when they intend to swap devices to use under the organisation’s BYOD program.
     
  2. Transfer corporate materials to the new device: Have the IT department transfer all corporate materials from the old device to the new one.
     
  3. Extract personal data from the old device.
     
  4. Erase all remaining personal and corporate data.