Subscribe to CIO Magazine »

Are BYOD Employees Decommissioning Mobile Devices Properly?

Sales of mobile devices are expected to surge this holiday season. Whether your firm has embraced bring-your-own-device (BYOD) or elected to look the other way that means many of your employees can be expected to upgrade their tablets and smartphones. But what about their old devices? Will they be decommissioned properly?

According to a new survey by Harris Interactive--on behalf of Fiberlink, a provider of mobile device management (MDM) and mobile application management (MAM) solutions--the answer is probably not.

In July, Harris Interactive polled 2,243 U.S. adults ages 18 and older and found that most BYOD employees are not properly disposing of or wiping corporate information from personal devices when they upgrade.

Harris found that among U.S. adults who previously had a smartphone and/or tablet use for work and who have now upgraded, only 16 percent had the data professionally wiped from the old device and only five percent had the device securely destroyed. Most respondents (58 percent) kept the old device though it remained inactive; 13 percent turned it over to their service provider; 11 percent said they donated the device, gave it away or threw it in the trash; and nine percent did something else with their previous device.

BYOD Devices Don't Go IT After Upgrade

"This is the beginning of something we haven't seen before, which is the retirement of devices that aren't going to end up back in IT's hands," says David Lingenfelter, information security officer at Fiberlink. "Some people are handing them off to their kids to use, whether they keep a cellular service on it or just use it as a Wi-Fi device. We're seeing a lot of trade-ins and hand-offs to children or siblings that aren't associated with the company. And when you trade a device in, the people you're trading it into may or may not wipe it before they auction it off or sell it as a used device."

And while turning off email access remotely is a simple matter, this past year has seen a spike in the use of personally owned mobile devices used to access other corporate data, Lingenfelter says. They often store important documents and files, not to mention data in mobile apps. Additionally, properly wiping a device is not necessarily straightforward. For instance, Lingenfelter says, if a device has a microSD card, wiping the device may not wipe the memory on the card.

To deal with this issue, Lingenfelter recommends adding provisions for decommissioning BYOD devices to your BYOD or mobile policy.

"I think it's really important that companies have a BYOD policy, not just to protect the company but to protect the consumer," he says. "There needs to be something in the policy to say whether the company does or does not have rights to the data on the device. In this case I think you can spin it to the end user. It's not just corporate data you have to worry about, it's all your own personal information too."

A Four-Step Process for Decommissioning Mobile Devices

Fiberlink recommends IT departments ask employees to follow a four-step process for decommissioning mobile devices:

Notify the IT department. Once employees receive a new device to use with the company's BYOD program, they should send a note to the IT department to let IT know they plan to swap devices.

Transfer corporate materials to the new device. IT can transfer all corporate materials from the old device to the new device. This can be relatively painless with an MDM solution but can also be done without one.

Extract personal data from the device. Remove and save all personal files from the old device.

Erase all remaining corporate data. Fully decommission the old device. Most devices have an option in the setting menu to perform a factory data reset to wipe all the data completely (if your company uses an MDM platform, it can wipe the data remotely). If your device has a microSD card, manually remove it and use it in your new device or erase the data from it as well.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Comments are now closed.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: consumer electronics, security, smartphones
Latest Blog Posts
  • Top 20 Critical Security Controls - Compliance Guide
    Simply being compliant is not enough to mitigate attacks and protect critical information. Organizations can reduce chances of compromise by shifting away from a compliance-driven approach. This guide provides the Top 20 Critical Security Controls (CSCs) developed by the SANS Institute to address the need for a risk-based approach to security.
    Learn more »
  • Rebranded Quadmark revamps its IT solutions with Google Apps
    The Singapore office was using Exchange as its email server but encountered various issues such as storage capacity limitations and difficulty in managing spam. Adding new users to the server was also a hassle that often required a third party vendor, resulting in a waste of time and resources. Quadmark also experienced email performance issues that slowed down their employees’ response time, leading to frustration among staff and clients. Quadmark’s management felt that it was unacceptable to continue it’s current solution and thus decided to streamline its IT infrastructure alongside its rebranding plans. The business wanted a unified and consolidated email service for its various offices. Quadmark also wanted to be able to house files and documents on the cloud.
    Learn more »
  • Case Study: ETEL Limited
    Read how ETEL Limited, a pioneering design and manufacture business in New Zealand, managed to perfect their expansion into new markets by utilising an ERP system to support growth and provide “one source for truth” accessible to the entire organisation.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Salary Calculator

Supplied by

View the full Peoplebank ICT Salary & Employment Index