MaaS360 by IBM provides 6 tips for the decommission of bring-your-own-devices in the enterprise
In the world of bring-your-own-device policies, users may run through multiple devices per year – a departure from the typical 18-month or two-year upgrade for the general population. As BYOD grows, mobile phones and tablets, versus the traditional laptop or desktop, are predicted to account for a majority of enterprise online activity by 2018. But while IT departments are embracing this phenomenon and becoming smarter about the new IT security challenges BYOD is creating, employees – aka those on the front lines – are often abysmally uninformed about keeping their device, and the data on it, protected. Many employees do not seem to understand the risk of using insecure mobile devices and apps in the workplace or why an employer may ban them. According to research from the Ponemon Institute, only 20% of employees say they have received training on the security of mobile content access and management in the workplace.
When looking at the lifespan of a BYO device, properly decommissioning an old one used for work can often be overlooked, however it is incredibly important to the security of corporate (and personal) data. As employees look toward purchasing the latest and greatest (and likely second or third) device, many are either selling their older phones or tablets to the Gazelles of the world, handing down their old devices to family and friends or simply donating them. I know very few kids anymore who are not carrying their own devices or begging for their parents (fully capable) older devices. At the surface this may seem harmless – but ignoring, or forgetting about, the presence of any sensitive corporate or personal data left on a hand-me-down device can create security issues. What those devices, their apps and even aftermarket memory cards carry with them into the afterlife, could put your business and personal data at risk. (Whoops, how did someone get my pictures?)
Securing a smartphone before you discard it is not difficult, but many people simply don’t take the process seriously, or don’t realize they should be responsible for clearing out their old phone or tablet – choosing instead to reply upon mail-in device recycling services to handle the scrubbing process. That is not to say these businesses shouldn’t be trusted, but with any exchange of personal information, users can never be too careful. There is simply no way to be sure.
Being negligent about proper device wiping can not only put a company at risk, it could put a former device owner’s job on the line. In many cases, employees are responsible for protecting the corporate data they have on their personal devices and will be held accountable if that information is compromised. If you are thinking about moving to greener device pastures, here are six simple, must-have tips on doing so securely:
Notify your IT department
Even though it was your device, if you buy a new device and want to use it as part of your company’s BYOD program, send your IT department a note and let them know you will be swapping devices. Your IT department should be able to remotely remove all corporate apps and data from your device. Many times, users feel that BYOD is on them and there is no need to contact IT. Users should think of this step as best practice for everyone’s safeguard.
Backup and extract personal data from your device
This can usually be accomplished with the native tools and back-up services of the operating system or the manufacturer (e.g., Apple iCloud and Google Drive). This should be quick and easy. Just double check to ensure all files you want have in fact transferred. No one wants to lose family pictures.
Remember the memory card
Memory cards can be a common oversight, but it’s important to remember that some mobile devices are configured to save data on one. When you deactivate a phone, any memory card should be removed. If you do not intend to reuse the same card in your new device, wipe this clean as well.
Don’t forget to wipe, if necessary
The “factory data reset” function on an Android or the “reset” function on an iPhone or iPad are good ways to wipe all data before retiring a mobile device or passing it on to another family member. This is your best insurance policy. Many people shy away from doing this as they feel they will “lose” something. One you have confirmed that you have all your data on your new device … there is no longer a reason to wait on this step.
Handing down? Tell new owners to get their own accounts
Remind family or friends receiving your old device to create individual user accounts for Google and Apple, as well as unique user accounts for any applications. Sharing user accounts across devices and applications could lead to data leak through someone else’s device. It’s just a bad practice. For kids, Amazon, Microsoft, Apple and Google all offer different types of child accounts and parental controls.
Strongly consider a six-digit PIN on your device
Research from IBM Security into one million BYOD and corporate-issued devices found nearly 80% of companies enforce only the most basic option to protect their data on employees’ phones: a four-to-five digit PIN. If your enterprise doesn’t already require lengthier passwords, switch to a longer PIN anyway.
Overall, anyone swapping out devices is urged to take caution and do so properly. We are using our devices to share and store more information than ever before, and with this freedom comes inherent risk for both enterprises and consumers.
Editor’s Note: In an attempt to broaden our interaction with our readers we have created this Reader Forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editors at: dmeyer@rcrwireless.com.