Mobile Device Disposal: Best Practices for Burying BYOD Endpoints Without Risk
By Jasmine Henry
The circle of life is predictable and short for corporate-owned mobile devices. Aging devices are ideally retired before they become a security or productivity risk, wiped clean and recycled. Disposal is a natural, important part of endpoint management, but it’s often beyond IT’s control.
The rise of bring-your-own-device (BYOD) culture has made it significantly more complicated to ensure mobile endpoints never ride into the sunset with sensitive data onboard. Many resold smartphones still contain damaging personal data. Others contain traces of wiped data that can be recovered by hackers with moderate forensic skills.
You can’t exactly solve for security by demanding employees turn in retired personal devices. Burying your BYOD policy also probably won’t work. Half of workers over 30 believe the tech tools they use in their personal lives are “more effective and productive” than corporate-owned tech, according to a study from Intel. The productivity and satisfaction benefits of a BYOD policy often outweigh the security challenges.
BYOD is officially in, and corporate-issued Blackberries are ancient history. But what happens to your mobile risk posture when an employee decides to upgrade?
Clear End-of-Life Procedures for Corporate Devices Are Crucial
The endpoint management life cycle isn’t done when a device is replaced. The last stage in the life cycle ideally involves fast, secure and sustainable disposal. However, recent studies show many enterprises are struggling to manage end-of-life procedures for corporate-owned devices. According to IT services firm Probrand, in the two months following the introduction of the General Data Protection Regulation (GDPR), 44 percent of businesses in the trade sector did not wipe data from redundant IT equipment before disposal. Seventy one percent lacked a formal process for IT asset disposal.
Creating an internal policy for secure disposal of corporate devices is crucial. Mobile endpoints should be comprehensively wiped with a unified endpoint management (UEM) solution before being recycled to minimize the environmental impact. Prospective partners with Transported Asset Protection Association (TAPA) certifications can reduce the risks that retired smartphones are sold through unauthorized channels on the gray market. Other certifications that signify environmental responsibility among device disposal specialists include Responsible Recycling (R2), e-Stewards, OSHAS 18001, ISO 9001 and ISO 14001.
You can’t manage the risks of BYOD device disposal without a solid baseline for securely and responsibly recycling your own assets. Once you’ve created a policy and process, it’s time to think about what happens when your BYOD workforce gears up for an upgrade.
Build a Substantive Security Culture
UEM solutions and a BYOD policy might not be enough to mitigate device disposal risks. Before you can measure and mitigate mobile risks, you need to understand your mixed mobile environment and adopt a substantive culture of security.
Critically, according to experts, you should understand how devices are used for “business workflows, app usage, file sharing, syncing, and so on.” This profile can reveal opportunities for better BYOD culture via smarter configurations, containerization or access management policy. Understanding your risk posture across corporate and personal endpoints can help you mitigate device security risks before BYOD devices are buried.
Create a Prescriptive Mobile Security Policy
Creating a BYOD policy is a sticky affair that is best managed as a collaborative effort between security, risk, operations and legal counsel. Your policy may be comprehensive and approved by your lawyers, but is it effective? Nearly half of employees admit they’ve bucked mobile security policies to get the job done, according to Verizon. Prescriptive policy makes it harder for employees to find a work-around without disrupting user experience.
A basic BYOD policy may dictate key best practices for personal device end-of-life processes, such as:
- The employer’s right to access, monitor and delete data from BYOD endpoints;
- The employee’s responsibility to provide notice for data to be wiped, backed up or removed from a device; and
- Best practices for securely wiping and recycling personal devices.
A prescriptive policy puts these best practices into action. BYOD policy enforced through mobile device management (MDM) or UEM can provide the visibility to eliminate and minimize device risks before end-of-life, such as putting sensitive data on a personally owned device into a secure container or limiting employee data access according to role. Your BYOD policy probably can’t require employees to turn in personal mobile endpoints to your IT department, but it can become a prescriptive tool to avoid data exposure down the road.
Make Secure BYOD Disposal Appealing
Traditionally, the consumer mobile life cycle has been shorter than the corporate device life cycle. However, recent studies reveal that the tides are turning. As the market research firm Kantar Worldpanel noted earlier this year, Americans are waiting an average of 24.7 months to upgrade personal smartphones, a two-month increase over average ownership in 2015. According to researchers, consumers today are more likely to view their current device as “good enough.”
Creating subsidized, incentivized pathways for employees to securely recycle and upgrade personal devices makes sense for many enterprises. A buy-back program can be a particularly powerful tool for organizations that are shifting BYOD users to alternative models, such as corporate-owned, personally enabled (COPE) or personally owned, corporate-enabled (POCE) devices.
Your enterprise most likely cannot require employees to securely or sustainably dispose of personally owned devices through internal pathways. You can, however, mitigate the degree of sensitive data that is on a personal device that reaches end-of-life with UEM technologies for containerization and management. You can also make it easy and attractive for employees to securely recycle personal devices by offering subsidized upgrades, buy-back incentives or trade-in options.
Planning for BYOD End-of-Life Risks
Effective end-of-life procedures for personal mobile devices should be a whole-life cycle effort to understand risks, secure sensitive data and incentivize employees to dispose responsibly. BYOD disposal risk management should begin long before an employee’s device is posted for resale on eBay.