The circle of life is predictable and short for corporate-owned mobile devices. Aging devices are ideally retired before they become a security or productivity risk, wiped clean and recycled. Disposal is a natural, important part of endpoint management, but it’s often beyond IT’s control.

The rise of bring-your-own-device (BYOD) culture has made it significantly more complicated to ensure mobile endpoints never ride into the sunset with sensitive data onboard. Many resold smartphones still contain damaging personal data. Others contain traces of wiped data that can be recovered by hackers with moderate forensic skills.

You can’t exactly solve for security by demanding employees turn in retired personal devices. Burying your BYOD policy also probably won’t work. Half of workers over 30 believe the tech tools they use in their personal lives are “more effective and productive” than corporate-owned tech, according to a study from Intel. The productivity and satisfaction benefits of a BYOD policy often outweigh the security challenges.

BYOD is officially in, and corporate-issued Blackberries are ancient history. But what happens to your mobile risk posture when an employee decides to upgrade?

Clear End-of-Life Procedures for Corporate Devices Are Crucial

The endpoint management life cycle isn’t done when a device is replaced. The last stage in the life cycle ideally involves fast, secure and sustainable disposal. However, recent studies show many enterprises are struggling to manage end-of-life procedures for corporate-owned devices. According to IT services firm Probrand, in the two months following the introduction of the General Data Protection Regulation (GDPR), 44 percent of businesses in the trade sector did not wipe data from redundant IT equipment before disposal. Seventy-one percent lacked a formal process for IT asset disposal.

Creating an internal policy for secure disposal of corporate devices is crucial. Mobile endpoints should be comprehensively wiped with a unified endpoint management (UEM) solution before being recycled to minimize the environmental impact. Prospective partners with Transported Asset Protection Association (TAPA) certifications can reduce the risk that retired smartphones are sold through unauthorized channels on the gray market. Other certifications that signify environmental responsibility among device disposal specialists include Responsible Recycling (R2), e-Stewards, OHSAS 18001, ISO 9001 and ISO 14001.

You can’t manage the risks of BYOD device disposal without a solid baseline for securely and responsibly recycling your own assets. Once you’ve created a policy and process, it’s time to think about what happens when your BYOD workforce gears up for an upgrade.

Build a Substantive Security Culture

UEM solutions and a BYOD policy might not be enough to mitigate device disposal risks. Before you can measure and mitigate mobile risks, you need to understand your mixed mobile environment and adopt a substantive culture of security.

Critically, according to experts, you should understand how devices are used for “business workflows, app usage, file sharing, syncing, and so on.” This profile can reveal opportunities for better BYOD culture via smarter configurations, containerization or access management policy. Understanding your risk posture across corporate and personal endpoints can help you mitigate device security risks before BYOD devices are buried.

Create a Prescriptive Mobile Security Policy

Creating a BYOD policy is a sticky affair that is best managed as a collaborative effort between security, risk, operations and legal counsel. Your policy may be comprehensive and approved by your lawyers, but is it effective? Nearly half of employees admit they’ve bucked mobile security policies to get the job done, according to Verizon. Prescriptive policy makes it harder for employees to find a work-around without disrupting user experience.

A basic BYOD policy may dictate key best practices for personal device end-of-life processes, such as:

  • The employer’s right to access, monitor and delete data from BYOD endpoints;
  • The employee’s responsibility to provide notice for data to be wiped, backed up or removed from a device; and
  • Best practices for securely wiping and recycling personal devices.

A prescriptive policy puts these best practices into action. BYOD policy enforced through mobile device management (MDM) or UEM can provide the visibility to minimize or eliminate device risks before end-of-life, such as by putting sensitive data on a personally owned device into a secure container or limiting employee data access according to role. Your BYOD policy probably can’t require employees to turn in personal mobile endpoints to your IT department, but it can become a prescriptive tool to avoid data exposure down the road.

Make Secure BYOD Disposal Appealing

Traditionally, the consumer mobile life cycle has been shorter than the corporate device life cycle. However, recent studies reveal that the tides are turning. As the market research firm Kantar Worldpanel noted earlier this year, Americans are waiting an average of 24.7 months to upgrade personal smartphones, a two-month increase over average ownership in 2015. According to researchers, consumers today are more likely to view their current device as “good enough.”

Creating subsidized, incentivized pathways for employees to securely recycle and upgrade personal devices makes sense for many enterprises. A buy-back program can be a particularly powerful tool for organizations that are shifting BYOD users to alternative models, such as corporate-owned, personally enabled (COPE) or personally owned, corporate-enabled (POCE) devices.

Your enterprise most likely cannot require employees to securely or sustainably dispose of personally owned devices through internal pathways. You can, however, limit the amount of sensitive data that is on a personal device when it reaches end-of-life with UEM technologies for containerization and management. You can also make it easy and attractive for employees to securely recycle personal devices by offering subsidized upgrades, buy-back incentives or trade-in options.

Planning for BYOD End-of-Life Risks

Effective end-of-life procedures for personal mobile devices should be a whole-life cycle effort to understand risks, secure sensitive data and incentivize employees to dispose responsibly. BYOD disposal risk management should begin long before an employee’s device is posted for resale on eBay.
