Light Dark
September 17, 2019 By Jasmine Henry 4 min read
Endpoint

The circle of life is predictable and short for corporate-owned mobile devices. Aging devices are ideally retired before they become a security or productivity risk, wiped clean and recycled. Disposal is a natural, important part of endpoint management, but it’s often beyond IT’s control.

The rise of bring-your-own-device (BYOD) culture has made it significantly more complicated to ensure mobile endpoints never ride into the sunset with sensitive data onboard. Many resold smartphones still contain damaging personal data. Others contain traces of wiped data that can be recovered by hackers with moderate forensic skills.

You can’t exactly solve for security by demanding employees turn in retired personal devices. Burying your BYOD policy also probably won’t work. Half of workers over 30 believe the tech tools they use in their personal lives are “more effective and productive” than corporate-owned tech, according to a study from Intel. The productivity and satisfaction benefits of a BYOD policy often outweigh the security challenges.

BYOD is officially in, and corporate-issued Blackberries are ancient history. But what happens to your mobile risk posture when an employee decides to upgrade?

Clear End-of-Life Procedures for Corporate Devices Are Crucial

The endpoint management life cycle isn’t done when a device is replaced. The last stage in the life cycle ideally involves fast, secure and sustainable disposal. However, recent studies show many enterprises are struggling to manage end-of-life procedures for corporate-owned devices. According to IT services firm Probrand, in the two months following the introduction of the General Data Protection Regulation (GDPR), 44 percent of businesses in the trade sector did not wipe data from redundant IT equipment before disposal. Seventy one percent lacked a formal process for IT asset disposal.

Creating an internal policy for secure disposal of corporate devices is crucial. Mobile endpoints should be comprehensively wiped with a unified endpoint management (UEM) solution before being recycled to minimize the environmental impact. Prospective partners with Transported Asset Protection Association (TAPA) certifications can reduce the risks that retired smartphones are sold through unauthorized channels on the gray market. Other certifications that signify environmental responsibility among device disposal specialists include Responsible Recycling (R2), e-Stewards, OSHAS 18001, ISO 9001 and ISO 14001.

You can’t manage the risks of BYOD device disposal without a solid baseline for securely and responsibly recycling your own assets. Once you’ve created a policy and process, it’s time to think about what happens when your BYOD workforce gears up for an upgrade.

Build a Substantive Security Culture

UEM solutions and a BYOD policy might not be enough to mitigate device disposal risks. Before you can measure and mitigate mobile risks, you need to understand your mixed mobile environment and adopt a substantive culture of security.

Critically, according to experts, you should understand how devices are used for “business workflows, app usage, file sharing, syncing, and so on.” This profile can reveal opportunities for better BYOD culture via smarter configurations, containerization or access management policy. Understanding your risk posture across corporate and personal endpoints can help you mitigate device security risks before BYOD devices are buried.

Create a Prescriptive Mobile Security Policy

Creating a BYOD policy is a sticky affair that is best managed as a collaborative effort between security, risk, operations and legal counsel. Your policy may be comprehensive and approved by your lawyers, but is it effective? Nearly half of employees admit they’ve bucked mobile security policies to get the job done, according to Verizon. Prescriptive policy makes it harder for employees to find a work-around without disrupting user experience.

A basic BYOD policy may dictate key best practices for personal device end-of-life processes, such as:

  • The employer’s right to access, monitor and delete data from BYOD endpoints;
  • The employee’s responsibility to provide notice for data to be wiped, backed up or removed from a device; and
  • Best practices for securely wiping and recycling personal devices.

A prescriptive policy puts these best practices into action. BYOD policy enforced through mobile device management (MDM) or UEM can provide the visibility to eliminate and minimize device risks before end-of-life, such as putting sensitive data on a personally owned device into a secure container or limiting employee data access according to role. Your BYOD policy probably can’t require employees to turn in personal mobile endpoints to your IT department, but it can become a prescriptive tool to avoid data exposure down the road.

Make Secure BYOD Disposal Appealing

Traditionally, the consumer mobile life cycle has been shorter than the corporate device life cycle. However, recent studies reveal that the tides are turning. As the market research firm Kantar Worldpanel noted earlier this year, Americans are waiting an average of 24.7 months to upgrade personal smartphones, a two-month increase over average ownership in 2015. According to researchers, consumers today are more likely to view their current device as “good enough.”

Creating subsidized, incentivized pathways for employees to securely recycle and upgrade personal devices makes sense for many enterprises. A buy-back program can be a particularly powerful tool for organizations that are shifting BYOD users to alternative models, such as corporate-owned, personally enabled (COPE) or personally owned, corporate-enabled (POCE) devices.

Your enterprise most likely cannot require employees to securely or sustainably dispose of personally owned devices through internal pathways. You can, however, mitigate the degree of sensitive data that is on a personal device that reaches end-of-life with UEM technologies for containerization and management. You can also make it easy and attractive for employees to securely recycle personal devices by offering subsidized upgrades, buy-back incentives or trade-in options.

Planning for BYOD End-of-Life Risks

Effective end-of-life procedures for personal mobile devices should be a whole-life cycle effort to understand risks, secure sensitive data and incentivize employees to dispose responsibly. BYOD disposal risk management should begin long before an employee’s device is posted for resale on eBay.

 |  |  |  |  |  |  |  |  |  | 
Jasmine Henry

More from Endpoint
November 28, 2023

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

October 30, 2023

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

October 19, 2023

Endpoint security in the cloud: What you need to know

9 min read - Cloud security is a buzzword in the world of technology these days — but not without good reason. Endpoint security is now one of the major concerns for businesses across the world. With ever-increasing incidents of data thefts and security breaches, it has become essential for companies to use efficient endpoint security for all their endpoints to prevent any loss of data. Security breaches can lead to billions of dollars worth of loss, not to mention the negative press in…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature