Employees May Be Compromising Corporate Data With Decommissioned Devices

Employees May Be Compromising Corporate Data With Decommissioned Devices

Corporate data getting into the hands of someone outside the company is a frightening thought to most businesses.

While many enterprise IT departments are coming to terms with BYOD, a survey by Harris Interactive (on behalf of Fiberlink, a MDM provider), shows most BYOD employees are not properly disposing of or wiping corporate information from personal devices when they upgrade.

In July last year, Harris Interactive surveyed 2,243 U.S. adults ages 18 and older regarding whether they had disposed of corporate information before getting rid of the device. Only 16% had the data professionally wiped from the old device and only 5% had the device securely destroyed. While 58% of respondents kept the old device (though it remained inactive), 13% turned it over to their service provider; 11 percent said they donated the device, gave it away or threw it in the trash; and nine percent did something else with their previous device.

What this suggests, is that devices previously used for work in a corporate setting are now being given to family members or traded in for a new model.

What Does This Mean For The Enterprise?

While turning off remote email access is a simple step towards securing enterprise data, corporate BYO devices are increasingly being used to access other corporate data. Often, important documents and files will be stored on the device, in addition to data in mobile apps.

If corporate data is not wiped completely from the device before it is given away or decommissioned, there is the risk of sensitive data becoming public.

Simply wiping the device completely is an obvious answer to this issue, however, if the data is stored on a microSD card, wiping the device may not wipe the data stored on the memory card.

How To Prevent This

Enterprise IT will not only need to implement a robust BYOD policy, but ensure there are specific procedures to follow when decommissioning a BYO device.

Below are some tips from David Lingenfelter, information security officer at Fiberlink on how to improve your BYOD policy to protect corporate data:

[list style=”list1″ color=”green”]

  • Ensure the employee notifies the IT department if they are planning to swap devices.
  • IT should transfer all corporate material from the old device to the new device.
  • Remove and save all personal files from the old device.
  • Ensure that the old device is fully decommissioned by erasing all remaining corporate data. Most phones have a factory reset or ‘erase all data setting’, which will completely wipe the device of all data. Make sure if a microSD card was in use, that they manually remove it and use it in the new device or simply erase all the data from it as well.


All of the above can be made easier using a MDM platform, as devices can be wiped remotely, unenrolled from the corporate environment and data can be transferred easily (and securely) between devices among other benefits.

We’d like to know how your IT department handles decommissioned BYO devices, so share your thoughts in the comments below!