BYOD Trade-Ins: How To Protect Your Business - InformationWeek

Steve Skurnac

Without an IT asset disposal policy, that iPhone an employee just unloaded on eBay could be a time bomb.

If you haven't yet implemented a bring-your-own-device (BYOD) program, odds are you will soon. Juniper Research estimates that by 2018, more than 1 billion workers will use their own smartphones or tablets for business.

The trend of employees using personal devices for work is gaining popularity for many reasons, but for now let's zero in on one: Consumers tend to upgrade their devices sooner than their employers would. That's nice in that it means employees aren't working with outdated, and possibly insecure, gear and operating systems. In general, companies boarding the BYOD train will experience lower costs for IT assets, increased productivity, and happier employees.  

However, as personal electronic devices gain more access to corporate data, whether through internal email, software, or files stored on the cloud, security is becoming a major concern. In particular, frequent smartphone upgrades demand an IT asset disposal (ITAD) policy, whether the device is being scrapped, sold, or traded in.


Consumers have lots of options to sell their used phones or tablets. It's our environmental responsibility to make sure the equipment will be reused, and if the employee gets a few bucks to put toward the cost of the upgraded version, all the better, right? 

Sure, but it may not be better for the business. Robert Siciliano, an identity theft expert consulting for McAfee, disclosed in a recent exposé that over half of the 30 used devices he purchased online for the analysis (including smartphones, tablets, laptops, desktops, and netbooks) still contained information, even when the sellers believed they had purged the data. As if that's not bad enough, reports show it can take an expert less than three minutes to extract this data with relatively minimal effort. That data can include passwords, network login screens, and other possibilities.

And the problems aren't just limited to selling or trading in a phone. It's also likely that employees using their own devices will at some point get a job with a competitor or lose their device. What then?

Before assuming you've covered all your bases, make sure your ITAD policy avoids these problems:

1. Lack of clarity on policy
Educate employees on your BYOD strategy, policy, and procedures. Clear communication is critical to cooperation. Not only will people using personal devices need to understand in-use restrictions – such as a restriction on using a jail-broken device – they also need to know exactly what is expected of them in various circumstances, such as travel, theft, damage, trade-ins, and departure from the company.

Address all types of covered devices and disposal options. While narrowing your list of covered devices can make it easier for IT to provide support, don't get too restrictive. That goes against everything the BYOD implementation was set up to do – provide convenience and productivity – and will force employees to sneak around behind IT's back. A too-narrow scope also could force you to constantly jump through hoops to add new covered devices to the list, resulting in a policy that's constantly being adjusted.

2. Lack of clarity on disposal options
List disposal options and vendor contact information under each device within the policy to make options clear to employees. 

Two common disposal methods involve employees selling or trading the device on their own (following provided specific disposal instructions) or – when stricter policies are enforced – the employees consulting with their IT departments on a disposal process already in place.

It's strongly advised that someone in IT should collect the phone for disposal so they can then inspect and install proper security features on the new phone. Not only will this process be more convenient for the employee, but it can also ensure compliance with internal data security procedures.

3. Lack of due diligence
Many security requirements focus on working devices, but security needs to be taken seriously whether a device is being used or not. Disposal options should never be left solely up to the employee. 

When deciding what vendor to partner with for a disposal program, use the same level of effort that's taken when choosing a vendor to manage your cloud security. Security requirements to look for in your IT asset disposal vendor should include onsite and offsite destruction, secure transportation, and options for wiping and/or degaussing. One standard to look for is the Transported Asset Protection Association (TAPA) certification. TAPA was created to prevent cargo theft and protect goods from being stolen during transit.

Other certifications to consider include Responsible Recycling (R2) and e-Stewards – the two most common standards in the industry. Recycling vendors with OHSAS 18001, ISO 9001 and 14001 certifications are considered companies that take environmental and employee health and safety seriously. These companies will be more likely to run efficient facilities with stronger regulations.

4. Lack of policy enforcement
The flip side of having a strong communications plan in place that conveys restrictions is defining repercussions for those not following policy. An employee ignoring BYOD rules can lead to devastating corporate damage. The consequences for violating policy need to be clearly defined for all employees. 

The key to success with the security of BYOD devices is to identify trends and jump ahead of the curve before disaster strikes. You will not regret taking the extra time to do the proper due diligence.


Steve Skurnac is the President of Sims Recycling Solutions, an electronics reuse and recycling company.
User Rank: Apprentice
8/5/2014 | 3:55:40 PM
Re: Trading Needs Security
An accredited certificate tells customers that your organisation has defined and put in place effective information security processes, thus helping to create a trusting relationship. A certification helps an organisation focus on improving information security processes. Above all, certification ensures that information security is kept up to scratch, ensuring the organisation's  ability to operate. Read on to see what our consultancy customers and delegates on training courses have said about the need for, and benefits associated with, ISO27001 certification
User Rank: Apprentice
6/25/2014 | 12:02:27 AM
Trading Needs Security
BYOD is a big security problem and device trade-in and upgrades are a big problem. Our hospital put a BYOD policy in place to use Tigertext for HIPAA compliant text messaging, which allows for auto-delete of messages and remote wipe so when the devices are lost, stolen or traded-in/upgraded, then Admin can wipe the messaging and data from the phone. The BYOD policy outlines this clearly so the employee is not surprised by the features of this required app. This app allows us not only to stay HIPAA compliant, but also protect internal company data. Yes, BYOD is a big security issue, but there are real productivity gains to be had and IT departments are going to have to be creative to get these gains and maintain security. Here is an example of a BYOD policy similar to ours:
User Rank: Ninja
6/23/2014 | 5:09:54 PM
Re: Disposal
One way around it might be for larger companies to get in the business of buying their employees' outdated phones.

Hi Gary! Nice suggestion, I agree. Maybe this is the most suitable option if there is a wide non-serious attitude on privacy and security. Perhaps, the company would have to lose some amount on trading but that cost is justifiable in lieu of security achieved.
User Rank: Ninja
6/23/2014 | 5:03:13 PM
Important for employee

in a recent exposé that over half of the 30 used devices he purchased online for the analysis (including smartphones, tablets, laptops, desktops, and netbooks) still contained information, even when the sellers believed they had purged the data

Very interesting post, Steve. The issue is of very critical nature for both the organization and employee. As the lost or sold phone may have personal data critical for employee's privacy and security as well. Establishing policies and procedures in this regard will be win-win for both the employer and employee. I think the policy can be most successful if employee's interest is highlighted.

User Rank: Ninja
6/19/2014 | 3:34:38 PM
What an interesting problem.

One way around it might be for larger companies to get in the business of buying their employees' outdated phones, zeroing out all the information in a thorough, professional manner, and then the employer could sell it. Perhaps companies will emerge to do this for smaller companies for whom establishing this process would be impractical.

Or, perhaps a service could be established to clean out all information from the phones for a fee, and the device can be returned to the individual with no information at all on it, and the employee could then sell it on their own?