When personal smartphone trade-ins threaten corporate security

Just when you thought you had every aspect of security covered, along comes another to cause headaches and sleepless nights, often as an unexpected consequence of helping employees work remotely and more efficiently.

But it’s not just phones. Any device that can access, download and store corporate data puts it at risk of unauthorised access once the device is no longer controlled by the organisation or its employee.

The problem can be as simple as an employee who downloads work emails with attachments to their personal phone, decides to upgrade for something more exciting, faster, larger, quicker etc.

Of course, thanks to your engaging ‘bring your own device’ (BYOD) policy, this phone used to connect to your corporate network and handle corporate data, some of which was sensitive or worse, belonged to a client.

Your employee might not exchange their old phone to upgrade but sell it on the internet to all those companies happy to pay for old phones, ready to ship abroad where old phones can demand higher values – and the potential to retrieve your data goes with it.

If your conscientious employee is aware their phone, tablet or laptop contains client files, sensitive corporate data or network passwords and log-in details, they will more than likely attempt to delete everything. But it might not be as easy as they think.

Any device can undergo a factory re-set or a drive can be formatted to remove data, but how confident are you that every employee will recognise the risk and more importantly know how to do it. And we have witnessed the flaws with phone reset processes when in 2015 security experts retrieved sensitive data from Android phones after they underwent a reset.

Despite the more secure encryption used on some phones, manually deleting is still a favoured method to remove data off phones, but this usually only deletes the signposts to the information and not the data itself.

The simplest way will typically involve encrypting all the data on the phone, then at least if any is found following the factory reset process, it will be scrambled and of no use to whoever it is that finds it.

The most sensible and secure approach is to introduce a requests into the organisation’s BYOD policy for the firm to take responsibility for removing data from the employee’s phone, before they trade-in, retire their phone or leave the organisation.

If the request is couched in terms of shared responsibility to keep the organisation safe from attack, there should be little resistance to the concept. In truth, most people would welcome the support from experts to delete all data safely, even their own ‘personal’ information and pictures!

Like what you read?