As the holiday season approaches (OK, it may already be here), workers in your company will likely be acquiring new smartphones. In fact, a recent survey by Blancco Technology Group says a whopping 68 percent of mobile users plan to purchase a new smartphone for the holidays.
That number seems high to me, but come January, you can be pretty sure there will be a lot of shiny new iPhones, Galaxies and Pixels connecting to your corporate network. But that’s not what this post is about. No, this post is about what happens to all those no-longer-shiny BYOD smartphones that used to connect to your corporate network and work with your corporate data, but have now been replaced with something new.
+ Also on Network World: How to implement an effective BYOD policy +
The Blancco report, called Holiday Shopping: When Smartphone Upgrades Go Wrong in a BYOD Workplace, surveyed more than 1,000 mobile device owners in nine countries. Tellingly, it found that 32 percent of mobile users were willing trade in their old phones to help finance a new device, while another 23 percent would be happy sell their old phones outright. And while many of those sales will be to reputable stores and services like Amazon or Gazelle, others would be to individuals contacted via eBay, Craigslist or even Facebook.
“Our study’s findings illustrate just how dangerous it can be if personal and corporate data are not properly erased when mobile users ditch their old smartphones for new ones this holiday season,” said Richard Stiennon, chief strategy officer of Blancco Technology Group in a statement.
Despite their owners’ good-faith efforts to remove personal data, he said, many of those old phones could still have “confidential and oftentimes compromising information at risk of being leaked.”
The numbers back up that warning. Almost two-thirds (66 percent) of mobile users surveyed said they stored at least some corporate information on their devices, and 42 percent said their company doesn’t know what corporate data was on their devices.
What kind of data are we talking about? Again according to the survey, the corporate data people are most worried about includes customer records, patent filings and system login credentials.
So, is this really a security risk? After all, only a clueless idiot wouldn’t wipe their phone before selling or trading it in, right?
Flaws with phone reset processes
Well, it turns out things may be a bit more complicated than that. The Blancco survey notes that despite widely reported flaws in the Android factory reset process due to software encryption, almost half of Android owners (46 percent) plan to use this method to “sanitize” their devices.
While iPhones employ stronger, hardware-based encryption, they are still vulnerable when users merely delete data manually: according to the report “manual deletion only removes pointers to the data, not the data itself.” And 30 percent of iPhone users said they planned to use manual processes to wipe their phones before selling them.
Given this level of carelessness, there may be a surprisingly simple solution. The Blancco survey reveals that almost all (95 percent) users would be at least somewhat likely to let their employers’ help permanently erase data from their phones before reselling or trading them in. So, I don’t know, maybe it would be a good idea for security-conscious companies to consider offering this service to their employees.