I am sure I won't be the first person to tell you that the bring-your-own-device (BYOD) revolution in the workplace has thrown a curve ball to those responsible for safeguarding your company's data. Although the corporate finance groups are singing the praises of the trend, due to its inherent reduction in costs, it's not all rosy in the BYOD world.
Here's why: With so many of us bringing more and more smart devices inside our office environments and hooking them to our corporate networks, the potential for data leakage grows exponentially. Combine that with the current tablet revolution and the mobile/remote employee trends, and it adds up to a potentially dangerous data-leak train wreck.
In a study conducted by the University of Glasgow, 63 percent of used smart devices purchased through eBay, other online marketplaces, and in second-hand stores, still had data on them. This data included personal information as well as sensitive business information.
The study did not include tablet devices. I can only imagine the increase in sensitive data leaks when you include the road-warrior's best and newest smart device.
It's not like we haven't seen this scenario before. Think back five or so years ago. It was a different study but similar scenario. The study focused on hard disk drives (HDDs) and the leak of corporate information from discarded PCs and laptops that were found to have sensitive business data still on the drives. After a few high profile data leaks by some Fortune 500 companies, the electronic asset disposal (EAD) services industry took off. The EAD provider's key value proposition is in their process -- a solid chain of custody of no longer needed electronic assets that terminates with the verifiable destruction of sensitive data, as well as the smart recycling of the non-sensitive materials.
So why is this any different in the BYOD world? Don't those smart devices and tablets end up in the same place? The answer is that they sure do. The problem is there's no chain of custody in the BYOD world. Think about it. When the corporations owned your cellphone and your PC or laptop, they controlled its issue to you, how you used it, what software you put on it, and when and how it was turned in and destroyed. A solid internal tracking of electronic assets coupled with a solid electronic asset disposal solution provider meant that, for the most part, the corporate crown jewels were safe.
In the BYOD world, the corporation does not own the IT equipment. Personal smart devices are being hooked up to corporate IT environments. This mating of personal and professional equipment and data is happening everywhere (think Facebook and LinkedIn). Add in the app revolution, and your corporate data is being comingled with secure and non-secure access points to the Web, cloud, etc. Not to mention the fact that those devices metaphorically walk in and out of your office every day, and you have no control.
Unfortunately, there is no easy answer to this problem. I have seen it addressed via software solutions at the enterprise level (think Blancco or BlackBerry enterprise), at the device level (think solutions like Apple Find My Device, etc.), and at the human resources and legal levels with policies and procedures that prohibit users' use of corporate information. But the truth is, without a chain of custody model incorporated with these other solutions, once the corporate data is accessed or downloaded, it's already gone -- you just don't know it yet.
The reality is that it's going to take some time for the corporate world to catch up with what I like to call the "semi-private information revolution" like the cloud, Facebook, or social media. Until then, rely on your electronic asset disposal provider to help develop a strategy and process that is aligned with your corporate information sharing guidelines. Right now, your corporate data is only as safe as the process that you create.
Frank: interesting point that your personal device will have corporate information on it when you dispose of it. Seems like a no-brainer, but it caught my interest. I noticed that Arrow just acquired an EAD company that provides the kind of data-wiping services you mentioned. That has to be key in any EAD business--even better, if one distributor sells and then can reclaim the same device. But it helps to know that data-wiping is part of the whole EAD solution.
I totally agree with the article. Many of us busy people read company emails on phones. That's dangerous leak if the phone is lost.
Some recent articles report that quite a number of malware are from Android apps. These are like worms which keep on digging for your personal data. Watch out !
True Alxe, we use our phones to do all the work mainly rather than using it to make calls. Thats wherethe hackers come into play where they can insert small apps which can harm the data of your phone. Its our duty to use oit wisely on the sites or apps we know. Do not click on things which looks suspicious or which you do not know.
I like this article, addressed some of contemporary issues regarding security of mobile devices. How about IPv6 auto-configuration and IP renumbering in mobile devices? And more importantly malware/worm works unaware or without the knowledge of mobile users, a big problem. I think users have little or no power to effect the change unless you go for a more or bettter security featured mobile devices, i think.
@WB: I totally agree with the point, because people in a such way, have achieved some knowledge in how to manage security risks for their PC/Laptop, but for mobile devices, risks that are coming (and will come) represent a new horizon to explore and investigate, including for myself.
Matteo, I wish I could agree we understand the risks involved. I have two old PCs at home I want to throw out but must confess that I haven't thought much about how to secure the personal data on them. I have copied my hard drives to make sure I can still access the data but haven't spent time on making sure they don't get into the wrong hands. I guess, like many other people, I expect the reclamation centers to do this!
Of course, companies do a better job -- we hope. The reality is, though, that even a supposedly "wiped" hard drive can be salvaged and the data on it restored by IT experts determined to do so. It may cost a bundle but the technology exits.
I plan to open up those two PCs, take out the hard drives and crush them!
Well Bolaji, at the end, we could assume a new fascinating scenario is coming. Not to say I have a crystall ball, but I am feeling one of the most important business in the future will be about mobile data storage and in a such way mobile cloud is a good for hitting the target !
I've thought about what can enterprises do to use BYOD policies but to also have enough data protection. How about having specific "app stores" for those devices? I'm sure Apple is more than willing to create IBM iTunes Store with pre-paid apps that any employee can download for free... those apps should be pre-approved by the IT department.
Also have limits on the other types of apps that users can install.
Mr.Roques, you are outlining a very interesting point, especially for CIOs and IT Departments. BYOD is a key topic to address for them and it takes time for reaching the proper trade-off in security and in allowing own devices usage inside companies. Several providers are developing devoted software platforms for allowing devices' control, but once again, it is a critical matter because of privacy rules to accomplish.
it is nigh on impossible to keep a clear delineation between work and personal data. I am sorry I have no idea how to fix it except to say I hope that common sense prevails.
In my opinion this is a tricky problem which cannot be solved by legal framework, or common sense or by just wiping out the data.
You won't exactly know when your smart device becomes vulnerable to data sealing, physical stealing.
This problem has to be tackled technically.
A way to protect the sensitive official data on your smart device could be to have it sored in encrypted manner on your local storage all the time. To be able to read that data at any time from your local device you must be required to obtain the decryption key from your authority ( for every access) which will verify your credentials before issuing you the key.
This is similar to those one time passwords that the net banking systems issue to you for each on line transaction
@PD, yeah more technical orientation might be another strategy but dont you think mobile device users' behaviours and attitude could be another factor to help improving the situation. How many users would be ready and/or have the capability of going through such a high -level of encryption and decryption process on every single access? Though, corporate organization has the responsibility to enusure proactiveness of its access management team 24/7.
EBN Dialogue enables and encourages you to participate in live chats with notable leaders and luminaries. Not only editors and journalists, but the entire EBN community is able to comment and ask questions. Listed below are upcoming and archived chats.
Archived Dialogues
Thailand Stages a Comeback Join EBN contributor Jennifer Baljko on Thursday August 23, 2012, at 11:00 a.m. EST for a live chat on how electronic manufacturers in Thailand have shored up their supply chain to reduce the impact of future natural disasters.
Euro-Crisis: What It Means for High-Tech Firms Join EBN Editor in Chief Bolaji Ojo and Contributing Editor Jennifer Baljko on Thursday, July 12, at 10:00 a.m. EDT for a Live Chat on high-tech and Europe's economic difficulties.
Microsoft Surface: Potential Winners & Losers What are the implications for the electronics industry supply chain of Microsoft Corp.'s decision to launch its own tablet PC? Join industry veteran and EE Times' systems and OEM expert Rick Merritt on Tuesday, July 3, at 12:00 pm EDT for a Live Chat on this subject.
Join EBN contributor Jennifer Baljko on Thursday August 23, 2012, at 11:00 a.m. EST for a live chat on how electronic manufacturers in Thailand have shored up their supply chain to reduce the impact of future natural disasters.
Peter Drucker famously said "Trying to predict the future is like trying to drive down a country road at night with no lights while looking out the back window." Yet in the razor's-edge world of electronics—with a lean supply chain and just-in-time demands—the need to know the future is vital.
While no one really can accurately predict the future, we can take guidance from another Drucker saying which is the best way to predict the future is to create it.
You've heard the saying "the No. 1 supply chain risk is your people." That hasn't always been the case. But today's complex global supply chain requires a new type of multitalented employee. It's one who understands, finance, marketing, economics, is savvy with technology, graceful with relationships and can think analytically.
Where are these people? Are universities properly preparing the next generation supply chain professionals? How do train your existing workforce for these new, demanding positions?
Brian Fuller, editor-in-chief of EBN, will lead a 60-minute Avnet Velocity panel discussion that will ask and answer these and other questions swirling around today's supply-chain talent challenges.
To save this item to your list of favorite EBN content so you can find it later in your Profile page, click the "Save It" button next to the item.
If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This