I am sure I won't be the first person to tell you that the bring-your-own-device (BYOD) revolution in the workplace has thrown a curve ball to those responsible for safeguarding your company's data. Although the corporate finance groups are singing the praises of the trend, due to its inherent reduction in costs, it's not all rosy in the BYOD world.
Here's why: With so many of us bringing more and more smart devices inside our office environments and hooking them to our corporate networks, the potential for data leakage grows exponentially. Combine that with the current tablet revolution and the mobile/remote employee trends, and it adds up to a potentially dangerous data-leak train wreck.
In a study conducted by the University of Glasgow, 63 percent of used smart devices purchased through eBay, other online marketplaces, and in second-hand stores, still had data on them. This data included personal information as well as sensitive business information. The study did not include tablet devices. I can only imagine the increase in sensitive data leaks when you include the road-warrior's best and newest smart device.
It's not like we haven't seen this scenario before. Think back five or so years ago. It was a different study but a similar scenario. The study focused on hard disk drives (HDDs) and the leak of corporate information from discarded PCs and laptops that were found to have sensitive business data still on the drives. After a few high-profile data leaks by some Fortune 500 companies, the electronic asset disposal (EAD) services industry took off. The EAD provider's key value proposition is in their process — a solid chain of custody of no-longer-needed electronic assets that terminates with the verifiable destruction of sensitive data, as well as the smart recycling of the non-sensitive materials.
So why is this any different in the BYOD world? Don't those smart devices and tablets end up in the same place? The answer is that they sure do. The problem is there's no chain of custody in the BYOD world. Think about it. When the corporations owned your cellphone and your PC or laptop, they controlled its issue to you, how you used it, what software you put on it, and when and how it was turned in and destroyed. Solid internal tracking of electronic assets coupled with a solid electronic asset disposal solution provider meant that, for the most part, the corporate crown jewels were safe.
In the BYOD world, the corporation does not own the IT equipment. Personal smart devices are being hooked up to corporate IT environments. This mating of personal and professional equipment and data is happening everywhere (think Facebook and LinkedIn). Add in the app revolution, and your corporate data is being commingled with secure and non-secure access points to the Web, cloud, etc. Not to mention the fact that those devices walk in and out of your office every day, and you have no control.
Unfortunately, there is no easy answer to this problem. I have seen it addressed via software solutions at the enterprise level (think Blancco or BlackBerry enterprise), at the device level (think solutions like Apple Find My Device, etc.), and at the human resources and legal levels with policies and procedures that prohibit users' use of corporate information. But the truth is, without a chain of custody model incorporated with these other solutions, once the corporate data is accessed or downloaded, it's already gone — you just don't know it yet.
The reality is that it's going to take some time for the corporate world to catch up with what I like to call the “semi-private information revolution” (think the cloud, Facebook, or social media). Until then, rely on your electronic asset disposal provider to help develop a strategy and process that is aligned with your corporate information sharing guidelines. Right now, your corporate data is only as safe as the process that you create.