BYOD Can Lead to Data Train Wreck

I am sure I won't be the first person to tell you that the bring-your-own-device (BYOD) revolution in the workplace has thrown a curve ball to those responsible for safeguarding your company's data. Although the corporate finance groups are singing the praises of the trend, due to its inherent reduction in costs, it's not all rosy in the BYOD world.

Here's why: With so many of us bringing more and more smart devices inside our office environments and hooking them to our corporate networks, the potential for data leakage grows exponentially. Combine that with the current tablet revolution and the mobile/remote employee trends, and it adds up to a potentially dangerous data-leak train wreck.

In a study conducted by the University of Glasgow, 63 percent of used smart devices purchased through eBay, other online marketplaces, and in second-hand stores, still had data on them. This data included personal information as well as sensitive business information. The study did not include tablet devices. I can only imagine the increase in sensitive data leaks when you include the road-warrior's best and newest smart device.

It's not like we haven't seen this scenario before. Think back five or so years ago. It was a different study but similar scenario. The study focused on hard disk drives (HDDs) and the leak of corporate information from discarded PCs and laptops that were found to have sensitive business data still on the drives. After a few high profile data leaks by some Fortune 500 companies, the electronic asset disposal (EAD) services industry took off. The EAD provider's key value proposition is in their process — a solid chain of custody of no longer needed electronic assets that terminates with the verifiable destruction of sensitive data, as well as the smart recycling of the non-sensitive materials.

So why is this any different in the BYOD world? Don't those smart devices and tablets end up in the same place? The answer is that they sure do. The problem is there's no chain of custody in the BYOD world. Think about it. When the corporations owned your cellphone and your PC or laptop, they controlled its issue to you, how you used it, what software you put on it, and when and how it was turned in and destroyed. A solid internal tracking of electronic assets coupled with a solid electronic asset disposal solution provider meant that, for the most part, the corporate crown jewels were safe.

In the BYOD world, the corporation does not own the IT equipment. Personal smart devices are being hooked up to corporate IT environments. This mating of personal and professional equipment and data is happening everywhere (think Facebook and LinkedIn). Add in the app revolution, and your corporate data is being comingled with secure and non-secure access points to the Web, cloud, etc. Not to mention the fact that those devices metaphorically walk in and out of your office every day, and you have no control.

Unfortunately, there is no easy answer to this problem. I have seen it addressed via software solutions at the enterprise level (think Blancco or BlackBerry enterprise), at the device level (think solutions like Apple Find My Device, etc.), and at the human resources and legal levels with policies and procedures that prohibit users' use of corporate information. But the truth is, without a chain of custody model incorporated with these other solutions, once the corporate data is accessed or downloaded, it's already gone — you just don't know it yet.

The reality is that it's going to take some time for the corporate world to catch up with what I like to call the “semi-private information revolution” like the cloud, Facebook, or social media. Until then, rely on your electronic asset disposal provider to help develop a strategy and process that is aligned with your corporate information sharing guidelines. Right now, your corporate data is only as safe as the process that you create.

13 comments on “BYOD Can Lead to Data Train Wreck

  1. Barbara Jorgensen
    September 5, 2012

    Frank: interesting point that your personal device will have corporate information on it when you dispose of it. Seems like a no-brainer, but it caught my interest.  I noticed that Arrow just acquired an EAD  company that provides the kind of data-wiping services you mentioned. That has to be key in any EAD business–even better, if one distributor sells and then can reclaim the same device. But it  helps to know that data-wiping is part of the whole EAD solution.

  2. t.alex
    September 5, 2012

    I totally agree with the article. Many of us busy people read company emails on phones. That's dangerous leak if the phone is lost. Some recent articles report that quite a number of malware are from Android apps. These are like worms which keep on digging for your personal data. Watch out !

  3. hash.era
    September 5, 2012

    True Alxe, we use our phones to do all the work mainly rather than using it to make calls. Thats wherethe hackers come into play where they can insert small apps which can harm the data of your phone. Its our duty to use oit wisely on the sites or apps we know. Do not click on things which looks suspicious or which you do not know.

  4. t.alex
    September 5, 2012

    And for messaging, we tend to use those like whatsapp all the time. In a way all of our important conversations are already stored on their server.

  5. Wale Bakare
    September 5, 2012

    I like this article, addressed some of contemporary issues regarding security of mobile devices. How about IPv6 auto-configuration and IP renumbering in mobile devices? And more importantly malware/worm works unaware or without the knowledge of mobile users, a big problem. I think users have little or no power to effect the change unless you go for a more or bettter security featured mobile devices, i think.

    September 6, 2012

    With so many:

    – personal gadgets being used for work

    – people working flexibly from home offices

    – people in 24/7 contact for work support

    it is nigh on impossible to keep a clear delineation between work and personal data.    I am sorry I have no idea how to fix it except to say I hope that common sense prevails.

  7. mfbertozzi
    September 6, 2012

    @WB: I totally agree with the point, because people in a such way, have achieved some knowledge in how to manage security risks for their PC/Laptop, but for mobile devices, risks that are coming (and will come) represent a new horizon to explore and investigate, including for myself.

  8. prabhakar_deosthali
    September 6, 2012

    In my opinion this is a tricky problem which cannot be solved by legal framework, or common sense or by just wiping out the data.

    You won't exactly know when your smart device becomes vulnerable to data sealing, physical stealing.

    This problem has to be tackled technically.

    A way to protect the sensitive official data on your smart device could be to have it sored in encrypted manner on your local storage all the time. To be able to read that data at any time  from your local device you must be required to obtain the decryption key from your authority ( for every access) which will verify your credentials before issuing you the key.


    This is similar to those one time passwords that the net banking systems issue to you for each on line transaction



  9. bolaji ojo
    September 6, 2012

    Matteo, I wish I could agree we understand the risks involved. I have two old PCs at home I want to throw out but must confess that I haven't thought much about how to secure the personal data on them. I have copied my hard drives to make sure I can still access the data but haven't spent time on making sure they don't get into the wrong hands. I guess, like many other people, I expect the reclamation centers to do this!

    Of course, companies do a better job — we hope. The reality is, though, that even a supposedly “wiped” hard drive can be salvaged and the data on it restored by IT experts determined to do so. It may cost a bundle but the technology exits.

    I plan to open up those two PCs, take out the hard drives and crush them!

  10. Wale Bakare
    September 6, 2012

    @PD, yeah more technical orientation might be another strategy but dont you think mobile device users' behaviours and attitude could be another factor to help improving the situation. How many users would be ready and/or have the capability of going through such a high -level of encryption and decryption process on every single access? Though, corporate organization has the responsibility to enusure proactiveness of its access management team 24/7.

  11. mfbertozzi
    September 6, 2012

    Well Bolaji, at the end, we could assume a new fascinating scenario is coming. Not to say I have a crystall ball, but I am feeling one of the most important business in the future will be about mobile data storage and in a such way mobile cloud is a good for hitting the target !

  12. Mr. Roques
    September 21, 2012

    I've thought about what can enterprises do to use BYOD policies but to also have enough data protection. How about having specific “app stores” for those devices? I'm sure Apple is more than willing to create IBM iTunes Store with pre-paid apps that any employee can download for free… those apps should be pre-approved by the IT department.

    Also have limits on the other types of apps that users can install. 

    Its a BYOD policy but with some limits.

  13. mfbertozzi
    September 22, 2012

    Mr.Roques, you are outlining a very interesting point, especially for CIOs and IT Departments. BYOD is a key topic to address for them and it takes time for reaching the proper trade-off in security and in allowing own devices usage inside companies. Several providers are developing devoted software platforms for allowing devices' control, but once again, it is a critical matter because of privacy rules to accomplish.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.