
Poor disposal of mobile devices creates massive security risks

Mark Majeske, President, Global Reverse Logistics, Arrow Electronics | Oct. 27, 2015
Proper disposal of discarded mobile devices should be practised to prevent information theft on the one hand and environmental pollution on the other.

This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.

Today, mobile users are overwhelmed with the increasing number of new mobile apps, and smartphone manufacturers are experiencing massive market growth. According to IT research firm Gartner, worldwide smartphone sales reached an astounding 329 million units in the second quarter of 2015, a 13.5 percent increase from the previous year. Yet with all the purchasing comes the disposing, and neither the smartphone industry nor society as a whole is well prepared to handle the large number of unwanted and obsolete mobile products. Without proper disposal mechanisms, serious environmental issues can arise, along with massive data security threats.

One of the threats is due to the BYOD (Bring Your Own Device) trend, which means employees use their own personal mobile devices to access and store corporate information. "Road warrior" executives rely heavily on their mobile devices to access company email and documents. In this scenario they may download and save confidential information like corporate intellectual property, investment and acquisition plans, and other sensitive data to their mobile devices.

This can be exacerbated by irresponsible behaviour: According to Gartner, a quarter of business users admitted to having had a security issue with their private device. Moreover, a study conducted by Osterman Research revealed that 15 percent of employees believe they have "none to minimal" responsibility to protect corporate data stored on their personal devices.

Enterprises may pay close attention to purchasing new IT assets and managing them, but they may not employ the same care when it comes to retiring that same equipment, especially when the devices are owned by their employees.

Many users trade in their smartphones when purchasing new ones and many may not know to delete sensitive information hidden in the phones. Even if they erase all their personal information, some data can still be recovered by using software tools, creating significant privacy and security risks for the enterprise. In fact, the Ponemon Institute estimates the average cost of a data breach is US$3.5 million due to fines, remediation, expenses, reduced productivity, and lost customers.

Enterprises need to have a thorough understanding of what they need to do to properly retire their devices. For example, the processes needed to erase mobile devices are substantially different from those for PCs. In the U.S., the National Institute of Standards and Technology (NIST) has composed a special publication, NIST 800-124 Guidelines for Managing the Security of Mobile Devices in the Enterprise, to advise organisations on the adoption of mobile device security measures.

In the latest revision, NIST points out that "remote wipe is a fundamentally unreliable security control; for example, an attacker could access information on a device before it is wiped, or an attacker could power off a device to prevent it from receiving a remote wipe signal." Enterprises should consider it to be "one layer of a multilayered approach to protection."
