BYOD – Selling the Keys to the Corporate Kingdom?
The overwhelming majority of corporations allow users to connect their personal smartphones to work email and apps under a Bring Your Own Device (BYOD) policy. As I was publishing the results of my 2014 Mobile Discovery Survey, I ran across a rather inflammatory blog post by the security software company Avast! that detailed all the personal information retrieved from 20 Android phones that users had sold on eBay. I have heard stories from several security specialists concerning overseas hackers who set up web sites to troll for used phones from users with email addresses that match company domains. I have never been able to corroborate those stories with any published articles or studies, but I long since updated client termination and BYOD policies and practices to make sure that outdated phones were wiped properly.

The crux of Avast!'s bit of fear mongering is that a simple factory reset, or even a remote 'wipe', will NOT actually delete or overwrite the data on an Android phone: on the handsets Avast! tested, the reset rebuilt the file system metadata and left the blocks holding messages, contacts and photos in place until they were eventually reused. Ars Technica has a nice plain-language explanation, though some of their information was a bit out of date. The key point is that unless the phone's storage is encrypted, the information is still there and can be recovered with forensic or even simple commercial software. Given that 21.4% of survey respondents (N=28) rely on users to manage mobile device security and access, this does raise a serious concern for corporations.
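To make the "reset does not overwrite" point concrete, here is an added example (written for this post, not code from Avast!, Ars Technica or any Android tool). It builds a toy flash image with a tiny directory table, performs a "factory reset" that only zeroes the directory, and then carves the raw bytes for email addresses the way a recovery tool would. The same image built with per-file encryption under a key that is discarded at reset yields nothing to carve. The directory layout, the sample mail files and the HMAC-based keystream are all constructed for illustration; the keystream stands in for the real block cipher a phone's storage encryption would use.

```python
import hashlib
import hmac
import re
import struct

IMAGE_SIZE = 64 * 1024
DIR_ENTRIES = 16
DIR_ENTRY_SIZE = 32 + 4 + 4   # 32-byte name, 4-byte offset, 4-byte length
DIR_SIZE = DIR_ENTRIES * DIR_ENTRY_SIZE

# Constructed sample files, standing in for a mail client's on-device cache.
SAMPLE_FILES = {
    "mail/inbox.eml": (b"From: cfo@example.com\r\nTo: alice@example.com\r\n"
                       b"Subject: Q3 forecast\r\n\r\nNumbers attached.\r\n"),
    "notes/wifi.txt": b"office-wifi psk: hunter2-example\n",
}


def keystream(key, length):
    """Toy counter-mode keystream from HMAC-SHA256 (illustrative only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def make_image(files, key=None):
    """Lay files out flat: directory table first, file data after it.
    With a key, each file is XORed with its own keystream before writing."""
    image = bytearray(IMAGE_SIZE)
    cursor = DIR_SIZE
    for i, (name, data) in enumerate(files.items()):
        if key is not None:
            ks = keystream(key + name.encode(), len(data))
            data = bytes(a ^ b for a, b in zip(data, ks))
        entry = struct.pack(">32sII", name.encode(), cursor, len(data))
        image[i * DIR_ENTRY_SIZE:(i + 1) * DIR_ENTRY_SIZE] = entry
        image[cursor:cursor + len(data)] = data
        cursor += len(data)
    return image


def factory_reset(image):
    """Mimic a reset that rebuilds only metadata: the directory is zeroed,
    the data blocks are left exactly as they were."""
    wiped = bytearray(image)
    wiped[:DIR_SIZE] = bytes(DIR_SIZE)
    return wiped


def list_files(image):
    """What the OS shows through the file system: after a reset, nothing."""
    names = []
    for i in range(DIR_ENTRIES):
        name, _off, length = struct.unpack_from(">32sII", image, i * DIR_ENTRY_SIZE)
        if length:
            names.append(name.rstrip(b"\0").decode())
    return names


EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def carve_emails(image):
    """What a carving tool sees: scan the raw bytes, ignore the file system."""
    return sorted({m.group(0).decode() for m in EMAIL_RE.finditer(bytes(image))})


def demo():
    plain = factory_reset(make_image(SAMPLE_FILES))
    encrypted = factory_reset(make_image(SAMPLE_FILES, key=b"device-key-held-in-hw"))
    return {
        "plain_listing": list_files(plain),          # [] - the OS sees a clean phone
        "plain_carved": carve_emails(plain),         # both addresses come back
        "encrypted_carved": carve_emails(encrypted),  # [] - ciphertext carves to nothing
    }


if __name__ == "__main__":
    print(demo())
```

The practical check that follows from this is whether the device was encrypted before it was reset, not whether the reset "succeeded": a reset that runs on an encrypted volume and discards the key leaves only ciphertext behind, while the same reset on an unencrypted volume leaves the mailbox for anyone with a carving tool.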