Decommissioning BYOD Mobile Devices
How Often do People Replace Their Personal Mobile Devices?
For Americans and their phones, it’s just under every two years. A 2011 Recon Analytics study says that people in the United States replace their phones most often, with a mean phone replacement cycle in the United States of 21.7 months. A 2010 J.D. Power study reports similar numbers for American phone replacement: 17.5 months on the low side, to 27.8 months on the high end. According to the Recon Analytics study, on the other end of the scale, the people who tend to hang onto their phones the longest are in Brazil (80.8 months, or 6.7 years) and India (93.6 months, or 7.8 years).
The Recon Analytics study says that the Brits hang onto their phones a little longer than the Americans: an average of 22.4 months. The Canadians have even longer relationships with their phones — typically 33 months, which is just shy of the length of a mobile contract (Canada still has three-year mobile contracts as the standard, even though Canadian customers hate them).
What Do People Do With Their Old Devices?
A recent article in Byte points to a survey of 2,243 workers in which MDM provider Fiberlink and Harris Interactive asked them what they did with their old mobile device when they acquired a new one. Their responses:
- 58% kept their old device but didn’t use it,
- 16% said they had their old device “professionally wiped”,
- 13% turned their old device over to their mobile service provider,
- 11% donated, gave away or threw their old device in the trash,
- and 5% had their old device “securely destroyed”.
These numbers indicate that nearly 70% of the respondents probably didn’t take measures to remove sensitive data on their old device, either via wiping or securely destroying the device.
Without a clearly-defined policy for what should be done with BYOD devices as employees replace them, the risk to your organization will vary. If the device is given to a family member (especially as a hand-me-down to a son or daughter), the risk is low. However, if they return the device to their carrier, donate it or sell it via eBay or Craigslist, or toss it in the trash or electronic recycling — and they haven’t wiped the device — it opens the door to exposing both your organization’s information as well as your employee’s personal data.
What Should Your Organization Do?
If your organization has a BYOD policy, it’s up to you to define a “decommission protocol” or “retirement plan” for BYOD devices and to communicate it clearly to your employees. Given the two- to three-year lifespan of most phones in North America, it’s easy for an employee to forget the procedure for retiring a device; it’ll be up to you to come up with some kind of process that defines what employees should do as they move to a new BYOD device.
Fiberlink recommends the four-step process described below, and we folks at CTS think it’s a good one. I’ve added some additional commentary and suggestions…
Step 1: Notify the IT Department
BYOD programs work only when the IT department knows which devices employees are bringing in. Employees participating in a BYOD program should be told to notify the IT department whenever they buy a new device that they want to use at work. Ideally, your IT department should have some kind of web page where employees can fill out a form indicating that they’re switching to a new device; having such a page helps to ensure that the IT department gets all the information it needs in a consistent format.
Step 2: Transfer Corporate Materials to the Employee’s New Device
Once the IT department has been notified, they should then quickly transfer the required corporate materials — applications, data, settings — to the employee’s new device. Ideally, this should be done using your organization’s MDM solution, which will often allow the IT department to perform the operation remotely “over the air”.
If your organization doesn’t have an MDM solution, you should:
- First, hang your head in shame. Having a BYOD policy without MDM in place is asking for trouble.
- Have the IT department assist the employee in transferring the necessary applications, data and settings to the new device.
- Come talk to us here at CTS; we specialize in helping organizations get their mobile act together!
Step 3: Extract Personal Data from Your Old Device
With the corporate material transferred to the new device, it’s time to take care of the old one. The first thing to do is to save and remove personal files and data from the old device. For iOS devices, iTunes and iCloud can be used to extract and back up information, Android users can use various file transfer tools, and most mobile operating systems can make use of cloud storage systems such as Dropbox or Google Drive.
Don’t forget that many non-iOS devices make use of SD cards in addition to built-in memory! If the employee wants to continue using the SD card, make sure s/he removes it from the old device and places it in the new one.
Step 4: Erase All Remaining Personal and Corporate Data from Your Old Device
After the employee has backed up his or her personal data, it’s time for the final step: wiping the device clean. There are a couple of preferred ways to do so:
- The “factory reset” function: Most devices have some kind of command to reset them to the completely-erased, pristine state that they were in when they first came out of the box. This is an action that the employee can initiate himself or herself.
- Remote wipe via MDM: MDM solutions typically have the ability to perform a remote wipe on a device under management, essentially performing the same operation as the “factory reset”. This is an action that IT initiates.
Once again, remember that many non-iOS devices make use of SD cards in addition to built-in memory! If the employee doesn’t want to continue using the SD card, additional action may be needed to ensure that it is wiped clean along with the device’s on-board memory.
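Because Step 1 depends on employees remembering to notify IT, it helps to have IT look for devices that went quiet without ever being retired. The script below is an added example (not from the original post or from Fiberlink): it walks a constructed MDM inventory export, flags enrolled devices that have stopped checking in (optionally while the same user has enrolled a newer device), and attaches the SD-card caveat from Step 4 where it applies. The field names and the 45-day threshold are assumptions.

```python
"""Flag BYOD devices that look replaced but were never wiped (added example)."""
from datetime import datetime, timedelta

# Assumption: a device that has not checked in for this long was probably replaced.
STALE_AFTER = timedelta(days=45)

# Constructed sample of an MDM inventory export (not real data; assumed field names).
INVENTORY = [
    {"device_id": "d-001", "user": "alice", "platform": "ios", "enrolled": "2021-01-10",
     "last_checkin": "2023-03-01", "wiped": False, "has_sd_card": False},
    {"device_id": "d-002", "user": "alice", "platform": "ios", "enrolled": "2023-02-20",
     "last_checkin": "2023-05-01", "wiped": False, "has_sd_card": False},
    {"device_id": "d-003", "user": "bob", "platform": "android", "enrolled": "2020-06-01",
     "last_checkin": "2023-01-15", "wiped": False, "has_sd_card": True},
    {"device_id": "d-004", "user": "carol", "platform": "android", "enrolled": "2022-09-01",
     "last_checkin": "2023-04-30", "wiped": False, "has_sd_card": True},
]


def find_unretired(inventory, now):
    """Return one finding per enrolled, un-wiped device that has gone silent."""
    by_user = {}
    for rec in inventory:
        by_user.setdefault(rec["user"], []).append(rec)

    findings = []
    for user, devs in by_user.items():
        newest_enrollment = max(datetime.fromisoformat(d["enrolled"]) for d in devs)
        for d in devs:
            if d["wiped"]:
                continue  # already retired through Step 4
            silent_for = now - datetime.fromisoformat(d["last_checkin"])
            if silent_for <= STALE_AFTER:
                continue  # still checking in, nothing to do
            # A newer enrollment by the same user is the classic "forgot Step 1" pattern.
            superseded = datetime.fromisoformat(d["enrolled"]) < newest_enrollment
            action = "issue remote wipe via MDM and contact the user"
            if d["has_sd_card"]:
                # Step 4 caveat: on-board wipe does not cover removable storage.
                action += "; confirm SD card was removed or wiped separately"
            findings.append({
                "device_id": d["device_id"], "user": user,
                "reason": "superseded and silent" if superseded else "silent, no newer device",
                "days_silent": silent_for.days, "action": action,
            })
    return findings


if __name__ == "__main__":
    for f in find_unretired(INVENTORY, datetime(2023, 5, 1)):
        print(f)
```

A remote wipe queued by the MDM only takes effect when the device next checks in, so a silent device also needs a human follow-up with its owner.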