Why I Should Care Where My Company's Mobile Devices Go.
Managing end-of-life technology is somewhat of an afterthought. Why? To run a company, millions of dollars are spent on the right technology. From mobile devices to mainframes and everything in between, a lot of thought, effort, time and money goes into selecting and implementing these solutions. For some reason, however, significantly less effort goes into deciding what to do once it is time to dispose of the IT equipment. Even more puzzling, when it is time to upgrade or recycle assets such as mobile devices and tablets, the disposal is basically an afterthought. The importance of disposing of all IT equipment properly cannot be overstated. While equipment is in your IT environment, the control belongs to you. Once your equipment is handed off at the end of its life (regardless of who is liable at that point), you need to understand what is happening to it, and you need to truly trust the company that is doing it for you. So, when it comes time to dispose of your equipment, what do you and your company do? How are you sure you have properly vetted a disposal company? What do you look for? What questions do you ask? How do you know they do what they say they do? There are many factors to consider in choosing a partner. It is not so much that the average cost of a data breach is $4 million and climbing; it is your company's brand. The name and reputation are what matter most and must be protected along with the data. As I stated earlier, mobile devices and tablets are an afterthought both during their service life and at end-of-life disposition. Let's dive into one of the main reasons for this.
There is not much security risk with mobile devices or tablets.
That is a very dangerous thought. Most companies are under the incorrect assumption that managing a mobile environment, i.e. eliminating or reducing risk, can be done by using a Mobile Device Management (MDM) system such as MaaS360, AirWatch or MobileIron. While an MDM is a necessity, and it certainly helps, it still does not mitigate risk at the end of the device's life. Not only are there still risks involved, but relying on an MDM remote wipe alone is not compliant with NIST guidelines, specifically NIST SP 800-88 Rev. 1:
“Sanitization performed via a remote wipe should be treated as a Clear operation, and it is not possible to verify the sanitization results.”
In other words, if you wipe remotely, it is not compliant with the guidelines. Period. So, to anyone reading this who is using an MDM in their environment: great! It is not, however, in compliance with NIST guidelines for data sanitization on its own. I highly suggest you still use the MDM, but you must either have someone verify that each device has been wiped, or send the devices to a third party who will do it for you. If you are also concerned with the HIPAA guidelines, see the following:
"the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use."
Source: https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html
Consider the potential data breaches, non-compliance with NIST and/or HIPAA guidelines, and the risk to your brand. Basically, what is the cost of doing nothing? Are you willing to take that risk?
In speaking with many of my customers, I see a few recurring issues surrounding mobile devices and their disposal. Most people would agree that a cell phone or a tablet is like a small laptop. These devices carry the same data risk, yet many do not consider them a high risk to an organization's data security. I doubt you would just toss your laptop into a drawer and be okay with it staying there. Also, many companies have different departments handling mobile devices. I see people with "telecom" in their title handling cell phones while all other IT assets, including laptops and desktops, are handled by the IT department. I see IT departments doing everything, and I see companies with a Bring Your Own Device policy (a disaster waiting to happen). Some companies have now even outsourced the disposition of mobile devices to a Technology Expense Management (TEM) company that handles the full life cycle of the devices. But no matter who takes care of it, there still seems to be a distinct lack of interest in how mobile phones are disposed of or sold.
In 2014, the mobile "tipping point" was reached, i.e. more people now consume data via mobile devices than via desktops and laptops. That is an amazing statistic, but why don't companies look at mobile devices the same way they look at laptops or desktops? I can tell you from experience that most companies do not. Which brings me full circle to my point: all mobile devices and tablets should be viewed like any other piece of IT equipment. In fact, they are more vulnerable, easier to break into, and more prone to theft than other IT equipment. When it comes time to dispose of these devices, you need to know the process and not assume it is being done right, or that the vendor you are contracting is disposing of the assets properly. Recently, a Chicago-based company was caught in a multi-million-dollar scheme to defraud customers, claiming they had disposed of assets properly when they clearly had not. It happens all the time, so be sure to review the policies behind your IT disposal methods. Ensure that the vendor you choose has the proper certifications (e.g. ISO 14001 and R2, among others), is constantly improving its processes, offers tours of its facilities, can discuss its processes and security in detail and show you the process, and is a trusted company (do you really have an office in Chicago?) that has been doing this for more than a few months. Ask questions and don't be shy. Most good vendors are only too happy to discuss their processes, if not show them off.
Lastly, do not automatically use the vendor that offers you the highest bid. While getting the best bang for your buck is certainly important, there are many deceptive practices out there that companies fall for. For example, I have seen the practice of sending out a price sheet or a bid for equipment that is exceptionally high. The customer agrees and sends the equipment in without considering where it is going, how the data is being wiped, or where recycled equipment will end up. The money received is almost never the bid price quoted, for many "reasons". By the time the check is cut it is too late, as ownership of the assets probably transferred upon receipt. The equipment might have been "damaged" or not in the condition the customer thought it would be rated at. The fact is they may not get what they thought they would. I have also seen so-called charities who take your phones to "donate" to a charitable cause such as battered women or wounded soldiers. Unfortunately, not many people know that these companies typically sell the devices, then use a small portion of the proceeds to purchase junky phones. Those phones get donated to the charity, and they keep the rest of the funds. These are just a few of the things going on out there.
Bottom line: treat your mobile devices and tablets like any other IT asset, and spend as much time considering how you dispose of them as you did purchasing them in the first place. Ensure that the company you use is compliant, certified, and trustworthy. Ask how long they have been in business and ask to tour their facility. Understand their process and ask a lot of questions. Finally, meet with your potential representative and discuss how you would work together to ensure that your equipment is taken care of when it is no longer of any use to your company. A little due diligence will ensure your company and your customers are protected.
Data breach cost figure: 2016 Cost of Data Breach Study, benchmark research sponsored by IBM, independently conducted by Ponemon Institute LLC, June 2016.