Richard Stiennon, chief strategy officer, Blancco Technology Group

With Black Friday and Cyber Monday just past, and the Christmas shopping season in full swing, we're well into the busiest retail sales period of the year. In fact, according to the National Retail Federation's 2016 forecast, we'll see a record $655.8bn spent in November and December alone.

Computers, smartphones and tablets will be responsible for much of that expenditure, and many employees will definitely have their hearts set on a shiny new device. However, what's less certain is what they will do with the old ones they've chosen to leave behind. It's doubtful that the need to permanently and verifiably erase any sensitive personal or corporate data will be high on their list of priorities. Even if it is, it's far from guaranteed that they'll know the correct ways of erasing data in the first place.

To illustrate why this is problematic, we recently conducted a holiday research study to determine if mobile users will purchase new smartphones this holiday season and what they'll do to wipe their data before ditching their old phones for newer, shinier ones. According to our study, a combined 45 percent of mobile users planning to buy a new smartphone this holiday season said they'll either trade it in for an upgrade or resell it on Amazon, eBay, Best Buy or other retailers.

On top of this, our recent data recovery analysis of used hard disk and solid state drives purchased on eBay and Craigslist provided even more context for how dangerous it is when data isn't properly erased before mobile devices are traded in/resold. In fact, 67 percent of the used drives contained personally identifiable information and 11 percent held sensitive corporate data, including company emails, CRM records and spreadsheets containing sales projections and product inventories. That's certainly not the type of information that any company or individual wants to see falling into the wrong hands.

Levels of awareness about reliable methods of data removal are relatively low and it can be hard for your everyday user to know where to go to find accurate information and what data eraser tools to use when it's time to wipe the data. For this reason, the majority of users still do no more than perform a factory reset before disposing of their old technology despite it having been proven time and again to be ineffective. But a factory reset only removes the pointers to the data, leaving the information intact and easily recoverable with freely available tools. To use a simple analogy, it's the equivalent of deleting a library's referencing system but leaving all the books lying on the shelves.
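The difference between clearing pointers and erasing data can be shown on a toy disk image. This is an added example, not part of the original article: the image layout, function names and sample records are constructed assumptions, and it models neither a real filesystem nor a flash controller.

```python
BLOCK = 512  # toy block size; block 0 holds the file index (assumed layout)

# Constructed sample records, not real data.
SAMPLE = {
    "crm.csv": b"customer,email\nA. Example,a@example.test\n",
    "sales.txt": b"Q4 projection: 1200 units",
}

def make_image(files, total_blocks=16):
    """Build an image: block 0 lists 'name:block:length', later blocks hold data."""
    img, entries, nxt = bytearray(BLOCK * total_blocks), [], 1
    for name, data in files.items():
        img[nxt * BLOCK:nxt * BLOCK + len(data)] = data
        entries.append(f"{name}:{nxt}:{len(data)}")
        nxt += -(-len(data) // BLOCK)  # ceiling division: blocks consumed
    index = "\n".join(entries).encode()
    img[:len(index)] = index
    return img

def list_files(img):
    """What the device 'sees': only names still present in the index."""
    index = bytes(img[:BLOCK]).rstrip(b"\x00").decode()
    return [line.split(":")[0] for line in index.splitlines() if line]

def pointer_only_reset(img):
    """Models the reset described above: the index is cleared, data is untouched."""
    img[:BLOCK] = bytes(BLOCK)

def overwrite_erase(img):
    """Overwrite every block, index and data alike."""
    img[:] = bytes(len(img))

def residual_blocks(img):
    """Verification pass: block numbers that still contain non-zero bytes."""
    return [i for i in range(len(img) // BLOCK)
            if any(img[i * BLOCK:(i + 1) * BLOCK])]

def verify_erased(img, markers=()):
    """True only if no block holds data and no known marker string survives."""
    return not residual_blocks(img) and not any(m in img for m in markers)

if __name__ == "__main__":
    img = make_image(SAMPLE)
    pointer_only_reset(img)
    print("files listed:", list_files(img), "residual blocks:", residual_blocks(img))
    overwrite_erase(img)
    print("verified erased:", verify_erased(img, [b"a@example.test"]))
```

After the pointer-only reset the device lists no files, yet the verification pass still finds the data blocks; only the overwrite passes verification.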

There's also no guarantee that the retailers, network operators and manufacturers who offer trade-in schemes will implement secure data erasure on the consumer's behalf. Most don't, and the ones that do aren't necessarily the ones you would think. For example, in the UK, H&T Pawnbrokers has committed to running a full diagnostics check and permanently erasing data from every device it purchases and ultimately resells. It even provides the original owner with a tamper-proof certificate that this has taken place. That is to their credit and is head and shoulders above the commitment made by countless other household names.

Ultimately, it's the responsibility of the individual to act responsibly and take the appropriate actions. However, given the high likelihood that these devices will have been used at some point to access and store sensitive corporate data, mitigating this threat is something IT and security teams should be taking an active interest in. Rather than take an authoritarian approach and dictate what staff can and can't do with their personal mobile devices, companies will see greater results and collaboration from their employees if they proactively raise awareness of the issue, provide educational tips and tools, and even offer to erase employees' mobile devices for them (with secure data eraser software). It's certainly something most employees would be open to. As our holiday study indicates, an overwhelming 95 percent of users would be likely to some degree to accept their employer's help with permanently erasing their data before reselling or trading in their old smartphones.

The life of electronic devices beyond the original owner is one of the more invisible dangers associated with BYOD in the workplace. The IT & Security departments know it's an issue, but the majority of organisations haven't formally acknowledged its presence. It's time to challenge the status quo in this regard. Unless it's raised as a security issue to be addressed, it won't receive sufficient buy-in from the C-suite.

A visit from the ghosts of data past could be just around the corner for many people this holiday season. And for those who have used their device for work purposes, that could invite serious repercussions for the organisation as a whole. Asking the right questions and using the right tools is the first step in preventing data from being accessed and potentially breached.

Contributed by Richard Stiennon, chief strategy officer, Blancco Technology Group