Time for an upgrade? With the rapid advance of computer and internet technology, many individuals and companies replace smartphones or tablets with newer models on a regular basis. But upgrading is always accompanied by certain complications. For example, what happens to the sensitive data on your old mobile device when you dispose of it?
This is especially important when mobile devices contain internal corporate data, potentially undermining a company’s normal security controls. A smartphone or tablet may be used to acquire access to saved passwords, sensitive emails, and proprietary information about products, clients, or even advanced research and development.
Depending on how your company puts mobile devices to use, unauthorized access to the data contained on a smartphone or tablet can be as harmful as a more traditional data breach to a company’s computer system. Risking company data can be extremely damaging, as information is often the most valuable asset a business owns.
It’s essential to take precautions to remove company data from mobile devices prior to discarding or disposing of them. With this in mind, here is a brief overview of some best practices for data erasure and device security.
Best Practices for Data Erasure
First, back up any content that you want to keep on a secure hard drive or cloud storage account. Next, log out of all accounts, including social media, bank accounts and any other account info you have saved on the device. Then you should erase all content and settings on your phone.
But merely deleting data from your mobile device is not sufficient to prevent unauthorized persons from accessing information stored on the device. If anyone came into possession of your discarded device, he or she could employ basic data-recovery software to find sensitive data that you thought you deleted.
If you want to be sure that both company and personal data cannot be recovered, you must take some extra steps:
Remove any memory cards or SIM cards that may be components of your phone or tablet: Most modern smartphones come with an easy-to-remove SIM card, and some have space for additional memory cards. If you are unsure whether your device has a memory or SIM card, look up the device model number online. You should be able to find out about the device’s components, and remove any memory or SIM cards that could potentially contain sensitive information.
You have three different options for what to do with these memory cards and SIM cards once you remove them from your device:
- Reuse the card in a new device.
- Store the card in a safe and secure place for future use.
- Destroy the card and dispose of its remains in a certified e-waste facility so that no one can obtain the card’s data.
Encrypt your data and secure your device deletion preferences: The main tool at your disposal to ensure that company data is secure is encryption. But there are different ways to encrypt depending on whether you use an Apple or Android device.
For Apple Devices:
iOS devices including iPhones and iPads are automatically encrypted if you have a passcode or Touch ID (screen lock) enabled. The passcode generates an encryption key, and the passcode and encryption key are securely deleted when you factory-reset your device. Any data that’s left behind after reset should be securely scrambled and inaccessible to the vast majority of data-recovery software.
Here’s how to make sure your iPhone data is securely deleted:
- First, always sign out of iCloud before you erase your device
- Select Settings > iCloud
- Scroll down and tap Sign Out
- In iOS 7 or earlier, tap Delete Account
- Also, double check that you’ve signed out of the iTunes & App Store: tap Settings > iTunes & App Store > Apple ID > Sign Out
- If you paired an Apple Watch with your iPhone, unpair your Apple Watch
- Next, if you don’t already have a passcode set up on your device, you can create one by tapping Settings > Passcode or Touch ID and Passcode. Once you do that, encryption will be enabled
- Finally, go back to Settings and tap General > Reset > Erase All Content and Settings. If you turned on Find My iPhone, you might need to enter your Apple ID and password
After you click the confirmation that you want to remove/erase all data from the device, your device will be factory-reset with everything removed. All data is scrambled and encrypted and nearly impossible to recover.
For Android devices:
Take the following steps to secure your data and wipe your Android device clean:
- First, encrypt the device. This will scramble the data on the device, and if the wipe doesn’t delete everything, an encryption key will be required to unscramble any data left behind.
- To encrypt the device, select Settings > Security > Encrypt Phone. If you can’t find this option, do a quick online search for your Android device type because these options may be located in different places on different devices
- Next, do a factory reset. Click on Settings > Backup & Reset > Factory Data Reset.
This will erase all data on the phone, so make sure everything is backed up before performing the reset.
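Why encrypting first makes the factory reset effective, for both the Apple and Android steps above, shown as an added example that is not part of the original article. It is a simplified model: `ToyPhone` and all its names are hypothetical, and the stream cipher is a standard-library stand-in for the hardware encryption a real device uses.

```python
import hashlib, hmac, os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (assumption for this demo): HMAC-SHA256 in counter mode."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class ToyPhone:
    """Hypothetical model: flash holds only ciphertext; a small key slot holds
    the random data key, wrapped under a key derived from the passcode."""
    def __init__(self, passcode: str):
        self.salt = os.urandom(16)
        data_key = os.urandom(32)
        self.key_slot = _xor_stream(self._kek(passcode), b"wrap", data_key)
        self.key_check = hmac.new(data_key, b"check", hashlib.sha256).digest()
        self.flash = {}  # file name -> (nonce, ciphertext)

    def _kek(self, passcode: str) -> bytes:
        # Key-encryption key derived from the passcode
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 100_000)

    def _unlock(self, passcode: str) -> bytes:
        if self.key_slot is None:
            raise LookupError("key slot erased: the data key no longer exists")
        data_key = _xor_stream(self._kek(passcode), b"wrap", self.key_slot)
        check = hmac.new(data_key, b"check", hashlib.sha256).digest()
        if not hmac.compare_digest(check, self.key_check):
            raise PermissionError("wrong passcode")
        return data_key

    def write(self, passcode: str, name: str, plaintext: bytes) -> None:
        nonce = os.urandom(16)
        self.flash[name] = (nonce, _xor_stream(self._unlock(passcode), nonce, plaintext))

    def read(self, passcode: str, name: str) -> bytes:
        nonce, ciphertext = self.flash[name]
        return _xor_stream(self._unlock(passcode), nonce, ciphertext)

    def factory_reset(self) -> None:
        # Crypto-erase: destroy only the key slot. Ciphertext may linger on
        # flash, which is all that data-recovery software would find.
        self.key_slot = None
        self.key_check = None
```

After `factory_reset()`, the entries left in `flash` are still present but cannot be decrypted, even by someone who knows the old passcode.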
Extra Measures for Secure Deletion
If you want to add additional levels of security to the above recommendations, you can upload random photos and address books you’ve downloaded off the internet after wiping your device. This ‘fake content’ will help to throw off those who might attempt to compromise the encryption of your device.
You can also perform another factory reset after adding fake content to your device. Then you can add additional fake content and continue to reset and reload the device with fake content as many times as you would like. Each time you do it, you are adding layers of protection and confusion that protect the original content you had on your phone.
Finally, before you discard or sell your device, always write down the serial number of the device and keep it securely in your records.
Beefing Up Device Security
Even if you aren’t ready to discard your device yet, it’s a good idea to take some simple common sense measures to increase the security around company data on your mobile device. If you do this, it lessens the chance of this information being compromised before or after you discard your mobile device.
Follow these tips for stronger device security:
- Keep the software on your device up to date: Always install software updates as soon as they become available. Many successful data breaches exploit old vulnerabilities that are patched by new updates. Updating inoculates you against the exploitation of these vulnerabilities.
- Install items with caution: Before installing an app on your device, review all information about the app and check the reviews. Also be wary of granting your apps the ability to read your files, access your camera or listen in to your microphone. Err on the side of rejecting apps and their permissions unless you have both an excellent reason to use the app and strongly believe in the security of the app.
- Review the apps already installed on your phone: This combines the last two tips – always update but also review the apps you update to make sure the app hasn’t grown more vulnerable or actively malicious over time. Additionally, occasionally check the apps on your device to see which permissions they’re using.
- Be prepared to track and lock your device: Use Apple and Android’s “Find My Device” services that give you the ability to locate your device on a map and remotely lock or erase it. You can also set your device to automatically erase all data after a certain number of incorrect attempts to enter the passcode.
- Beware Open WiFi: Anyone else using an open WiFi channel can spy on your online activities without your knowledge. If you’re at all doubtful about a wireless network, don’t connect. You can also install specialized VPN tools that will encrypt your device’s connection to WiFi networks.
Especially when your device holds company data, you want to practice a certain level of sensitivity around that information when you’re upgrading to a new model or getting rid of your phone. The above-listed measures make it easier to protect your company’s data from getting into the wrong hands.