Is a Remote-Wipe Policy a Crude Approach to BYOD Security?

While the capability to remotely wipe data from lost or stolen mobile phones may help CIOs sleep at night, it may be an outdated approach to BYOD security.

It's a good bet the Bring Your Own Device (BYOD) policy your employees mindlessly signed gives you the right to remotely wipe their lost or stolen phone or tablet. It's an even better bet that they're not OK with it.

Email data protection company ZixCorp commissioned a survey of more than 1,000 employed individuals and found that seven out of 10 would avoid using a personal device for work if they knew an employer could remotely wipe it. Yet two-thirds say they are allowed to use their device to access company information.

Aside from virtual desktop solutions, most BYOD policies have a remote wipe clause granting the employer the right to partially wipe business data or completely wipe the device. This suggests that most employees probably didn't read the fine print of the BYOD policy.

Another Mobile Phone Just Got Wiped

Remote wipes happen more often than you'd think: once every three minutes, according to ZixCorp.

The practice of remote wiping can lead to all kinds of trouble. For instance, mistakes have been made whereby IT has accidentally wiped personal apps, data and pictures from outgoing employees' personal phones. A mobile consultant also raised the possibility of people who run afoul of the law telling their IT department that their BYOD phone was stolen and needs to be wiped, in an attempt to destroy evidence.

The ZixCorp survey also found that two out of five respondents would wait a few hours to a few weeks before reporting a BYOD was missing, because they feared the IT department would do a remote wipe. This essentially creates a window of risk for corporate data loss. At least one financial service company wrote into its BYOD policy that workers must report lost or stolen BYODs within 24 hours — a policy that led to three firings.

On the other hand, remote wiping of personal apps and data can be good for the employee. After all, you don't want your personal information to fall into the hands of thieves.

The CIO of a law firm in California said he remotely and fully wiped a lawyer's stolen BYOD, and the lawyer who initially hated the policy was grateful.

As Usual, the Bad Guys Are a Step Ahead

In the early days of BYOD, CIOs leaned on remote wipe to keep corporate data safe. But this practice seems to be somewhat dated in the era of cloud storage and tech-savvy thieves. Today's thieves are quick to turn the stolen device off, put it into airplane mode or throw it in a special box or container that renders connectivity to the device impossible.

Some of these methods were even raised by Chief Justice John G. Roberts when rejecting the argument that police need to search phones for evidence right away. The Supreme Court unanimously ruled that police must obtain warrants before searching the digital contents of cellphones taken from people who are placed under arrest, The New York Times reported.

"Even the Supreme Court realizes remote wipe is easy to circumvent," says ZixCorp CEO Rick Spurr. "Remote wipe misses the mark. It's a crude approach."

This story, "Is a Remote-Wipe Policy a Crude Approach to BYOD Security?" was originally published by CIO.
