"Whatever apps and information they have on there is still on there — that's the concerning part," David Lingenfelter, information security officer at Fiberlink, told InformationWeek. "The risk varies based on what you end up doing with the device ... if you turn it into your carrier, they'll check to see if there's personal information on there. That's human nature."
According to a study (pdf) by the Cloud Security Alliance, nearly 80 percent of companies report having a policy that addresses mobile devices, but simply having the policy doesn't mean it's being followed. Fiberlink recommends better security education for employees as the best way to avoid unintentionally exposing corporate data. When decommissioning an old device, Fiberlink proposes a four-step process that includes notifying the IT department, transferring data to the new device, extracting all personal data and performing a factory data reset.