Your Employee Quit. Their Phone Still Has Everything.



By Rich Durfee, Ph.D. — RichnTech

A sales rep at your company puts in their two weeks. They return the company laptop, hand over their badge, and walk out the door. Normal offboarding, right? Except their personal iPhone still has the company email app, a Slack workspace with 18 months of client communications, a Google Drive folder with pricing spreadsheets, and the CRM app with your entire customer database synced locally.

This isn’t a hypothetical. This is the default state of every company that allows employees to use personal devices for work without a BYOD policy or an MDM platform. And it happens every single time someone leaves — whether they quit, get laid off, or get terminated for cause.

The data exposure is immediate and comprehensive. Company email continues to sync until IT manually revokes access — which, without an MDM, requires knowing every service the employee used and revoking access one by one. Slack messages, shared documents, and CRM data may be cached locally on the device even after cloud access is revoked. Photos of whiteboards, screenshots of contracts, and saved attachments live in the device’s camera roll and files app indefinitely.

The legal exposure is even worse. If that employee goes to a competitor, takes client data with them, and your company can’t prove you had policies and controls in place to prevent it, you may have limited legal recourse. If you handle regulated data (healthcare, financial, education), the departure of an unmanaged device with PII on it is a reportable breach under HIPAA, GLBA, or FERPA.

What should have been in place: A written BYOD policy that every employee acknowledges before connecting personal devices to company resources. An MDM platform that creates a managed work container on personal devices, separating company data from personal data. A selective wipe capability that lets IT erase only the work container when someone leaves — without touching personal photos, apps, or messages. An offboarding checklist that includes device access revocation as a same-day action item.

The fix isn’t complicated. Platforms like Jamf, Intune, and Hexnode all support work profile separation and selective wipe. Android has this built into the OS natively with Android Enterprise Work Profiles. Apple supports managed containers through User Enrollment. The technology exists and has existed for years.
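The same-day revocation step from the checklist above, written out as a small runbook in code. This is an added example, not code from the original post or from any of the vendors it names. It models the Microsoft Graph calls an Intune/Entra ID tenant would use (the `retire` action is Intune's selective wipe of the work container; `wipe` is the full device wipe; `revokeSignInSessions` and `accountEnabled` cut cloud access). The Graph client is injected, so the logic runs offline against an in-memory fake; the device list and user ID are constructed sample data, and a real run would need an HTTP client holding a token with the relevant Graph permissions, which is assumed here and not shown.

```python
"""Same-day device offboarding expressed as a runbook.

Graph endpoints modelled (all real, bodies reduced to the minimum):
  PATCH /users/{id}                                   {"accountEnabled": false}
  POST  /users/{id}/revokeSignInSessions
  GET   /users/{id}/managedDevices
  POST  /deviceManagement/managedDevices/{id}/retire  (selective wipe: work data only)
  POST  /deviceManagement/managedDevices/{id}/wipe    (full wipe, company-owned only)
"""
from dataclasses import dataclass
from typing import List, Optional, Protocol, Tuple


@dataclass
class ManagedDevice:
    device_id: str
    device_name: str
    owner_type: str  # Graph managedDeviceOwnerType: "personal", "company" or "unknown"


class GraphClient(Protocol):
    def get(self, path: str) -> dict: ...
    def post(self, path: str, body: Optional[dict] = None) -> None: ...
    def patch(self, path: str, body: dict) -> None: ...


class FakeGraph:
    """In-memory stand-in for Microsoft Graph; records every call so the run is inspectable."""

    def __init__(self, devices: List[ManagedDevice]):
        self.devices = devices
        self.calls: List[Tuple[str, str, Optional[dict]]] = []

    def get(self, path: str) -> dict:
        self.calls.append(("GET", path, None))
        return {"value": [{"id": d.device_id, "deviceName": d.device_name,
                           "managedDeviceOwnerType": d.owner_type} for d in self.devices]}

    def post(self, path: str, body: Optional[dict] = None) -> None:
        self.calls.append(("POST", path, body))

    def patch(self, path: str, body: dict) -> None:
        self.calls.append(("PATCH", path, body))


def offboard_user(graph: GraphClient, user_id: str, allow_full_wipe: bool = True) -> List[str]:
    """Issue the revocation steps for one departing user; returns a log for the ticket."""
    actions: List[str] = []

    # 1. Queue the MDM command per device first. A retire/wipe only executes when the
    #    device next checks in, so it goes into the queue while the device is still syncing.
    devices = graph.get(f"/users/{user_id}/managedDevices")["value"]
    for d in devices:
        owner = d.get("managedDeviceOwnerType", "unknown")
        if owner == "company" and allow_full_wipe:
            graph.post(f"/deviceManagement/managedDevices/{d['id']}/wipe")
            actions.append(f"full wipe: {d['deviceName']} (company-owned)")
        else:
            # Personal or unknown ownership: retire removes only the managed work
            # container / work profile and leaves personal photos, apps and messages alone.
            graph.post(f"/deviceManagement/managedDevices/{d['id']}/retire")
            actions.append(f"selective wipe (retire): {d['deviceName']} ({owner})")

    # 2. Cut cloud access. This is what stops mail and CRM sync on a device that is
    #    powered off or never checks in again; locally cached data still needs the retire.
    graph.patch(f"/users/{user_id}", {"accountEnabled": False})
    actions.append(f"disabled sign-in for {user_id}")
    graph.post(f"/users/{user_id}/revokeSignInSessions")
    actions.append(f"revoked refresh tokens for {user_id}")
    return actions


# Constructed sample inventory for a departing sales rep (not real identifiers).
SAMPLE_DEVICES = [
    ManagedDevice("dev-0001", "iPhone (personal)", "personal"),
    ManagedDevice("dev-0002", "Surface Laptop", "company"),
    ManagedDevice("dev-0003", "Android tablet", "unknown"),
]

if __name__ == "__main__":
    client = FakeGraph(SAMPLE_DEVICES)
    for line in offboard_user(client, "user-sample-123"):
        print(line)
```

Two design choices worth noting: a device whose ownership Intune reports as `unknown` is treated like a personal device and only retired, because a full wipe of someone's personal phone is the one mistake this process cannot undo; and `allow_full_wipe=False` lets a BYOD-only tenant guarantee that no full wipe is ever issued from this path.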

The problem isn’t technology. The problem is that most small businesses don’t know they need a BYOD policy until after the data walks out the door. If you have employees using personal devices for work and you don’t have a policy in writing, you don’t have a security posture — you have a liability. Use our BYOD Policy Builder to create your framework in 5 minutes.
