Walsh said even that might not be enough, agreeing with those who say the only way to make sure data is destroyed is to destroy the device that held it, which could require an incinerator. "If you want to be truly sure you've gotten rid of all the data on your old mobile device, then even a hammer might not be sufficient to stop a determined adversary," he said.
But Walsh and others say enterprises can minimize their risk with an effective mobile policy that should start with what devices are permitted.
"The enterprise should require that phones and tablets use encryption both for on-device memory and for SD cards," he added. "In that case the policy should require uses to sign an agreement not to modify the encryption settings."
Finally, he recommends that a third party (not the manufacturer) test the permitted devices to, "ensure with forensic tools that the device's built-in local wipe, remote wipe and resetting to factory settings truly removes all traces of data - both with and without encryption."
"Perhaps as an added measure the enterprise could collect and destroy any removable SD cards," he said.
Lingenfelter said if IT is buying used devices, it should, "make sure to perform a factory wipe, make sure OS is valid and make sure it is not rooted or jailbroken. There are tools out there to tell you if you're running factory code. You should also make sure encryption is on, and to replace the SIM and SD cards."
He added that there are also tools available -- some made by his firm -- that can encrypt corporate data separate from the OS, and also wipe all the corporate information without affecting anything else.
Before putting a device up for sale, "do an enterprise wipe," he said.
Sign up for Computerworld eNewsletters.