Simply Security - News, Views, and Opinions from Trend Micro

Researchers track consequences of lost mobile devices

Posted on April 3rd, 2012 in Mobility, Research by Simply Security

Lost and stolen mobile devices are much more than an inconvenience; they are becoming a primary data security vulnerability.

Business professionals have heard time and again that a lost or stolen smartphone or tablet can become a serious liability. Researchers from Symantec have put these advisories into context after a recent simulation in which 50 smartphones were intentionally left behind in public places and then remotely monitored to track resulting actions.

Stories of lost or stolen mobile devices are much more than IT department scare tactics, as smartphones and tablets go missing every day. They can slip out of a coat pocket and get left behind on the subway, or they can be stolen from a cafe table when the owner steps away. And as business professionals begin to carry increasingly sensitive workloads on these devices, the potential dangers have grown in step.

In partnership with Security Perspectives, Symantec researchers planted the "lost" smartphones across five large North American cities in locations ranging from mall food courts and elevators to public transit stops. Perhaps the most important revelation was the fact that there was only a 50 percent chance that the person who discovered the phone made any attempt to return it to the original owner.

"Maybe you think that having a 50/50 chance of getting a phone back is a glass-half-full situation. Sorry, but I have to drain your glass: Even the people who attempted to return the phones made attempts to view the data on them," Symantec Security Response director Kevin Haley explained. "In fact, 96 percent of our lost smartphones were accessed by their finders."

By remotely monitoring the implanted devices, analysts discovered that many finders went well beyond searching for the owner's contact information. Six out of 10 attempted to access social media and email accounts, and eight out of 10 opened dummy files labeled "HR Salaries" and "HR Cases."

Aside from merely accessing the owner's sensitive information, half of all finders took the bait and tried to run a "Remote Admin" application that was placed on the home screen. Hypothetically, this would have allowed the operator to access corporate networks and devices.

Although these findings are discouraging, it is important to note that much of this malicious activity could be prevented by mobile device management fundamentals.

"Just giving the phone password-based security would have prevented the casual finder from trolling through the data," Haley explained. "The second thing is to have the ability to remotely wipe the data off the phones once it had been lost."

With a growing body of knowledge contributing to the formation of mobile security best practices, companies can no longer plead ignorance when designing practices and protocols to lock down all endpoints. Unfortunately, IT progress often lags behind enterprise mobility trends.

In a recent survey of more than 600 business decision-makers conducted by independent researchers from Compass Partners, analysts found that 80 percent of small and medium-sized companies have employees who work remotely. While laptops are the primary computing devices, smartphones and tablets have garnered a healthy amount of support as well, at 63 percent and 30 percent, respectively. Unfortunately, many respondents indicated that they currently employ a more laissez-faire style of governance that assumes workers understand the risks of accessing sensitive information outside of the office.

Compass analysts found that 87 percent of respondents lack a formal policy for the use of personal devices for work purposes. This lack of internal regulation is especially surprising considering the survey sample was focused primarily in the legal, medical, financial services and real estate sectors. For instance, 78 percent of attorneys suggested that they were either "not at all concerned, not that concerned or only somewhat concerned" by the potential data security consequences of their employees' mobile work habits.

This attitude seems to have trickled down to their disaster recovery plans as well. One-third of survey respondents indicated that they let their employees choose the best way of backing up client and company data on their devices, and the majority of companies lack a data recovery protocol that stands up to modern business standards.

"If employees are using personal devices for work, companies should consider what kind of work can be performed on their devices, and how to ensure that confidential information is not at risk if the device is lost or stolen," research sponsor Gytis Barzdukas noted. "If your company doesn't have a backup and data recovery policy today, they really should put even a basic plan in place."

As corporate data continues to find its way onto an ever-expanding range and volume of devices, IT professionals are quickly realizing the shortcomings of current strategies. But while mobile device management solutions are becoming a key component of data protection plans, implementing a more data-centric approach that utilizes solutions like enhanced encryption may also be a smart complement.
