A mobile test of human threats

Published: July 17, 2012 by bkrenek

Like Blanche Dubois in A Streetcar Named Desire, we’d all like to think that we can depend upon the kindness of strangers.  Unfortunately, Symantec recently reminded us (in case there was any doubt) that strangers are bound to let you down.

In its Smartphone Honey Stick Project, Symantec intentionally “lost” 50 smartphones, all programmed with fake corporate and personal information.  The phones included a tracking device so Symantec could monitor what happened once the devices were found.  The purpose of the test was to assess the human threats to a lost smartphone’s data and the connected corporate systems.  Specifically, Symantec set out to assess the following circumstances:

● Likelihood of a finder attempting to access data on the smartphone
● Likelihood of a finder attempting to access corporate applications and data
● Likelihood of a finder attempting to access personal applications and data
● Likelihood of attempted access to particular types of apps
● Amount of time before a lost smartphone is moved or accessed
● Likelihood of a finder attempting to return a device to its owner

On every count, the results were a disappointment to anyone hoping for better from their fellow man.  Bottom line: if you lose your business-connected mobile device, there’s more than an 80% chance that an attempt will be made to breach corporate data and/or networks.  A total of 83% of the devices showed attempts to access corporate-related apps or data, and attempts to access a corporate email client occurred on 45% of the devices.  A file titled “HR Salaries” was accessed on 53% of the phones and another titled “HR Cases” was accessed on 40% of the devices.

The study underscored yet again that businesses must impress upon employees the importance of adhering to strict security guidelines regarding their mobile devices.  What does that look like?  Here are five key reminders:

1. Require that employees use password protection on all electronic devices, especially if they use them to access work-related files and email.
2. Implement software that allows you to use remote wiping so a device can be killed if it's lost or untraceable.
3. Invest in employee training and education about data breaches and the impact they have not only on the business but also on the employees themselves, since most people also program their personal information into business devices.
4. Account for every device that has access to your company’s networks and take inventory often so nothing slips through the cracks or gets lost.
5. Use business security software for all your electronic devices and implement a security management program. Have a recovery system in place so that when a device is lost or stolen, employees know what to do immediately to prevent any loss of data.