Sensitive data and your mobile phone policy

Mobile security

Recent research highlighted a worrying fact: more than half of mobile phone users leave sensitive data on their devices after disposing of them. While it's easy to assume this is just a case of consumers ignoring the importance of removing all data from their mobiles when getting rid of them, they are increasingly leaving sensitive business information in situ too.

The study by CPP Life Assistance Products showed 54 per cent of second-hand mobile phones contain personal data, ranging from contacts to emails and even PINs and passwords.

The research also revealed some 247 instances of personal data had been left on a range of mobile phones and SIM cards. This is despite more than 80 per cent of those surveyed claiming they had wiped the information from their phones before getting rid of them.

One of the biggest problems in business, especially when using CRM applications on devices connected to a server (such as a Blackberry running on BES), is that sensitive customer data falling into the wrong hands can have serious legal and financial implications. Then there's the negative publicity to contend with, too.

"With the rise of smartphones, the most risky data is email as this is one of the most ubiquitous applications on such a device," said Rene Millman, senior research analyst at Gartner.

"A lot of people store phone numbers, usernames, and passwords on email as it is an ad hoc database of personal information for a lot of people. And searchable too. If it makes it easy for you to find data then inevitably it will be easy for someone else to access this as well."

Any scrap of data left on a phone could, in theory and most likely in practice too, allow a criminal to piece together your identity, making it easier to sell that information on to other criminals or to use it to obtain things such as credit cards and loans, according to Millman.

"A series of text messages or contacts or emails all have revealing data about yourself and people who know you," he said. "That's why it's important to wipe this data as soon as you get rid of a phone. Trouble is, the phone manufacturers always hide this option to wipe data away in obscure places."

To wipe all the data from your phone, you'll also have to know the administrator password in most cases, making the task a lot more difficult to do without the support of a 24-hour IT department.

But how can you protect yourself and your employees from getting into trouble?

"The safest way to remove all of your data from a mobile phone or SIM card is to totally destroy the SIM and double check to ensure that all content has been removed from your phone before disposal," said Jason Hart, senior vice president of CRYPTOCard, the company commissioned to carry out CPP's research.

"With new technology does come new risks and our experiment found that newer smartphones have more capabilities to store information and that information is much easier to recover than on traditional mobiles due to the increase of applications."

To ensure you are removing as much of the data from your device as possible, you should first restore all factory settings. As factory resets can sometimes leave data on a device, you'll also need to log out and delete all social networking applications, sites and company networks.

Next, remove and physically destroy your SIM card: there's still a lot of data stored on SIM cards and the only way to wipe it is by destroying them.

You should also delete all back-ups because even if your data is securely removed from the mobile device, it can continue to exist on a back-up somewhere else, especially with cloud back-up services linked to many smartphone back-up systems.

Security is one of the main reasons a company would choose a particular smartphone platform over another, and although all of them attempt to make security paramount, some are more successful than others.

Apple's application approval process is pretty locked-down and very few applications that could pose a potential security risk can get through the system. This includes those that would store more sensitive information than is safe and those that feature embedded malware.

However, the platform is popular too so will be on the radar of most cyber criminals looking for chinks in the armour.

Android has a more laissez-faire attitude to approving apps and we have already seen a few malware-laden apps creep through onto phones.

Apple and Blackberry both have good remote wipe functionality and this is why you see more of these devices in the corporate arena. Android devices will be more prominent in the future as this functionality becomes more widespread too.

While the services offered by the smartphone manufacturers are adequate in most cases, the way the data is deleted isn't the most important factor to consider when trying to keep your data safe, according to Millman.

"More importantly, it is the time between losing the phone and doing something to erase the data that's important," he said. "The smaller the timeframe, the less chance someone has to access and copy this data."

In a business environment, this is even more important than it is for consumers, especially if an employee is leaving the company.

"As always, these phones should be wiped the moment the employee leaves the company or the employee loses the phone," Millman added.

"It's something that many security companies have tried to solve over the years and quite frankly most of them haven't cracked the problem using technology as it is more to do with the people and processes around. Technology can only go so far, education is the key to stopping information leakage."

Millman added: "Any endpoint that is not properly protected will be a risk to an organisation. This is true of both desktop computers and mobile devices."

"As we have seen, laptops can be left in taxis, desktop computers can have keyboard loggers attached to them and phones can be stolen easily. Any CIO has to weigh up the risk of losing a device against the benefits it gives to a company and secure accordingly."

Smartphones are certainly becoming a bigger target as they become more advanced and users become more dependent on such devices. Although they offer a different access and computing model to traditional PCs and laptops, the way in which companies view the threats and the way in which data is wiped should be as tough as the policies that are used to govern desktop security.

IBM concurs with such thinking.

"You have to have a set of policies for how corporate data should be managed on a laptop. Can you include those same policies when that data finds its way onto a tablet?" Tom Cross, IBM X-Force's threat intelligence manager, said back in March at the company's Pulse event in Las Vegas.

"[Ask] what are my policies for information use and how can I apply them to these devices and what tools can I use to enforce these policies?"

IBM conducted research into how businesses tackle mobile security and discovered that more than a third (36 per cent) felt their organisation's approach wasn't up to scratch. That's particularly worrying given almost three-quarters (73 per cent) said such devices can freely connect to their corporate networks.

"Security has to be a forethought, not an afterthought," added IBM's Scott Hebner.

"And you have to empower everybody, you can't just have the chief security officer (CSO) looking after the security policy. That won't work."

Clare Hopping
Freelance writer

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.

Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.

As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.