Sensitive data and your mobile phone policy

Just how secure is the data on your mobile when you perform a restore? Not very, we discovered.

Mobile security

Recent research highlighted a worrying fact: more than half of mobile phone users leave sensitive data on their devices after disposing of them. While it's easy to assume this is just a case of consumers ignoring the importance of removing all data from their mobiles when getting rid of them, they are increasingly leaving sensitive business information in situ too.


The study by CPP Life Assistance Products showed 54 per cent of second-hand mobile phones contain personal data, ranging from contacts, to emails and even PINs and passwords.

The research also revealed some 247 instances of personal data had been left on a range of mobile phones and SIM cards. This is despite more than 80 per cent of those surveyed claiming they had wiped the information from their phones before getting rid of them.

One of the biggest problems in business, especially when using CRM applications on devices connected to a server (such as a Blackberry running on BES), is that sensitive customer data falling into the wrong hands can have serious legal and financial implications. Then there's the negative publicity to contend with, too.

"With the rise of smartphones, the most risky data is email as this is one of the most ubiquitous applications on such a device," said Rene Millman, senior research analyst at Gartner.


"A lot of people store phone numbers, usernames, and passwords on email as it is an ad hoc database of personal information for a lot of people. And searchable too. If it makes it easy for you to find data then inevitably it will be easy for someone else to access this as well."

Any scrap of data left on a phone could, in theory and most likely in practice too, allow a criminal to piece together your identity, making it easier to sell this information on to other criminals or to use it to obtain things such as credit cards and loans, according to Millman.

"A series of text messages or contacts or emails all have revealing data about yourself and people who know you," he said. "That's why it's important to wipe this data as soon as you get rid of a phone. Trouble is, the phone manufacturers always hide this option to wipe data away in obscure places."


To wipe all the data from your phone, you'll also have to know the administrator password in most cases, making the task a lot more difficult to do without the support of a 24-hour IT department.

But how can you protect yourself and your employees from getting into trouble?

"The safest way to remove all of your data from a mobile phone or SIM card is to totally destroy the SIM and double check to ensure that all content has been removed from your phone before disposal," said Jason Hart, senior vice president of CRYPTOCard, the company commissioned to carry out CPP's research.

"With new technology does come new risks and our experiment found that newer smartphones have more capabilities to store information and that information is much easier to recover than on traditional mobiles due to the increase of applications."


To ensure you are removing as much of the data from your device as possible, you should first restore all factory settings. As factory resets can sometimes leave data on a device, you'll also need to log out and delete all social networking applications, sites and company networks.


Next, remove and physically destroy your SIM card. There's still a lot of data stored on SIM cards and the only way to wipe it is by destroying them.

You should also delete all back-ups because even if your data is securely removed from the mobile device, it can continue to exist on a back-up somewhere else, especially with cloud back-up services linked to many smartphone back-up systems.

Security is one of the main reasons a company would choose a particular smartphone platform over another, and although attempts are made to make security paramount, some are more successful than others.

Apple's application approval process is pretty locked-down and very few applications that could pose a potential security risk can get through the system. This includes those that would store more sensitive information than is safe and those that feature embedded malware.

However, the platform is popular too, so it will be on the radar of most cyber criminals looking for chinks in the armour.


Android has a more laissez-faire attitude to OKing apps and we have already seen a few malware-laden apps creep through onto phones.

Apple and Blackberry both have good remote wipe functionality and this is why you see more of these devices in the corporate arena. Android devices will be more prominent in the future as this functionality becomes more widespread too.

While the services offered by the smartphone manufacturers are adequate in most cases, the way the data is deleted isn't the most important factor to consider when trying to keep your data safe, according to Millman.


"More importantly, it is the time between losing the phone and doing something to erase the data that's important," he said. "The smaller the timeframe, the less chance someone has to access and copy this data."

In a business environment, this is even more important than it is for consumers, especially if an employee is leaving the company.


"As always, these phones should be wiped the moment the employee leaves the company or the employee loses the phone," Millman added.

"It's something that many security companies have tried to solve over the years and quite frankly most of them haven't cracked the problem using technology as it is more to do with the people and processes around. Technology can only go so far, education is the key to stopping information leakage."

Millman added: "Any endpoint that is not properly protected will be a risk to an organisation. This is true of both desktop computers and mobile devices."

"As we have seen laptops can be left in taxis, desktop computers can have keyboard loggers attached to them and phones can be stolen easily. Any CIO has to weigh up the risk of losing a device against the benefits it gives to a company and secure accordingly."

Smartphones are certainly becoming a bigger target as they become more advanced and users become more dependent on such devices. Although they offer a different access and computing model to traditional PCs and laptops, the way in which companies view the threats and the way in which data is wiped should be as tough as the policies that are used to govern desktop security.


IBM concurs with such thinking.

"You have to have a set of policies for how corporate data should be managed on a laptop. Can you include those same policies when that data finds its way onto a tablet?" Tom Cross, IBM X-Force's threat intelligence manager, said back in March at the company's Pulse event in Las Vegas.

"[Ask] what are my policies for information use and how can I apply them to these devices and what tools can I use to enforce these policies?"

IBM conducted research into how businesses tackle mobile security and discovered that more than a third (36 per cent) felt their organisation's approach wasn't up to scratch. That's particularly worrying given almost three-quarters (73 per cent) said such devices can freely connect to their corporate networks.

"Security has to be a forethought, not an afterthought," added IBM's Scott Hebner.

"And you have to empower everybody, you can't just have the chief security officer (CSO) looking after the security policy. That won't work."
