The Security Scrutinizer with Howard Anderson

Experiment Reveals Smart Phone Risks

'Lost' Phones Illustrate the Vulnerabilities
Symantec recently conducted a clever experiment designed to illustrate the security risks involved in using smart phones. The security firm, working in collaboration with Security Perspectives Inc., intentionally "lost" 50 smart phones at various public places in five cities. The devices were loaded with simulated corporate and personal data. And Symantec had the ability to remotely monitor what happened to each device once it was found.

The result? Only half of those who found one of the phones made any attempt to return it. And information on 96 percent of the lost phones was accessed by their finders. Here are the details:

  • Sixty percent of the finders attempted to view social media information and e-mail on the devices.
  • Eighty percent tried to access corporate information, including files clearly marked as "HR Salaries" and "HR Cases."
  • Half tried to run an application labeled as "Remote Admin," simulating access to a remote computer or network.

In a blog on the mobile device experiment, Kevin Haley of Symantec notes: "The point of all this is not to say that people are bad. It's that people are naturally curious, and when temptation is put in front of them, they tend to bite the apple."

Lessons Learned

So what are the lessons learned here? Haley says that if these phones had been password-protected, casual finders would not have trolled through the data. Also, the experiment highlights the value of programs that remotely wipe data as well as applications that help locate devices when they're lost or stolen.

Surely, implementing passwords, remote wipe capability and device-finder software are simple steps that every organization should take, whether their staff members are using corporate-owned or personally-owned devices for work-related purposes. After all, phones are very easy to lose and are commonly stolen.

But the folks at Symantec suggest further steps, including password-enabled screen locks; focusing on protecting data, as well as devices; educating employees about addressing the risks involved in using smart phones; and implementing a mobile device management application to help with administering controls and monitoring devices.

At a time when government agencies, such as the Department of Veterans Affairs, as well as financial institutions, hospitals and others are gradually shifting from desktop to mobile devices, it's important to take sufficient steps to ensure the information on those devices - including links to corporate networks - remains secure. Another important step is to minimize the amount of data actually stored on the devices.

Otherwise, one lost phone could ring up plenty of headaches.



About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



