Smartphone and tablet users are neglecting basic security measures and could be placing sensitive enterprise data at risk if the devices are lost or stolen, according to the findings of a recent study.
A survey of 1,008 consumers in the U.K. found that 36% had lost an electronic device in public. Among the devices lost or left in an insecure place, 42% had no active security measures.
The survey of consumers ages 16 to 64 was conducted by TNS Omnibus on behalf of U.K.-based security firm Sophos Ltd. Many of those surveyed used their mobile devices for work purposes or mixed purposes (work and personal).
One in five of those lost devices had access to the owner's work email, potentially exposing confidential corporate information, said James Lyne, director of technology strategy at Sophos.
"These devices are providing attackers or even individuals with a back door into your businesses," Lyne said. "They're very integrated into the workplace."
Enterprise protection begins with basic mobile device security controls
The statistics should be alarming to consumers and to CISOs trying to keep sensitive data locked down despite the increased use of smartphones and tablets in the workplace, Lyne said. The lack of security could be attributed to ignorance and a false sense of security among users. Basic measures of protection fall by the wayside, even though it is easy to secure devices, Lyne said. Patching, passwords and encryption can make a significant improvement to security.
For businesses, Lyne believes there are a few steps CISOs need to take to create a secure environment. Companies should have a mobile security strategy and should re-evaluate it every six months so security teams are not outpaced by new threats. A mobile device management strategy is helpful in implementing frameworks companies can control, such as how long passwords need to be, and how much time passes before a device locks out.
Security experts say many enterprises already have systems in place that can support basic security controls across various mobile device platforms. Microsoft ActiveSync can be used to manage access to email and other data. Lyne said most mobile device management platforms offer similar features in addition to more advanced capabilities. As with a mobile security strategy, though, they need to be set up before a mobile device is lost.
Effective user awareness and education are also needed, Lyne said. CISOs should also have a strategy for how this education is communicated. For example, Lyne said it is more effective for CISOs to tell employees how they are putting themselves at risk by being lax on security than to emphasize the risk to the company.
The Sophos survey reflected the danger to personal information as well. Of people who lost a mobile device, 20% had sensitive personal information, such as national insurance numbers, addresses and dates of birth on it, and over 10% could have revealed payment information, such as credit card numbers and PINs; 35% had access to social networking accounts via applications or Web browser-stored cookies.
Even with security measures in place, enterprises and employees need to face the reality that a lost device may never be found. Fifty-eight percent of those surveyed were never able to recover the lost device, and although one-fifth did locate the device within 24 hours, the return rate dropped significantly after this time, the survey found.
In the case that a device is never recovered, Lyne said the owner can use a Web-based portal to remotely lock the device. A hacker could still break in, however, so another option is to remotely purge the device of all information, which takes just a few seconds.
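The controls the article describes (a required passcode of a set length, a lock after a period of inactivity, device encryption, and a remote wipe for a device that is never recovered) can be expressed as an Exchange ActiveSync mobile device mailbox policy, which is one of the "systems already in place" mentioned above. The following is an added example written for this page, not Sophos's or Microsoft's own code. It assumes an Exchange Management Shell or Exchange Online PowerShell session (after Connect-ExchangeOnline for the cloud service) with permission to manage mobile device mailbox policies; the policy name, mailbox address, notification address and device ID are placeholders.

```powershell
# Added example: baseline Exchange ActiveSync policy, its assignment, and a
# remote wipe for a lost device. Assumes an Exchange Management Shell or
# Exchange Online PowerShell session with rights to manage mobile device
# mailbox policies. "Corp-Baseline", user@corp.example, secops@corp.example
# and "<DEVICE-ID>" are placeholders, not values from the article.

# 1. Define the controls the article lists: passcode length, inactivity
#    lock, encryption. MaxPasswordFailedAttempts wipes the device after too
#    many wrong passcodes, so a finder cannot guess at leisure.
New-MobileDeviceMailboxPolicy -Name "Corp-Baseline" `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $true `
    -MinPasswordLength 8 `
    -MaxInactivityTimeLock 00:05:00 `
    -MaxPasswordFailedAttempts 10 `
    -DeviceEncryptionEnabled $true `
    -AllowNonProvisionableDevices $false   # refuse devices that cannot enforce the policy

# 2. Assign the policy to a mailbox. As the article stresses, this has to be
#    done before a device is lost: a policy assigned afterwards never reaches
#    a device that no longer syncs.
Set-CASMailbox -Identity user@corp.example -ActiveSyncMailboxPolicy "Corp-Baseline"

# 3. Confirm the policy has actually been applied on each of the user's devices.
Get-MobileDeviceStatistics -Mailbox user@corp.example |
    Select-Object DeviceFriendlyName, DeviceID, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync

# 4. If a device is never recovered: queue a remote wipe. Exchange applies the
#    command the next time the device tries to sync, so the wipe is only
#    confirmed once DeviceWipeAckTime is set.
$lost = Get-MobileDevice -Mailbox user@corp.example |
    Where-Object { $_.DeviceId -eq "<DEVICE-ID>" }   # ID taken from step 3
Clear-MobileDevice -Identity $lost.Identity `
    -NotificationEmailAddresses secops@corp.example `
    -Confirm:$false

# 5. Verify the wipe was sent and acknowledged.
Get-MobileDeviceStatistics -Mailbox user@corp.example |
    Where-Object { $_.DeviceID -eq "<DEVICE-ID>" } |
    Select-Object DeviceFriendlyName, DeviceWipeSentTime, DeviceWipeAckTime
```

Step 4 is the "remotely purge the device of all information" option the article mentions; a wipe is only executed when the device next contacts the server, which is why the acknowledgement time in step 5 is worth checking rather than assuming the data is gone. For employee-owned devices, Clear-MobileDevice also accepts -AccountOnly, which removes only the corporate mailbox data and leaves personal content in place.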