A study by Symantec found that almost everyone who finds a lost smartphone will try to access the personal and corporate data inside, and only half will contact the owner.
Symantec's advice to smartphone users? Keep the devices
According to a recent study by the security software vendor,
people who lose their smartphones or other mobile devices in public have a 50
percent chance of ever getting them back. And even if the device is returned,
the person who found the phone most likely rooted around in it for a while,
checking out whatever personal and business data they could find.
The lesson, according to Symantec, is to make sure that
whatever data is on the phone is as secure as it can be.
"[I]n many cases, regaining possession of a lost device may
be a losing battle," the Symantec researchers said in the report from the
Symantec Smartphone Honey Stick Project. "But protecting the information on it
does not have to be if the right precautions are taken. While devices can be
replaced, loss of control over the information kept on these devices can result
in far greater consequences."
The overall goal of the study was to show users what would
probably happen to their smartphone if they left it in a public place (for
example, a restaurant, mall, airport or taxi) and a stranger found the phone.
Given the amount of data, both personal and business, that people keep on
smartphones today, losing one and having some unknown person pick it up could
have significant consequences, according to Symantec.
The theft or accidental loss of a smartphone can expose
businesses and individuals to loss of any data stored on the device, as well as
data residing in corporate systems or cloud applications to which the device
might have direct connections, according to the report. The use of consumer
smartphones within a corporate environment further complicates the issue of
data protection, as information may flow onto or through devices that are not
fully controlled by the business.
In the seven-day study, conducted by Security Perspectives
Inc., a total of 50 smartphones were intentionally lost in New York City;
Washington, D.C.; Los Angeles; the San Francisco Bay area; and Ottawa, Canada.
Each phone contained apps that spanned everything from social networking and
online banking to photos, passwords and corporate-sounding data, including
human resources, corporate email and a spreadsheet tagged as showing salaries.
None of the apps had any real functionality.
In addition, no security software or features, such as
passwords, were enabled on the smartphones. The Symantec researchers wanted to
make them easy to get into.
Logging software was installed so that the researchers could
see what applications were being accessed, and GPS technology was used to track
where the phones went.
The phones, 10 in each target area, were lost over the course
of several days in such places as elevators, food courts and transit stops, where
high levels of foot traffic were guaranteed.
According to the study's results, 96 percent of lost
smartphones were accessed by those people finding the device: 89 percent were
accessed for personal apps and information, and another 83 percent for
corporate-related data. Seventy percent were accessed for both, and 50 percent
of the people who found the smartphones contacted the owner and gave them their
own contact information.
Regarding the corporate data, 45 percent of the time, the
finders tried to access the email client, while 53 percent tried to access the
HR Salaries app. Forty percent tried to get into the HR Cases app, and 49
percent tried to access the app named Remote Admin.
"This finding demonstrates the high risks posed by an
unmanaged, lost smartphone to sensitive corporate information," the researchers
said in the report. "It demonstrates the need for proper security policies and
device/data management. This is especially true in the age of the consumerization
of IT and bring-your-own-device (BYOD) trend, when mobile devices are flowing
into and out of corporate infrastructures at previously unheard of rates. If an
unmanaged, employee-owned device is used for corporate access unbeknownst to
the organization and that device is lost, the consequences of having no control
over that device (for example, to remotely lock or wipe it) can be devastating."
On the personal side, 72 percent of the finders tried to
access private photos, and 43 percent tried to get into the online banking app.
With the social networking and personal email apps, access to each was tried in
60 percent of the devices.
Sixty-six percent of the time, loggers tried to click through
the log-in or password reset screens, where the user names and passwords were
already filled in.
Of the 50 percent of finders who notified the owner that
their device was found, only 25 percent offered to help the owner get the phone
back. In addition, 68 percent of the finders accessed the smartphone before
moving it, and 5 percent moved the devices, but never tried to access them.
Symantec researchers said businesses need to institute tough
security policies for employees using mobile devices for work, and should focus
more on protecting information rather than only protecting devices. Businesses
also should explain the procedures employees must take when a smartphone is
lost, and should take inventory of what mobile devices are connecting to their
networks. "[T]hey can't protect and manage what they don't know about," the