The use of company mobile phones is jeopardising organisations’ security as employers use them to access and store sensitive business data.
Experts from Glasgow University examined a small sample of low-end cell phones returned by employees of a Fortune 500 company and found they were able to retrieve large amounts of sensitive corporate and personal information.
The data the experts retrieved from the handsets included a number of items that could have potentially caused significant security risks. These could have led to the leakage of valuable intellectual property or exposed the company to legal conflicts.
Researchers were also able to gather a substantial amount of personal information, which they argue could put personal as well as corporate security at risk by encouraging social engineering attacks targeting individuals within a specific company.
Glasgow University Director of Computer Forensics and E-discovery MSc program, Brad Glisson, said the study showed that “relatively featureless” cell phones were putting organisations at risk.
“The amount of corporate information involved is potentially substantial considering that the study targeted low-end phones. The type of data stored on corporate mobile devices included corporate and personal information that is potentially putting both the company and the individual at risk.”
The amount of data recovered even from a limited study gave researchers an indication there is an opportunity to improve policies from social-technical and technological resolution perspectives, he said.
Glisson said appropriate policies and guidelines, to govern use and security of the devices, were needed to keep pace with the on-going development of smart-phones.
Tips to minimise cell phone security risks
- Use a password/PIN, but avoid using auto-complete features that remember names or passwords
- Use secure wireless connections. Avoid public WiFi hotspots and keep optional network connections (WiFi and Bluetooth) turned off except when you are using them
- Don’t access personal or financial data with public WiFi
- Avoid storing sensitive data and use SSL encryption for browsing and webmail whenever possible
- Only download apps from trustworthy sources
- Securely delete data from the device when it comes time to return it