Have you ever thought about what might happen if you left your smartphone behind? People are naturally curious, but when a lost mobile device is discovered, curiosity can lead to the violation of personal privacy and the exposure of sensitive personal information.
To put this idea to the test, Symantec performed an experiment to see what would happen if they "lost" 50 smartphones in public areas. How many people would try to tamper with the phones and access the data?
A smartphone contains many secrets, and curiosity and voyeurism are difficult to resist. Most people want to see what kinds of secrets are hidden on a lost phone. If you're wondering what would happen to your phone if it got lost, this study will give you a good sense of how the scenario would play out.
The scope of this study involved configuring 50 smartphones for deployment in New York City, Washington D.C., Los Angeles and the San Francisco Bay Area within the U.S., as well as Ottawa, Canada. The devices were intentionally left behind in a number of different environments such as elevators, malls, food courts, public transit stops and other heavily trafficked, publicly accessible locations.
Then Symantec monitored what data and applications were accessed. Here are the results: Symantec tracked what happened to the phones after they were "lost."
- 96 percent of lost smartphones were accessed by the finders of the devices
- 89 percent of devices were accessed for personal related apps and information
- 83 percent of devices were accessed for corporate related apps and information
- 70 percent of devices were accessed for both business and personal related apps and information
- 50 percent of smartphone finders contacted the owner and attempted to return the phone
When a business-connected mobile device is lost, there is more than an 80 percent chance an attempt will be made to breach corporate data and/or networks.
- A total of 83 percent of the devices showed attempts to access corporate-related apps or data.
- Attempts to access a corporate email client occurred on 45 percent of the devices, which could potentially represent an attempt to contact the owner of the device, but still expose sensitive information.
- A file titled “HR Salaries” was accessed on 53 percent of the phones and another titled “HR Cases” was accessed on 40 percent of the devices.
- Attempted access to a “Remote Admin” app was recorded on 49 percent of the devices.
This finding demonstrates the high risks posed by an unmanaged, lost smartphone to sensitive corporate information. It demonstrates the need for proper security policies and device/data management. This is especially true in the age of the consumerization of IT and Bring Your Own Device (BYOD), when mobile devices are flowing into and out of corporate infrastructures at previously unheard of rates. If an unmanaged, employee-owned device is used for corporate access unbeknownst to the organization and that device is lost, the consequences of having no control over that device – for example, to remotely lock or wipe it – can be devastating. In this test, an attempt was made to access at least one of the various apps or files on nearly all – 96 percent – of the devices.
Are you surprised by the results of the experiment? What do you do to secure your data in the event of loss or theft?