By Brad Glisson
Experts from the University of Glasgow looked at a sample of mobile phones returned by the employees from one Fortune 500 company and found that they were able to retrieve large amounts of sensitive corporate and personal information. The loss of data such as this has potential security risks, inviting breaches on both an individual and corporate level.
The data yielded by this study on 32 handsets included a number of items that could potentially cause significant security risks and, lead to the leakage of valuable intellectual property or exposed the company to legal conflicts.
The study is an important step in proving that the increasing use of mobile devices in the corporate environments may be jeopardising security and compromising country specific data protection legislation.
Researchers believe that current policy and process that govern data security are not keeping pace with the growth of smartphone use with the corporate sector, a figure that was estimated to have increased by 22% in 2011 alone.
The study also highlighted that a substantial amount of personal information was retrievable from corporate handsets, which may also put personal as well as corporate security at risk by encouraging social engineering attacks targeting individuals within a specific country.
This study indicates that relatively featureless mobile phones are putting organisations at significant potential risk. The amount of corporate information involved is potentially substantial considering that the study targeted low end phones. The type of data stored on corporate mobile devices included corporate and personal information that is potentially putting both the company and the individual at risk.
The amount of data that we recovered even from this limited study gives us an indication that there is an opportunity to improve policies from social-technical and technological resolution perspectives.
This exploratory case study clearly demonstrates the need for appropriate policies and guidelines governing use, security and investigation of these devices as part of an overall business model. This becomes even more apparent as businesses gravitate towards the cloud.
About the author
Dr Brad Glisson is Director of the Computer Forensics and E-discovery MSc program at the University of Glasgow. The study was presented at the 19th Americas Conference on Information Systems and published in the Association for Information Systems journal. Full text available here: http://arxiv.org/abs/1309.0521 .