A bold mobile security experiment carried out recently by Symantec Canada found that good Samaritans aren’t just nice people — they’re intrusively curious too.
Symantec deliberately lost 60 smartphones across six major cities in Canada to see what would happen to the fake personal and business data they loaded onto the devices. The results of the so-called “Honey Stick” project were startling. Although slightly more than half of the people who found the phones tried to return them, the vast majority still accessed the devices and rifled through the data they contained.
“One of the key findings in this study is that there is a very high likelihood that attempts to access both sensitive personal and business-related information will be made if a lost and unprotected smartphone is found by a stranger,” the report states.
In fact, 93 percent of the phones lost were accessed by those who found them. In addition, 83 percent of those who found a phone accessed the owner’s personal information and apps and 63 percent searched through corporate apps and data. Even a large number of the 55 percent of people who tried to return the lost phone accessed personal and corporate data before doing so.
Symantec hired an independent security researcher to load the phones with mock data, including personal, business and financial information, as well as personal and business apps, and “lose” them across a large geographic area. The phones were deliberately lost in Vancouver, Calgary, Toronto, Ottawa, Montreal and Halifax. Researchers placed them in various locations, such as elevators, malls, food courts and public transportation. None of the devices was password-protected or had a screen lock enabled.
What these unsuspecting individuals found when they looked through the devices included personal and business apps for social networking, online banking, webmail and corporate email. Also included were spreadsheets for phony human resources salary data, as well as a password file, cloud-based documents and a remote administration app.
A total of 42 percent of the phones showed attempts to access the HR salary data file, and 28 percent recorded efforts to look through corporate emails. More than half — 52 percent — opened the password file and another 35 percent clicked on the online banking app.
The journey of “Phone #32” offers a glimpse into the life of a lost or stolen smartphone. Left on a bus bench in Calgary, Phone #32 went on a 4-day journey before disappearing. During that time, however, the finder nonchalantly searched through the phone’s social networking, passwords, webmail and online banking apps.
Symantec recommends that enterprises develop strong security policies governing mobile devices, even in bring-your-own-device environments, including requiring strong passwords for screen locks and using mobile device management tools to automate security procedures when a device is lost or stolen. But the mobile security environment is becoming tougher to manage, according to a separate Symantec survey conducted in the U.S. With the average Internet user struggling to remember 26 different passwords, getting mobile users to set strong passwords on their personal smartphones is a challenge.
“Thirty-eight percent of people surveyed would rather clean a toilet than come up with a new password,” the survey said.
And according to Gartner, companies are making security measures too difficult for employees to comply with. The result is that by 2016, overly restrictive mobile device management measures will cause 20 percent of enterprise BYOD programs to fail, according to the consulting firm.