Symantec recently published the results of what it called the Honey Stick Project. Symantec took 50 smartphones and loaded them with a collection of simulated corporate and personal data. Symantec also made sure it could track the location of the lost devices, as well as monitor what happened to them once they were found. The data collected for apps on each device included the device's ID, the names of the applications accessed, and what time each app was accessed.
According to Symantec, the devices were not password-locked and had easily accessible owner information (phone number, email address, etc.). The goal of the study was to assess what typically happens when a person comes across a lost smartphone.
The 50 smartphones were sprinkled at random public locations around New York City, Washington D.C., Los Angeles, San Francisco, and Ottawa. Symantec said it picked highly trafficked areas, such as elevators, malls, food courts, and public transit stops. Then Symantec sat back to watch what happened. You might want to sit down before you read the results.
First, 96% of the lost smartphones were accessed by those who found them. What were those people looking for? Well, 89% of the device finders accessed personal data, 83% accessed corporate data, and 70% accessed both personal and corporate data. Only 50% of those who found the lost smartphones contacted the owner about returning the device -- but not until they accessed the owner's personal and corporate data.
Attempts to access a private photo app occurred on 72% of the devices, attempts to access an online banking app were observed on 43% of the devices, and attempts to access social networking accounts and personal email took place on over 60% of the devices.
Symantec also put some juicy files on each device, such as HR Salaries, HR Cases, and Saved Passwords. The HR Salaries file was accessed on 53% of the phones, the HR Cases file was accessed on 40% of the devices, and the Saved Passwords file was accessed on 57% of the phones.
Here's the real scary part: 66% of the devices recorded attempts to reset the device password.
There are a lot of interesting data points here for enterprise IT folks to consider. Lost smartphones pose a real threat to corporate security. The easiest way to forestall the breaches described above is to require passwords to unlock the smartphone. Even a four-digit PIN will deter most who stumble on a lost device. Sure, savvier people might be able to bypass a PIN, but almost any normal password (mix of upper/lower case letters with numbers) will prevent corporate and personal data from falling into the wrong hands.
Take device security seriously, people!