5 Takeaways from the Symantec Smartphone Honeystick Project
Most of us know not to click on questionable links or enter personal information on sketchy-looking websites. But people can be remarkably cavalier about phone security, and phones are easier to lose than laptops. Data security on smartphones is every bit as important as that on machines used in a desktop environment - potentially more so, since there's no telling who might find a phone in a dressing room, food court, or backseat of a cab.
In 2012, Symantec carried out the Smartphone Honeystick Project, in which they loaded up 50 phones with simulated personal and corporate data, and then "lost" them in five cities. The phones were outfitted with remote monitoring capability so Symantec could see what happened to them. All but two of the devices were found, and not even half the finders attempted to locate an owner. Here are 5 key takeaways from the Symantec Smartphone Honeystick Project and what they mean for phone security. It's worth noting that all of these also apply if you deliberately stop using a phone, in order to upgrade, for example.

1. Finders Go for the Good Stuff Right Away
On found phones, nearly half of finders accessed a fake "remote admin" application, and 45% of found devices logged attempts to read corporate email. More than half of phones' "saved passwords" files were accessed, and on over 60% of the phones, access to social networking and personal email was attempted. Two-thirds of finders attempted to click through login or password reset screens (in which username and password fields were pre-filled with bogus information). Bottom line: if someone finds your phone, they'll go through it.

2. Even Those Who Tried to Return the Phone Tried to Access Data First
Although only just under half of finders attempted to locate a phone's owner, even these people tried to look at the data on it. Naturally, someone attempting to find an owner will access certain phone functions to try to learn who a phone belongs to, but generally these finders were more curious than strictly necessary. Sixty percent tried to view social media and email information, and 80% tried to access corporate information with enticing filenames like "HR Salaries" and "HR Cases."

3. Everyone Should Take Two Steps to Increase Phone Security
A Federal Reserve survey from 2014 found that 51% of smartphone users use mobile banking, and 24% make mobile payments. Password protection can go a long way toward improving data security on your phone. This prevents the casual finder from perusing your data.
Setting up the ability to remotely wipe data from a lost device can also increase phone security. That way, even if your phone is found by a determined person who managed to get by your password, there would be no data on the device for them to find.

4. Businesses Need a Data Security Plan for Lost or Stolen Phones
Every business that issues phones or has a Bring Your Own Device (BYOD) policy should have a comprehensive plan for when phones are lost or stolen, including:
• Requiring password-enabled screen locks
• Educating employees about mobile device risks
• Inventorying mobile devices connected to the company network
• Having a set process everyone follows if a device is lost or stolen
• Making mobile device security an integral part of overall corporate security

5. If You Use Two-Factor Authentication and Lose Your Phone
More people are using two-factor authentication that requires use of a phone to access accounts or applications, and this is good, but what if the phone you use for two-factor authentication is lost or stolen? The best cure is prevention in the form of taking backup options offered by the accounts or apps. With Google apps, for example, you can have access codes sent to backup phones, use a one-time printable backup code to sign in, or sign in from a trusted computer and turn off two-factor verification until you can get verification codes again. Two-factor authentication is good, but you have to give yourself backup options in case you lose your phone.

Conclusion
Smartphones are heavily integrated into our everyday and work lives, and in some ways, they contain more valuable information than our wallets do, like links to financial services or sensitive corporate data. The Symantec Smartphone Honeystick Project makes it clear that people try to access data on smartphones they find, whether or not they attempt to locate the owner. Using screen password protection, enabling remote data wiping capability, and having corporate policies covering mobile data security are essential to protecting what's on our smartphones. The very idea of phone security may seem odd to those who didn't grow up with mobile devices, but it's something that must be taken seriously if we're to have robust data security.