The most wonderful time of the year should strike fear into the hearts of security professionals in bring-your-own-device (BYOD) workplaces, a new Blancco Technology Group (BTG) report suggests.
According to BTG’s new study, the combination of holiday upgrades and insecure mobile practices opens the door to enterprise privacy risks.
The report found 68 percent of respondents were planning to purchase a new smartphone during the holiday season either as a gift or for themselves, while another 10 percent said they were considering a purchase. Nearly a third of mobile users said they would trade in their old device to an operator or manufacturer as part of an upgrade deal, while another 23 percent said they would sell their old handset either online via Amazon, eBay, or Craigslist, or to a physical retailer like Best Buy. Another 22 percent said they’d pass the old device on to family or friends.
But this device recycling presents a security threat for enterprises with BYOD policies in the form of compromised corporate data. More than half of surveyed mobile users told BTG they store both personal and corporate information on their smartphones, while only 42 percent said their company has visibility into which types of corporate data are stored on their devices.
Among the types of work information most likely to be stored on a user’s smartphone were company emails, social and other communication chat histories, customer lists, company price lists, sales and marketing materials, third-party and vendor contracts, department budgets, legal paperwork, and even company login credentials.
BTG said its analysis of 122 second-hand drives and mobile devices from eBay, Amazon, and Gazelle found that 57 percent of those devices had residual data on them despite previous deletion attempts. All told, BTG said it walked away with 179 text messages, 252 instant messages, 75 large photos, and 2 SMS messages.
“Our study’s findings illustrate just how dangerous it can be if personal and corporate data are not properly erased when mobile users ditch their old smartphones for new ones this holiday season,” BTG Chief Strategy Officer Richard Stiennon said. “This is especially true for organizations that allow BYOD within the workplace, as it could leave confidential and oftentimes compromising information at risk of being leaked.”
In its report, BTG said enterprise owners should be “very cautious to understand exactly how the data is wiped from old devices resold to ecommerce sites and proof users are given to show what types of data was erased, the eraser software used, the method used to wipe the data (i.e., factory reset vs. overwriting data vs. another method) and why the data was erased.”
BTG found 46 percent of Android users use the factory reset option to wipe their device before reselling or trading it in, while another 30 percent manually delete all information. Similarly, 30 percent of Apple users said they manually delete information, while another 28 percent reported using the “reset all settings” option and an additional 20 percent said they use the “erase all content and settings” option.
BTG said its report was based on a survey of 1,000 mobile device owners in the United States, Canada, Mexico, United Kingdom, France, Germany, India, Japan, and China. The survey was conducted in September 2016 among users between the ages of 18 and 54.