Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2014-07-09 20:00:00. Format, images and links may no longer function correctly.

The overwhelming majority of corporations allow users to connect their personal smart phones to access work email and apps under what is called a Bring Your Own Device or BYOD policy. As I was publishing the results of my 2014 Mobile Discovery Survey, I ran across a rather inflammatory blog by security software company Avast! that detailed all the personal information retrieved from 20 Android phones that users had sold on eBay. I have heard stories from several security specialists concerning overseas hackers who set up web sites to troll for used phones from users with email addresses that match company domains. I have never been able to corroborate those stories with any published reports or studies, but I long ago updated client termination and BYOD policies and practices to make sure that outdated phones were wiped properly. The crux of Avast!’s bit of fear mongering is that a simple factory reset or even a remote ‘wipe’ will NOT actually delete or overwrite data on an Android OS phone. Ars Technica has a nice plain-language explanation, though some of their information was a bit out of date. The key point is that without encrypting the phone, the information is still there and can be recovered with forensic or even simple commercial software. Given that 21.4% of survey respondents (N=28) rely on users to manage mobile device security and access, this does raise a serious concern for corporations.

It is too early to know if there will be any civil discovery fallout from the recent Supreme Court ruling that requires search warrants for searches of cell phones in criminal cases. We are watching this closely to see if the new ‘expectation of privacy’ will extend into the corporate domain and challenge the BYOD assumption that users give the company discovery access when they connect to company systems with their personal devices. This is good news for Symantec and other mobile security providers who are working hard to segregate corporate data with Mobile Device Management (MDM) and Mobile Application Management (MAM) systems. Mobile devices represent one of the primary security exposure risks for data loss and system penetration, which is why many high-security sites ban them altogether. That is not practical in a modern corporate world filled with remote users, executives on the go and widely dispersed corporate campuses. Employees won’t stand for being disconnected from their social networks and personal lives, which depend on their phones.

So make sure that your phone is encrypted, and properly wipe it before you trade it in or sell it off. Remember that administrators can reset the admin PIN on a phone through the Microsoft ActiveSync controls or any MDM software once that phone has been registered on the network. This means that you can access an encrypted user phone without getting the PIN from the user. Mobile device discovery and proper Information Governance of BYOD is a moving target, so keep up to speed and I will do my best to relay new information as it happens.
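To make the point behind the two paragraphs above concrete (a reset that only drops metadata leaves data carvable; encryption plus discarding the key, or a full overwrite, does not), here is an added toy model written for this page, not code from the original post or from any vendor mentioned in it. The `ToyFlash` class, the SHA-256 keystream and the sample "work email" string are all constructed for illustration; the keystream is a teaching stand-in, not a production cipher.

```python
import os
from hashlib import sha256

def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (illustration only)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToyFlash:
    """A partition as raw bytes plus a separate file table (name -> offset, length)."""
    def __init__(self, size: int = 256):
        self.raw = bytearray(size)
        self.table = {}

    def write(self, name: str, data: bytes, offset: int) -> None:
        self.raw[offset:offset + len(data)] = data
        self.table[name] = (offset, len(data))

    def factory_reset(self) -> None:
        # Models the behaviour the post describes: the file table is dropped,
        # but the underlying blocks are left untouched.
        self.table.clear()

    def overwrite_all(self) -> None:
        # A true wipe: every byte of the medium is replaced.
        self.raw[:] = bytes(len(self.raw))

    def carve(self, needle: bytes) -> bool:
        # Recovery tools ignore the file table and scan the raw medium.
        return needle in self.raw

def demo() -> tuple:
    secret = b"work email: merger closes Friday"          # constructed sample data
    plain = ToyFlash(); plain.write("mail.db", secret, 32); plain.factory_reset()
    after_reset = plain.carve(secret)                       # still there

    key = os.urandom(32)
    enc = ToyFlash(); enc.write("mail.db", xor_bytes(secret, keystream(key, len(secret))), 32)
    enc.factory_reset(); key = None                         # key discarded with the reset
    after_encrypted_reset = enc.carve(secret)               # plaintext never on the medium

    plain.overwrite_all()
    after_overwrite = plain.carve(secret)                   # gone for good
    return after_reset, after_encrypted_reset, after_overwrite

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```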

Greg Buckles can be reached at Greg@eDJGroupInc.com for offline comment, questions or consulting. His active research topics include mobile device discovery, the discovery impact of the cloud, Microsoft’s 2013 eDiscovery Center and multi-matter discovery. Recent consulting engagements include managing preservation during enterprise migrations, legacy tape eliminations, retention enablement and many more.

eDJ’s monthly survey on Analytics Adoption for Consumers AND Providers is almost closed! Take it to get premium access to profiles and access to the results!
