Data Security and Mobile Devices – Technology and Policy for Advanced Mobile Devices

By Markku Willgren, Blancco

When it comes to safely managing advanced mobile devices in the workplace, information technology (IT) asset and security managers face a number of threats to data security. To protect sensitive and proprietary business information, experts advise the development of a strong mobile device policy. With many employees now allowed or encouraged to use personal devices for business purposes, this policy must encompass a complex set of scenarios.

While data threats from mobile devices like smartphones and tablets are often thought of in terms of malware, phishing, and spyware attacks, improper decommissioning of used devices may present an even bigger security issue. Governing bodies like the European Network and Information Security Agency (ENISA), for example, find that improper decommissioning of smartphones without a full data wipe poses one of the highest risks to information safety, yet those devices are not subject to many of the erasure processes now in place for used hard drives. This is especially troubling in light of analyst predictions that more than 100 million mobile phones per year are now recycled.

As part of a robust policy for mobile devices in the workplace, businesses need to fully understand the risks associated with improper decommissioning in the event a smartphone or tablet is disposed of, reassigned or sent for recycling. To support this policy, adhere to regulatory requirements for asset disposal, and achieve complete security for mobile devices, certified erasure products provide verifiable proof of data removal. Reputable IT asset disposal (ITAD) partners use such software. Backed by knowledge and the right technology or technology provider, IT asset managers can implement policies for both business- and employee-owned mobile devices.

Small Devices, Big Risks

Mobile devices hold a wealth of information despite their small size, with some smartphones and tablets having internal memory of up to 64 GB. As these memory-rich devices become smarter, helping people become more productive in both work and personal tasks, they are more likely to contain emails, customer data, passwords and other sensitive information that could lead to data breaches if the device is disposed of without first erasing the information.

For example, a 2009 survey showed that 99% of people use their phones for some type of business use. Seventy-seven percent of those in the survey used their phones to hold business names and addresses, 23% stored customer data, and 17% downloaded corporate information like documents and spreadsheets.

As the pace of technology refreshes for mobile devices escalates, so does the opportunity for data breach. Research shows that personal and business data from smartphones and tablets does make its way to the secondhand market. A 2008 survey found that one in five mobile communications devices in the recycled market still held sensitive information, while recent informal surveys have seen numbers as high as 60% to 99%.

The repercussions of a data breach from a tablet or smartphone are just as severe as if it originated from a server or laptop. Not only does a business or organization risk its corporate reputation, it can also incur industry-specific regulatory fines, such as those for revealing credit card and other personal customer data under the Payment Card Industry Data Security Standard (PCI DSS) or protected health information (PHI) under HIPAA. For example, smartphones can be modified to serve as credit card terminals. Also, some studies show that 80% of U.S. doctors now use smartphones and medical applications in their daily practice.

Technology to Mitigate Data Breach

Given the serious potential for data breach, businesses and ITADs need a failsafe method for removing all information from mobile devices. This goes beyond simply destroying the SIM card to include erasure of internal memory and external memory, which are not as easily accessible. While many users may assume that resetting a smartphone back to factory defaults will destroy data in internal memory, in some cases the data actually still exists there. Although a novice may find the data difficult to recover, a skilled hacker or computer forensic expert could access it. In addition, while removing a smartphone’s SIM card stops it from communicating with the network, it does not erase internal memory.

One method of removing data is software that overwrites the device’s memory with a pattern of 1s and 0s. Some manufacturer applications use this technique, but these apps do not provide a critical element: a verifiable report with electronic serial numbers and other hardware details that proves the data is gone, which is necessary for regulatory compliance and a risk-free resale of the device. In addition, these apps only work with the particular device’s operating system and must be executed manually.

Certified data erasure is a type of overwriting software that automatically generates a detailed erasure report. Also, its process supports overwriting standards like HMG Infosec and DoD 5220.22-M, as well as internationally recognized certifications from organizations like TÜV SÜD in Germany.

Another important feature of certified data erasure software is that it is capable of erasing different types of smartphones and tablets, ranging from iPhones and iPads to Symbian, Android, Windows, and Blackberry, which is increasingly important as varying types of personal devices make their way into the workplace. In addition, this software can erase internal and external memory on up to 200 mobile devices at one time, depending on the set-up configuration. It also automatically sends the erasure reports to a central console, creating more productive IT or ITAD staff and operations.

Business-owned Devices and Mobile Policy

While choosing the correct technology for removing all data from mobile devices is important, it is equally important that this technology is employed as part of strong mobile device policy for employees. If the device is owned by the organization, it should adhere to the same end-of-lifecycle or reuse policy regarding data removal as required for corporate laptops and other computing devices.

For example, if an organization wants to sell, donate or reassign a smartphone or tablet, it should use certified data erasure to remove the information before the device leaves the business premises, as IAITAM best practices recommend. To do so, the organization’s internal IT staff can run the erasure software. Alternatively, the company can turn to an ITAD with on-site services for certified data erasure, or one that supports secure transport of the mobile devices to their facility for certified erasure. The IT staff or asset manager can then match the serialized erasure report with the inventory to create an audit trail that proves all data has been cleared.

Personal Devices as Part of Mobile Policy

More and more personal devices are now used for work purposes, and the trend is expected to continue. Gartner predicts that by 2013, 80% of businesses will support corporate applications on personal devices, creating a complex scenario for protecting sensitive business information.

Many organizations have found that selecting and using a mobile device based on personal preference can make an employee happier and more productive, as well as offset mobile device management and support costs for their business. However, these benefits come with a security risk if the proper policies are not in place, particularly at vulnerable transition points such as when the device’s ownership changes hands.

A mobile device policy needs a specific section addressing requirements for using a personal mobile device for work purposes. This policy should involve the employee’s registration of the device by serial number with the IT staff, which can monitor its status in accessing corporate data.

The policy also necessitates a written sign-off from employees guaranteeing they will surrender the mobile device for erasure before it is disposed of or upgraded to a new model, as with a typical technology refresh through a wireless carrier agreement. The erasure will occur after sensitive business information has been downloaded from the device.

While an organization may not provide general support for a personal mobile device, it should, as a minimum security measure, provide a do-it-yourself certified data erasure tool for employees to perform the task if the IT staff is not performing the erasure. The mobile device policy will hold the employee liable for release of any company information from the smartphone or tablet until the erasure report is provided to the IT or help desk staff, whether that report comes from the employee or an IT technician.
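The audit-trail step described for business-owned devices (matching each serialized erasure report against the inventory) and the liability rule for personal devices (an employee stays liable until a report reaches the help desk) can be checked with one reconciliation pass. The following is an added example, not code from the article or from Blancco; it assumes a simplified CSV layout for the inventory and for the erasure reports, with constructed sample rows.

```python
import csv
import io

# Constructed sample data (not from the article): a simplified asset inventory
# of registered serials and the serialized erasure reports handed to the help desk.
INVENTORY_CSV = """serial,owner,state
SN-0001,corporate,disposed
SN-0002,corporate,in_use
SN-0003,employee,upgraded
SN-0004,employee,disposed
"""

ERASURE_REPORTS_CSV = """serial,result,submitted_by
SN-0001,success,it_technician
SN-0004,failed,employee
SN-0099,success,it_technician
"""

# Lifecycle states at which the policy requires a successful erasure report
# before the device leaves the organization's control (assumed names).
EXIT_STATES = {"disposed", "upgraded", "reassigned", "resold"}


def reconcile(inventory_csv: str, reports_csv: str) -> dict:
    """Match erasure reports to inventory serials and bucket each device."""
    inventory = {r["serial"]: r for r in csv.DictReader(io.StringIO(inventory_csv))}
    reports = {r["serial"]: r for r in csv.DictReader(io.StringIO(reports_csv))}

    result = {"cleared": [], "missing_report": [], "failed": [], "unregistered": []}

    for serial, row in sorted(inventory.items()):
        if row["state"] not in EXIT_STATES:
            continue  # still in use: no report required yet
        report = reports.get(serial)
        if report is None:
            result["missing_report"].append(serial)  # owner remains liable
        elif report["result"] == "success":
            result["cleared"].append(serial)  # audit trail complete
        else:
            result["failed"].append(serial)  # erasure must be re-run

    # A report for a serial that was never registered points at a gap in the
    # registration step of the policy rather than at a clean erasure.
    result["unregistered"] = sorted(set(reports) - set(inventory))
    return result


if __name__ == "__main__":
    for bucket, serials in reconcile(INVENTORY_CSV, ERASURE_REPORTS_CSV).items():
        print(f"{bucket}: {', '.join(serials) or '-'}")
```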

If employees are concerned about requirements for erasing their smartphone or tablet and other security measures, a business may consider incentives that encourage their participation in the policy. For example, Forrester recommends that an organization may consider paying part of the monthly wireless bill, depending on the degree of use for business activities.

Fast, Robust Erasure Supports Mobile Device Security

Regardless of a device’s ownership, a company’s IT asset managers need to track the users and devices that access company data as part of a secure mobile device policy. A central aspect of this policy is the erasure of smartphones and tablets prior to disposal, reuse or remarketing, which is a critical preventive measure for avoiding data breaches, fines and other negative repercussions.

Because it automatically provides a detailed erasure report, supports multiple device platforms, and can erase a number of devices at one time, certified data erasure is a practical choice for businesses and ITADs that want to secure data without a time-consuming manual process. By conforming to technology standards and certifications, this software provides peace of mind that no data is left behind prior to resale or reassignment.