How to avoid leaving your business wide open to mobile security breaches

As mobile technology becomes ever more sophisticated, losing a phone or tablet, or failing to erase data from an old device, can have long-lasting and far-reaching consequences – including damage to corporate reputations and hefty fines.

Julie, operations director for data destruction expert Advanced Digital Dynamics, believes our fascination with mobile technology needs to be tempered with a greater awareness of data destruction issues before signing up for the next upgrade.

“When Nick Robinson, the BBC’s political editor, lost his mobile phone at a football match, Downing Street quite rightly treated the loss as a ‘serious security breach’ because it contained personal contact details of senior politicians,” explains Julie.

“The biggest mistake we make is that we look upon smart phones simply as a telephone when in fact they are small computers and should be handled as such. Then add in the fact that most people don’t understand that names, email addresses and telephone numbers are personal data and you have a recipe for disaster if that data is stolen, goes missing or isn’t destroyed properly.

“Most people don’t realise that so much data is stored on a mobile device and that just running the factory reset doesn’t erase data from Secure Digital (SD) cards. Data can only be destroyed fully by using specialist software approved by the government’s own information security arm. It’s not simply a question of deleting all your contacts and text messages as accounts that are set up for synchronisation and websites you’ve visited will leave a digital footprint. At ADD we use military grade software to wipe data from all hardware, including phones and tablets.”

As increasing numbers of employees can access work emails on mobile phones, employers need robust policies covering the security of both organisation-owned devices and private ones where the user wants access to their work email and calendar.

A company which allows staff to use their own personal devices for work use should have a Bring Your Own Device (BYOD) policy in place. The Information Commissioner’s Office has a useful downloadable guide.

“If an organisation provides staff with phones or tablets for business use then I would advise them to have a remote working policy including information on the acceptable use of the device. A mobile phone or tablet is more personal than an office computer and even when they are owned by the organisation, the user will always be the administrator. Therefore it is critical that he or she is fully aware of potential security risks – and most people are just not aware until a loss or theft occurs,” adds Julie.

“If you have a consultant working in your office for a few months, you would only give them access to certain areas of your IT network to do their job – yet they could have access to personal details of all your customers on their smart phone. You probably also stipulate whether or not employees can take company documentation home. However, it is quite likely that your employees’ personal smart phones or tablets have full access to work data without the usual security features in place. And even for the devices the business owns, can you really be sure that they are not breaching your security policies on a daily basis without you even realising it?”

Julie advises employers and staff to follow some simple steps to minimise the risks of mobile security breaches:

• Phones and tablets have the facility to set a security password, so use it. However, don’t use the same password for everything – and put a password on the SIM, not just on the device itself
• Back up your data regularly, so that if you do lose your mobile device, you haven’t lost all your data
• Be aware of how much information can be gleaned from just plugging a smartphone into a PC – everything from web addresses to text message conversations and tweets is saved
• Don’t forget there are different places on a mobile device to save and therefore to destroy data. You may use an SD card for your media, but you may also unwittingly save data to the internal memory as well – both will need checking to ensure data is removed
• Erasing images: many mobile devices use a folder called DCIM for photos. If you use both the camera app and a third-party app, there may be a separate folder for the third-party app – you need to ensure that images are removed from both
• You can run the factory reset to erase everything on your phone, but remember to also clear the SD card. For ‘belt and braces’ security, invest in specialist wiping software to ensure that no data can be retrieved
• Make sure you transfer any data you wish to keep onto a PC or other device
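
The check described in the bullets on internal memory, SD cards and image folders, as an added example (not code from the article or from ADD): it walks each storage area of a device mounted on a PC and reports image files still present, grouped by storage area and top-level folder, so leftovers on the SD card or in a third-party app folder stand out. The mount paths, the `ExampleChatApp` folder name and the extension list are assumptions, and the sample tree is constructed.

```python
import os
import tempfile
from collections import defaultdict

# Assumption: extensions treated as "images"; extend for video or documents.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".heic", ".webp"}

def leftover_images(storage_roots):
    """Map (storage label, top-level folder) -> relative paths of images still present.

    storage_roots: {label: path}, each path a mounted storage area, e.g. the
    phone's internal memory and its SD card as seen from a PC.
    """
    found = defaultdict(list)
    for label, root in storage_roots.items():
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                    continue
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                parts = rel.split(os.sep)
                top = parts[0] if len(parts) > 1 else "(root)"
                found[(label, top)].append(rel)
    return {key: sorted(paths) for key, paths in found.items()}

def folders_outside_dcim(report):
    """Locations other than DCIM that still hold images (e.g. third-party app folders)."""
    return sorted(key for key in report if key[1].upper() != "DCIM")

def build_sample_device(base):
    """Constructed sample layout standing in for a connected device (not real data)."""
    layout = {
        "internal": ["DCIM/Camera/IMG_0001.jpg", "ExampleChatApp/Media/received.png",
                     "Download/notes.txt"],
        "sdcard": ["DCIM/100MEDIA/IMG_0002.JPG"],
    }
    roots = {}
    for label, files in layout.items():
        roots[label] = os.path.join(base, label)
        for rel in files:
            path = os.path.join(roots[label], *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()
    return roots

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = leftover_images(build_sample_device(tmp))
        for (label, folder), paths in sorted(report.items()):
            print(f"{label}/{folder}: {len(paths)} image(s) remain -> {paths}")
        print("outside DCIM:", folders_outside_dcim(report))
```

An empty report shows only that no visible image files remain; it does not show that deleted data is unrecoverable, which is what the specialist wiping software mentioned above is for.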

ADD Ltd provides independent business IT solutions in hardware and software, as well as safe onsite data destruction, lifecycle asset management and disaster recovery. Clients comprise small to medium sized businesses as well as global blue chip companies, NHS Trusts, local authorities and police forces throughout the UK.