Data breaches are damaging enough to make any organisation become a scrooge over the festive period, especially given that IBM estimates the average data breach costs a company $4 million. With this in mind, it’s hard to imagine any business being able to embrace the holiday spirit if it has fallen victim to a breach in the latter part of the year. So it’s crucial that IT departments, big and small, are ready to defend their systems against anything that could possibly result in data loss.
With the growing popularity of BYOD, one of the most overlooked security risks that could dramatically affect both organisations and consumers is leftover data on exchanged smartphones. Black Friday and Cyber Monday are now behind us, but the Christmas shopping season is still in full swing. And 45 per cent of mobile users intend to purchase a new device during the holiday season.
Many of these users are also apt to trade in their old devices on Amazon, eBay, Best Buy and the like with very little concern given to the contents of the old phone they’ll be turning in.
To support this point, a recent Deloitte holiday study found that while 3 in 4 shoppers claim they are concerned about data privacy, those concerns have very little impact on their holiday shopping. We’re all horrified by the big data breaches that flooded the news this year, from Ashley Madison to Yahoo to TalkTalk. But many consumers are unaware of how damaging it could be to fail to erase the data from their old devices.
It is very hard to blame the general populace for this, as a lack of education on the matter means that most people just don’t know the difference between secure data removal methods and methods that aren’t secure and leave data exposed and accessible.
To put some numbers behind these statements, I recently looked into what types of data could be recovered from used hard disk and solid state drives purchased randomly on eBay and Craigslist.
Shockingly, 67 per cent of the used drives contained personally identifiable information and 11 per cent held sensitive corporate data, including company emails, CRM records and spreadsheets containing sales projections and product inventories. That’s certainly not the type of information that any company or individual wants to see falling into the wrong hands.
As mentioned previously, levels of awareness about reliable methods of data removal are relatively low. And it can be hard for your everyday user to know where to go to find accurate information about what data eraser tools to use when it’s time to wipe old data.
A lot of the time, users will fall back on a simple factory reset before disposing of their old technology, believing that this is the most they can do to protect their data. However, factory resets typically only remove the pointers to the data, leaving the information itself intact on the storage and easily recoverable with freely available tools. To use an analogy, it’s the equivalent of ripping out a book’s table of contents page but leaving the rest of the pages intact for anybody to read.
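The table-of-contents analogy can be made concrete with a small simulation. The block below is an added example written for this article, not code from the author or from Blancco; it models a toy block device with a directory of name-to-block pointers, a reset-style delete that only drops the directory entry, a secure delete that overwrites the blocks before dropping the entry, and a "carving" scan that reads the raw blocks the way a recovery tool would. The file name and contents are constructed sample data.

```python
"""Toy model of data remanence after a pointer-only delete versus an overwrite.

Added example (not from the original article). The volume, file name and
contents are all constructed here so the script runs offline.
"""

BLOCK_SIZE = 16
BLOCK_COUNT = 8


class ToyVolume:
    """A tiny block store: raw blocks plus a directory mapping names to block indices."""

    def __init__(self):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(BLOCK_COUNT)]
        self.free = list(range(BLOCK_COUNT))   # indices available for allocation
        self.directory = {}                     # name -> list of block indices

    def write(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("volume full")
        used = []
        for chunk in chunks:
            idx = self.free.pop(0)
            self.blocks[idx][:] = chunk.ljust(BLOCK_SIZE, b"\0")
            used.append(idx)
        self.directory[name] = used

    def read(self, name):
        """Read via the directory, as a normal application would."""
        return b"".join(bytes(self.blocks[i]) for i in self.directory[name]).rstrip(b"\0")

    def quick_delete(self, name):
        """Reset-style removal: drop the pointer and mark the blocks free; bytes stay put."""
        self.free.extend(self.directory.pop(name))

    def secure_delete(self, name):
        """Overwrite every block the file occupies, then drop the pointer."""
        for idx in self.directory[name]:
            self.blocks[idx][:] = bytes(BLOCK_SIZE)   # zero the block in place
        self.quick_delete(name)


def carve(volume, needle):
    """Scan the raw blocks, ignoring the directory, the way a recovery tool does."""
    raw = b"".join(bytes(b) for b in volume.blocks)
    return needle in raw


# Constructed sample file: a contacts export such as a phone might hold.
SAMPLE_NAME = "contacts.csv"
SAMPLE_DATA = b"alice@example.test,+44 0000 000000"
NEEDLE = b"alice@example.test"


def recoverable_after_quick_delete():
    """True if the sample data survives a pointer-only delete."""
    vol = ToyVolume()
    vol.write(SAMPLE_NAME, SAMPLE_DATA)
    vol.quick_delete(SAMPLE_NAME)
    return SAMPLE_NAME not in vol.directory and carve(vol, NEEDLE)


def recoverable_after_secure_delete():
    """True if the sample data survives an overwrite-then-delete."""
    vol = ToyVolume()
    vol.write(SAMPLE_NAME, SAMPLE_DATA)
    vol.secure_delete(SAMPLE_NAME)
    return carve(vol, NEEDLE)


if __name__ == "__main__":
    print("pointer-only delete, data still carvable:", recoverable_after_quick_delete())
    print("overwrite then delete, data still carvable:", recoverable_after_secure_delete())
```

Running the script shows the directory entry gone in both cases, but the raw scan still finds the contact record after the pointer-only delete and not after the overwrite. On real flash storage (phones and SSDs) an in-place overwrite is not a guarantee either, because wear levelling can leave the old physical pages untouched; that is why full-device encryption followed by destruction of the key, or a dedicated erasure tool that uses the device's own sanitise mechanism, is the approach to rely on.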
Many users will trade in their own phone, relying on the “middle man” to deal with their data removal before their device gets resold. But there’s no guarantee that retailers, mobile network operators and device manufacturers that offer trade-in schemes will implement secure data erasure on the consumer’s behalf. Truth be told, most don’t and the ones that do aren’t necessarily the ones you would think.
For example, in the UK, H&T Pawnbrokers have committed to running a full diagnostics check and permanently erasing data from every device they buy back and ultimately resell. They even provide original owners with a tamper-proof certificate that this has taken place. That’s to their credit and is head and shoulders above the commitment made by countless other household names. In an ideal world, then, individuals should really understand the importance of proper data deletion rather than relying on the middle man.
With the proliferation of BYOD in the modern workplace, there is a high likelihood that devices traded in this holiday season will have been used at some point to access and store sensitive corporate data. Therefore, mitigating this threat is something IT and security teams need to be taking an active interest in. Rather than taking an authoritarian approach and dictating what staff can and can’t do with their personal mobile devices, companies should encourage collaboration from their employees by proactively raising awareness of the issues associated with insecure mobile disposal.
They should also provide educational tips and tools and, even better, offer to erase employees’ mobile devices for them with secure data eraser software. It’s certainly something most employees would be open to: an overwhelming 95 per cent of users would, to some degree, be likely to accept their employer’s help with permanently erasing data before reselling or trading in their old smartphones.
The life of electronic devices beyond the original owner is one of the more invisible dangers associated with BYOD in the workplace, and data breaches at large. IT and security departments know it’s an issue, but the majority of organisations haven’t formally acknowledged its presence.
Employees trading in old phones this holiday season are the tinsel-strewn elephant in the room. The multitude of high-profile data breaches surfacing in the news this year should be more than enough reason to raise this as a high-level security threat, one that receives adequate buy-in from members of the C-suite.
Richard Stiennon, chief strategy officer of Blancco Technology Group