The bring-your-own-device (BYOD) movement has turned enterprise mobile security into a never-ending game of "Whack-a-Mole," and one serious vulnerability has been poking its head out for too long. Antivirus software provider Avast noticed that more than 80,000 used smartphones are listed for sale on eBay every single day. Their researchers decided to purchase 20 used Android phones and see what data they could retrieve using off-the-shelf recovery software.
The results were astonishing. In July, Avast reported that it had recovered more than 40,000 photos, 750 emails and text messages, 250 contact names and email addresses, four previous owners’ identities, and one completed loan application. A thousand of the recovered photos included nudity. The built-in factory reset was clearly insufficient for deleting data. A cyber criminal would have had more than enough information to stalk, blackmail, or impersonate the previous owners.
Now that most people participate in workplace BYOD -- whether their employers permit it or not -- cyber criminals have tens of thousands of opportunities to scrape sensitive corporate data from personal devices sold on marketplaces like eBay. The combination of personal and corporate data could be used to orchestrate large-scale social engineering attacks. This risk calls for IT departments to help employees establish stricter separation between their personal and professional mobile lives. Specifically, a multi-persona approach to BYOD will help keep corporate data off public marketplaces.
Cyber criminal lead generation
Mobile devices are becoming a source of identity theft and corporate data leaks because they have become a "Swiss-Army Knife" for life and business.
Consider the extent of personal and corporate data that can blend on a smartphone. On one hand, we have text messages, emails, photos, videos, and voice memos that live on the phone. On the other hand, we may have multiple apps like Dropbox and Google Drive that allow us to conveniently download or upload information -- sometimes with the intention of getting information onto or off corporate systems.
For instance, we often use smartphones as scanners. Tons of people take pictures of their IDs and passports for applications or scan important documents with apps like Genius Scan. Remote or mobile employees, in particular, often don’t have access to scanning or fax machines and are therefore more likely to use a mobile device for copying, signing, and sending important work-related documents.
A device that blends personal data and corporate information would be a jackpot for cyber criminals targeting enterprises. They might have enough information to create convincing phishing emails or impersonate employees, much like the hackers that hit a French multinational last year and managed to wire company money to multiple offshore bank accounts. For criminals, buying used phones on eBay could become a form of lead generation.
Multi-persona + encryption
Clearly this is not a problem that can be solved with rules and policies. A laundry list of mobile “dos and don’ts” will be summarily ignored by employees. Carrying two devices -- one personal and one professional -- is impractical and expensive for the employer. Many mobile device management (MDM) and enterprise mobility management (EMM) solutions are also detested because employers can lock and wipe devices, blacklist apps, track communications, and geolocate devices. This is why we need to begin dividing mobile devices into multiple personas at the operating system level, the deepest level possible.
We need to combine this multi-persona approach with encryption, the most effective way to protect sensitive data. Even if the factory reset is incomplete and a phone goes on eBay with leftover data, criminals would have a very difficult time accessing encrypted data. However, with a single-persona smartphone (one login), employees would need to encrypt everything on the device to protect anything. Every time they want to check the weather or answer a text, they would have to type in a long, complicated password. A multi-persona approach, with multiple personal and professional personas, would allow them to use encryption selectively.
When an employee first purchases a smartphone, he could, for instance, create four personas: one for generic personal use, one for healthcare and finance, one for work, and one for the kid’s games. He could encrypt the healthcare/finance persona and work persona, so no matter where he leaves the device or how well he wipes it before selling, that sensitive data couldn’t be viewed. He could still check text messages with no password or a very short one.
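To make the selective-encryption idea concrete, here is an added toy model (not code from the article or from Cellrox) of one flash region shared by an unencrypted personal persona and a password-encrypted work persona, followed by an incomplete factory reset and the kind of pattern scan a recovery tool performs. The persona names, the sample vCards and the HMAC-based keystream standing in for AES are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

def derive_key(password: bytes, salt: bytes) -> bytes:
    # Per-persona key derived from that persona's own password; it lives in RAM only.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=32)

def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for AES-CTR (illustration only): HMAC-SHA256 counter keystream XORed over data.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Device:
    def __init__(self) -> None:
        self.flash = bytearray()   # raw storage shared by every persona
        self.keys = {}             # persona name -> key (None = unencrypted persona)

    def add_persona(self, name: str, password: Optional[bytes]) -> None:
        self.keys[name] = derive_key(password, os.urandom(16)) if password else None

    def write(self, persona: str, data: bytes) -> None:
        key = self.keys[persona]
        if key is None:
            self.flash += data     # plaintext lands on flash as-is
        else:
            nonce = os.urandom(16)
            self.flash += nonce + xor_keystream(key, nonce, data)

    def factory_reset(self) -> None:
        # Incomplete reset, as in the Avast study: keys and metadata go,
        # but the raw flash contents are left behind for a carver to find.
        self.keys.clear()

def carve(flash: bytes, marker: bytes) -> int:
    # What off-the-shelf recovery software does: scan raw bytes for known patterns.
    return flash.count(marker)

def demo() -> dict:
    dev = Device()
    dev.add_persona("personal", None)                   # no password, no encryption
    dev.add_persona("work", b"long work passphrase")    # encrypted persona
    dev.write("personal", b"BEGIN:VCARD\nN:Alice Example\nEND:VCARD\n")  # constructed sample
    dev.write("work", b"BEGIN:VCARD\nN:Bob Client\nEND:VCARD\n")        # constructed sample
    dev.factory_reset()
    return {"written": 2, "recoverable": carve(bytes(dev.flash), b"BEGIN:VCARD")}
```

Only the contact written by the unencrypted persona survives the scan; the work persona's record is on flash too, but without the password-derived key it is indistinguishable from noise.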
The takeaway from the Avast study is clear: In a BYOD environment, corporate data will be exposed long after employees resell, donate, or otherwise discard their smartphones. IT can write out policies, cross its fingers, and hope that employees wipe their data using specialized programs. Or it can use a multi-persona approach to ensure that sensitive data remains encrypted throughout the device lifecycle -- and it can do this without imposing on employee privacy and personal data. Indeed, employees will likely take advantage of multiple personas to protect their identities and organize their personal data.
We don’t need to "take control" of employee devices. We don’t need to stop selling old phones on eBay. We just need BYOD solutions that correspond with the way people actually live and work.

Omer Eiferman is the CEO of Cellrox and a former pilot in the Israeli Air Force. He is a graduate of Bar-Ilan University with a degree in Computer Science and Statistics. Prior to Cellrox, Omer served in a variety of marketing, development and product management roles in ...