RISKY MOBILE BUSINESS. A Study of Mobile Users Views on Data Privacy and Security

Transcription

1

2 Contents 2 Introduction 3 Consumer Survey: Methodology & Objectives 4 Consumer Survey: Results & Discussion 5 Mobile Users Frequently Connect to Insecure Networks & Create/Review Content 5 Although Mobile Enhances Customer Experiences, It Still Breeds Insecurities About Safe Mobile Shopping Financial Information and Photos/Videos Rank High on List of Vulnerable Data Types 6 8 Failure to Regularly Monitor Mobile Data is Risky Business 9 While Mobile Users Acknowledge Importance of Mobile Security, They Don t Take the Right Precautions A Reduction in Smartphone Theft Doesn t Automatically Reduce Security Risks Cyber Security Isn t Handled With Same Level of Concern as Physical Security Tangible Proof of Data Removal Is Key to Adoption of Data Wiping Software Mobile Users Willingly Open Wallets to Protect Personal Data and Privacy Final Thoughts & Recommendations 16 Conclusion 17 About Blancco Technology Group 18 Contact Us 18

3 Introduction 3 Mobile devices are a critical part of society today; they make up a key component of business infrastructures and they act as a critical data producing and storing tool for consumers. As a result, vast amounts of corporate, customer and employee data that were previously held on servers and laptops are now created, accessed, stored and shared on smartphones and tablets. Consumer privacy concerns can oftentimes influence and shape when and how a company makes a move into the mobile space. Worst of all, customers failure to secure their personal data can sometimes create a nightmare for companies. As a result, some organizations have tried to find a remedy to this problem by bolting on extra security measures onto their customers, such as banks requiring specific connectivity apps or 2FA. it. However, this doesn t negate the high level of fear and anxiety consumers have about the safety of their personal information. These insecurities, in turn, make it difficult for companies to scale their business (and the products being marketed to consumers) for long-term adoption and sales growth. Also, we cannot talk about mobile without acknowledging the delicate balance companies must strike between personalization and privacy. Nearly every product you can think of today is smart and connects to users smartphones and tablets. These smart things digest and analyze enormous amounts and types of data about our behavioral patterns and usage tendencies and use that data to make the user experience feel as personalized and relevant as possible. Users don t just expect this personalization; they demand

4 Consumer Survey: Methodology & Objectives 4 Survey Overview JUN United States Australia 1,400 consumers years old JUN United Kingdom Canada Owning at least one mobile device We surveyed over 1,400 consumers in the United States, Canada, United Kingdom and Australia to understand their mobile security fears, frequency of data theft, types of data considered to be most vulnerable and the preventative measures used (or lack thereof) to protect their personal information. The survey was fielded from June 5, 2015 through June 11, 2015 and the respondents are comprised of consumers, aged years old, who own at least one mobile device (smartphone or tablet).

5 5 Mobile Users Frequently Connect to Insecure Networks & Create/Review Content Which one of the following work-related activities are you most likely to do exclusively from your mobile device? 5% 16% 32% Simple communications ( ) 18% Access public WiFi networks 4% Creating content 7% Reviewing content Download nonwork-related apps Voice/ video calls 2% 16% Access company intranet Other Most consumers today use their mobile devices for a multitude of personal and work-related activities. So in one minute, they could be sending a text message to a friend or family member, and minutes later, they could be downloading a sales presentation or RFP from their work account. This ability to stay always on is often perceived as a boon to corporate productivity and employee efficiency. But it s also a major source of concern because of how easily data can be accessed, recovered and stolen from mobile devices, especially when employees use their personal mobile devices for personal and work-related activities. As our study found, 18 percent of the respondents connect to public WiFi networks from their mobile devices. Another 11 percent create and review content exclusively from their smartphones and tablets. Together, these findings point to a lack of awareness about the ease with which data can be hacked through insecure networks, as well as how businesses need to tightly monitor exactly how and where employees are accessing, storing and sharing corporate data on their mobile devices whether they re at home, at work or on-the-go. It s important for both consumers and businesses to take an active interest in learning about the different methods of removing data that exist. It s also critical to establish a robust set of data security processes and practices internally, inclusive of auditing the existing technology solutions in place and purchasing the necessary new ones that will protect corporate and customer data adequately.

6 6 Although Mobile Enhances Customer Experiences, It Still Breeds Insecurities About Safe Mobile Shopping How comfortable do you feel about the level of security on your mobile device? 28% 33% 23% 10% 7% Feel completely safe using mobile device for all activities Somewhat confident, but don t feel safe shopping from mobile device Hesitant to link credit cards to mobile apps General cyber security issues worry me constantly Not concerned at all Note: Figures may not add to 100 due to rounding. Every day, there is news of another retailer, financial institution, healthcare provider or even government agency getting hacked. During the 2014 U.S. holiday season, Target became the target of a massive cyber attack that compromised at least some of the personal information of 70 million customers. Beyond adding fuel to the fire and making cautious consumers even more fearful, it made several dents into the big-box retailer s earnings. On top of spending $240 million to replace customers cards, its stock price fell and it lost considerable sales as a result. This example speaks to a larger conflict that exists between consumers and businesses. For the consumers buying products and services from businesses, mobile devices allow them to do so quickly, easily and wherever they are be it in-store, online from their desktop computer/laptop or straight from their smartphone or tablet. These are benefits consumers have not only come to enjoy, but have come to expect and demand. Meanwhile, businesses are leveraging digital channels and big data to deliver a seamless, crosschannel customer experience that is as personalized and relevant to their needs as possible. In doing so, they are reaping the benefits through increased customer loyalty and omnichannel sales. Now consider what we found in our study: 33 percent of respondents said they feel somewhat confident, but don t feel safe shopping from their mobile devices. Another 23 percent of the respondents are hesitant to link their credit cards to mobile apps. While customers for the most part enjoy the benefits of mobile connectivity, they are also conflicted with how safe mobile shopping truly is.

7 7 Although Mobile Enhances Customer Experiences, It Still Breeds Insecurities About Safe Mobile Shopping So what can businesses do to alleviate this consumer conflict of wanting improved customer experiences and data privacy? To start, they should include data privacy into the initial development stages of all digital and mobile initiatives. So when it s time to launch a new ecommerce/mcommerce site/app, add new features into the mobile experience and deploy massive cross-channel advertising campaigns, data privacy must be embedded into the initial development and production stage, rather than tacking it on afterthe-fact or compartmentalizing it into a separate category. 577 Breaches 155 Million Records Exposed Source: Identity Theft Resource Center (ITRC) Now consider the thriving sharing economy that s seeing the likes of Uber and Airbnb gain in popularity with consumers around the world. These shared service providers simplify the entire user experience and automate it in such a way that users credit cards are linked directly to the apps. And this strategy has clearly been paying off investment bank Piper Jaffray says Airbnb enabled about 40 million room nights in 2014 and estimates that it could reach 1.5 million listings in But something is still missing and could jeopardize their user adoption and growth rates drastically. These shared service providers and other businesses should have a built-in security feature that completely and permanently erases all personal information including names, phone numbers, addresses and credit card numbers when users stop using them. Users should then receive a verification report within their accounts confirming all of their personal information has been properly and completely removed. To customers, this would offer the dual benefits of an improved customer experience and an absolute guarantee that their personal information and sensitive data won t be compromised. It then becomes a point of differentiation for these already-successful businesses and could catapult them to the next level and help them cement customer loyalty, boost adoption and grow sales consistently. Given the Identity Theft Resource Center (ITRC) reports a total of 577 data breaches were recorded through Q and more than 155 million records have been exposed, making this change could have a huge impact on Airbnb, Uber and other businesses.

8 8 Financial Information and Photos/Videos Rank High on List of Vulnerable Data Types Which one of the following types of information are you most fearful of being accessed without your consent? $ 6% 4% 3% 52% Financial information 19% Usernames & passwords 11% Photos & videos Government ID numbers addresses Medical records 3% 1% 1% Home addresses & phone numbers Insurance Birth dates Fear is a powerful motivator. It can even dictate how and where consumers use their mobile devices. And for a vast majority of consumers in the US, Canada, UK and Australia, that fear is a daily reality. In fact, over half (52 percent) of respondents are most fearful of having their financial information accessed without their consent. Additionally, 11 percent of respondents are afraid of having their photos and videos leaked. Many banking institutions are now investing more money into tightening their security controls. JP Morgan Chase, for example, has already increased the number of security professionals to 1,000 and has strictly limited privileged user access. While the financial giant already spends $250 million per year on digital security, it s also pledged to double that spending over the next year. Because most people and even companies don t have a full grasp of the difference between a factory reset and proper data erasure, the likelihood of a data breach can increase significantly. And as we have seen in the last year, Android devices are particularly vulnerable to data leaks be it from a camera app, leaked location data over Wi- Fi or faulty factory reset. The problem with factory reset on certain mobile operating systems is that it only removes pointers to the data, while leaving the data itself intact. So the deleted data that s left on mobile devices as well as external SD cards can quickly and easily be recovered using readily available software.

9 9 Failure to Regularly Monitor Mobile Data Is Risky Business When is the last time that your mobile data and personal information were accessed without your consent? 42% 29% 7% 9% 6% 7% Within last 1-3 months Between 4-6 months Between 7-12 months Over a year ago Never I don t know Over one-quarter (29 percent) of respondents admitted that they don t know the last time their mobile data and personal information were accessed without their consent. This could be occurring for a number of reasons. Perhaps they just don t know how and where to monitor their data. It could be that they just don t feel it s their responsibility to do so, or are counting on businesses to do so for them. No matter what the reason may be, this unawareness increases the likelihood of mobile data breaches. Our IT Security Consultant Paul Henry believes it s not an either/or scenario when it comes to responsibility for monitoring data security. It s the responsibility of the original user or owner to properly sanitize their equipment before it s traded in, resold, donated or discarded. If individuals simply rely on others to take care of protecting their data, that s just irresponsible. Similarly, if businesses take a lax approach or don t monitor how, when and where all of the data from their equipment is removed before it s discarded, reused or recycled and if they fail to obtain actual verification that all data has been removed permanently, it s just as irresponsible and can cause serious financial, legal and reputational damage.

10 10 While Mobile Users Acknowledge Importance of Mobile Security, They Don t Take the Right Precautions Which one of the following do you believe is the most effective and trustworthy way to protect mobile data and personal information? 14% 14% 13% 11% 7% 12% Delete sensitive files and folders 13% Lock device with passcode Use encryption security features Back up data to computer or online Install and maintain antitheft software Install an antivirus app Apply factory reset 5% 4% 4% 2% 1% Install software to permanently erase data Reformat hard drive Turn off location tracking feature Clear search/ browsing history Install software to find phone We ve all heard the saying: What you don t know can t hurt you. In the case of mobile security, that is far from true. To better understand this, let s look at some of the figures from our study. First, 25 percent of respondents believe deleting sensitive files/folders and locking devices with a passcode will safeguard their mobile data and personal information. Meanwhile, another 7 percent feel comfortable enough with simply applying a factory reset. Unfortunately, many users as well as enterprise businesses mistakenly assume that manually deleting data or performing a factory reset will wipe a mobile device clean and eliminate any potential security threats. But that s just not true. A factory reset only removes pointers to the data, but it doesn t actually erase the data forever. To make matters worse, most people are naïve about just how easy it is to recover data. All you need is software which can be purchased online for as low as $80. That s where it s important to have the right technology solutions/software to permanently destroy old data and current sensitive data in a matter of minutes.

11 11 A Reduction in Smartphone Theft Doesn t Automatically Reduce Security Risks Mobile theft 40% Mobile theft 22% Mobile theft 16% London San Francisco New York Earlier this year, city officials announced that smartphone thefts have declined drastically in three cities 40 percent in London, 22 percent in San Francisco and 16 percent in New York. 13% Yes Has your mobile device been lost or stolen in the last 12 months? 87% No It s interesting to note that only 13 percent of respondents reported having their mobile device lost or stolen in the last 12 months. The reduction of smartphone theft is, indeed, good news. This reduction in smartphone theft could be occurring for a number of reasons. It could be related to the fact that some smartphone manufacturers have begun installing software-based kill switches that allow the phones to be turned off remotely if they re stolen. It could also be attributed to the fact that consumers are being more careful about holding onto their devices and paying closer attention to how they handle them. Whatever the case may be, it doesn t automatically equate to less risk of mobile data loss/theft. Once a mobile device is out of sight be it from accidental misplacement or intentional theft it poses an imminent threat to your privacy and security. But that threat multiplies exponentially when people and businesses fail to educate themselves about the most effective and trustworthy ways to prevent mobile data and personal information from resurfacing.

12 12 Cyber Security Isn t Handled With Same Level of Concern as Physical Security If your mobile device is lost or stolen, what is the very first action you are most likely to take to protect your device and personal data? 18% 16% 8% 21% Disable device through mobile carrier & buy replacement 19% Use GPS to locate device 7% Activate data erasure software to remotely wipe sensitive information Report loss or theft to mobile carrier Activate antitheft software to remotely lock device Change usernames and passwords 4% 4% 3% Unlink credit cards from mobile apps Report theft to police Other When we asked respondents to confirm the very first action they are most likely to take to protect personal data when their device is lost or stolen, 19 percent said they would use GPS to locate their device and 21 percent would immediately disable the device through their mobile carrier and buy a replacement. In stark contrast, only 7 percent reported that they would activate data erasure software to remotely wipe sensitive information. These findings point to just how dependent consumers are on their mobile devices and how focused they tend to be on the here and now. Rather than make sure all personal information and corporate data are wiped clean when these devices are lost or stolen, our study indicates that users are more inclined to spend their time locating the device, taking steps to purchase a new one and changing their usernames and passwords.

13 13 Cyber Security Isn t Handled With Same Level of Concern as Physical Security This also points to a larger problem within society. We re taught from a very early age to avoid dangerous individuals and crime, and we re also shown how to protect ourselves should we be faced with such a threat. But there is little to no education about the differing types of cyber crime that exist, the common causes of such crimes and the ways individuals and businesses can protect their data from being accessed and stolen. This is supported by what we found in our study only 4 percent of the respondents said they would report their smartphone theft to police. Cyber crime and physical crime are equally dangerous and until we as a society begin to view them both in the same light, it will be difficult to reduce cyber crime in the long run. This could lead to a big problem when you consider just how easy it is for data to be recovered by a third party or a cyber criminal. According to our IT Security Consultant Paul Henry, Unless the phone is fully and physically destroyed, or the data is permanently erased by overwriting the data (not just deleting ), anyone could possibly get their hands on all of the original owner s data. It s important to address another obstacle to wiping all of the data stored on mobile devices mobile device malfunctions. This happens more often than most people realize. A user might damage their phone in some way perhaps dropping it on the floor and shattering the screen and therefore, makes it impossible to see anything and renders the device unusable. Or an individual might be using an older generation of a device that s experiencing issues, but thinks it s easier to just replace it with a new one than send it in for repairs. So that old phone is either traded in with their mobile carrier or device manufacturer, or it s just tossed into a drawer or the garbage where anyone could get their hands on it. Paul Henry IT Security Consultant, Blancco Technology Group

14 14 Tangible Proof of Data Removal is Key to Adoption of Data Wiping Software How important is it to receive a tamper-proof certificate ( ed PDF or online portal) displaying all data that has been erased from your device? 35% 35% 21% It would 100% affect my purchase decision It would be a contributing factor in my overall purchase decision It would be a nice perk/ bonus 9% It wouldn t affect my purchase decision at all A key consideration in complying with data protection laws is being able to provide certificates of proof and a physical audit trail that all data has been managed and removed properly. Without proof, it s a matter of taking someone s word for it. As our study found, that s just not good enough. Receiving a tamper-proof certificate displaying all data that s been erased from mobile devices would 100 percent affect the purchase decision of 35 percent of respondents. Plus, it would be a contributing factor in the overall purchase decision of another 35 percent of respondents. Both individuals and businesses need to think about it in the same way they file their taxes. You have to provide proof of everything and the same goes for data management/removal practices. In 2015 alone, there have been several monumental rulings that will change the data privacy landscape forever. In September 2015, the US Court of Appeals ruled that the FTC mandate to protect consumers against fraudulent, deceptive and unfair business practices would also extend to oversight of corporate cyber security practices and failures to comply. Meanwhile, the General Data Protection Regulation has been the subject of debate in Europe for a while now. Expected to be finalized in December 2015, the European Commission, the European Parliament and the European Council have proposed a tiered system for imposing legal fines of up to 2-5 percent of an organization s annual turnover, or 100 million. Much in the same way that law enforcement and national security/intelligence agencies are necessary tools in maintaining law and order in society, legislation plays a similar role in data protection. Without data protection legislation, there is no accountability placed on individuals and businesses for responsibly managing corporate and customer data. Without the threat of real consequences lawsuits, legal fines and reputational damage mayhem will ensue.

15 15 Mobile Users Willingly Open Wallets to Protect Personal Data & Privacy How much money would you be willing to spend on a mobile data wiping solution? 50% 19% 13% 9% 5% 5% $20 $29.99 USD $30 $39.99 USD $40 $49.99 USD $50 $59.99 USD $60 USD or more $10 $19.99 USD Note: Figures may not add to 100 due to rounding. How likely are you to purchase a technology solution that could wipe sensitive data from your mobile device permanently? 21% 29% 31% 20% Very likely Likely Somewhat likely Not likely Note: Figures may not add to 100 due to rounding. When you combine consumers security fears with their extreme reliance on mobile devices, it makes sense that they would be willing to spend money on software that could wipe sensitive information from their mobile devices permanently. In fact, 89 percent of respondents expressed an interest in purchasing a technology solution that could wipe sensitive data from their mobile device permanently. And as our research also found, consumers are more than willing to spend a considerable amount of money on alleviating their data privacy doubts.

16 Final Thoughts & Recommendations 16 Certified Mobile Data Erasure Is the Best Defense While mobile device management (MDM) solutions typically offer security measures such as a firewall, encryption and virtual private network (VPN) support, their data deletion capabilities are limited to remote wipe. While remote wipe might sound like a fail-safe plan, it s not. As researchers from Cambridge University recently discovered, the factory reset on Android devices are faulty and reversible. In fact, it s estimated that as many as 500 to 630 million Android devices might not be capable of completely wiping the data saved in their internal disks and SD cards. That means data can still be recovered. Without a USB connection to a computer running erasure software, which can detect all areas of the memory and initiate a full overwriting of the data, it is still possible to recover data. What organizations need, then, is an enterprise-class, certified mobile data erasure solution that truly protects their mission-critical data and mitigates the risk of data exposure. Look for a solution from a trusted provider that adheres to overwriting standards such as HMG Infosec and DoD M. The solution should also be approved as effective for sanitizing devices by internationally recognized testing agencies such as TÜV SÜD and DIPCOG. Data Overwriting Methods By Device Operating System Apple ios: Because iphone and ipad devices are encrypted by default, they do not require overwriting of all user data areas. However, the encryption key must be overwritten to make user data unreadable and the firmware should be updated. Android: Android devices require overwriting of user data areas. A simple factory reset or reformat is not 100 percent secure and leaves data exposed and easily recoverable after a reset. Blackberry: Blackberry devices require the overwriting of user data areas and the removal of their IT policies. Windows Mobile: Microsoft devices require overwriting of user data areas. A simple factory reset or reformat is not 100 percent secure and leaves data exposed and easily recoverable after a reset. Nokia Symbian: Nokia devices require overwriting of user data areas. A simple factory reset or reformat is not 100 percent secure and leaves data exposed and easily recoverable after a reset.

17 Conclusion 17 Whether it s due to lax internal mobile device management policies and controls, failure to properly erase data from mobile devices prior to reuse or resale, the absence of a defined BYOD program, or a malicious attack by cyber thieves, no person or business is exempt from data breaches. Take, for example, what happened when a hack exposed the names, addresses and social security numbers of 15 million T-Mobile customers who submitted credit applications to Experian from September 1, 2013 to September 16, The implications of data breaches are far-reaching and can include lost customers, lost sales, lawsuits from consumers along with severe legal penalties by governing bodies. Therefore, consumers and businesses must look at mobile security beyond the scope of the devices themselves and approach it from the perspective of information management across the entire lifecycle from creation to transfer to storage to deletion to certification. All groups will reap several benefits from shifting to this new mindset. First, it will allow companies to maintain and prove legal compliance to their customers, while allowing government and enforcement agencies to tighten the grip on data protection regulation. Second, it will bring down costs incurred by organizations for recycling hardware (and even reduce the need for additional hardware). Finally, it will positively impact the environment by reducing the carbon footprint. When it comes to the data deletion process itself, thinking about the full cycle from creation to transfer to storage to deletion to certification is critically important.

18 About Blancco Technology Group 18 Blancco Technology Group is a leading, global provider of mobile device diagnostics and secure data erasure solutions. We help our clients customers test, diagnose, repair and repurpose IT devices with the most proven and certified software. Our clientele consists of equipment manufacturers, mobile network operators, retailers, financial institutions, healthcare providers and government organizations worldwide. The company is headquartered in Alpharetta, GA, United States, with a distributed workforce and customer base across the globe. SmartChk by xcaliber Technologies, a division of Blancco Technology Group, is a global innovator in mobile asset diagnostics and business intelligence. We partner with our customers to improve their customers experience by providing seamless solutions to test, diagnose and repair mobile assets. SmartChk (or Xcaliber Technologies) provides world-class support, pre and post implementation, allowing our customers to derive measurable business results. Contact Us Blancco, a division of Blancco Technology Group, is the global de facto standard in certified data erasure. We provide thousands of organizations with an absolute line of defense against costly security breaches, as well as verification of regulatory compliance through a 100% tamper-proof audit trail. For Sales & Marketing, Please Contact: marketing@blancco.com For Corporate Communications & PR, Please Contact: press@blanccotechgroup.com