Around 190,000 mobile phones are found in the back of London’s taxis every year.
Research by ESET of 300 London taxi drivers found that the average taxi driver finds eight mobile phones in the back of their cab every year, and with 24,000 black cabs in London, this equates to 190,000 devices.
The survey also found that half of the devices found in taxis are completely unlocked, while two-thirds (68 per cent) admitted that they would have a look at the phone if they found it to be unlocked. A quarter admitted that they often hand devices into the police, while only 14 per cent would contact the owner.
Mark James, security specialist at ESET, said: “Our study shows that despite the huge publicity cyber crime receives in the media today, consumers still do not see themselves as a real target. This is naïve and wrong. Cyber criminals are well aware of the fact that our mobiles contain connections to corporate networks and sensitive information and they will take advantage of this.
“Consumers should as an absolute minimum use a password to protect their device in case it is ever lost, however a good security posture would include encryption and a remote wipe facility. While our study has proven just how honest taxi drivers are, sadly not everyone who finds a phone will take the same approach. I imagine the majority of people who find a phone will actually have a look around and see if there is anything of any interest or value to be found.”
Rowenna Fielding, information governance manager at the Alzheimer’s Society, told IT Security Guru that a recent risk assessment highlighted that it doesn’t occur to the average individual that data on phones could be monetised and misused, unless it is pointed out to them.
She said: “Those of us in the business have to think like the ‘bad guys’ in order to protect against them, perhaps sometimes we forget that this is a specific mindset which is not shared by the population at large.
“It may be that some organisations have conducted a cost/benefit analysis and decided that the time, effort and expense of enforcing locking of phones actually outweighs the risk of data loss or exposure from lost or stolen phones. This may have been an acceptable trade-off for older ‘dumbphones’ which have limited data storage, no apps, no enterprise management tools and clunky interfaces, but smartphones introduce a whole new level of risk and any organisation that hasn’t updated their risk assessment to incorporate new technology may be in for a nasty surprise one day.”
In the risk assessment, Rowenna said that she and colleagues were balancing the need to protect information on phones by locking the keypad, against the need for staff to be able to quickly access the lone workers monitoring system, which uses a keypad shortcut to operate.
She said: “We came to the conclusion that the phones should have an automatic keyguard lock on a timeout which requires a PIN to unlock: the risk to the organisation and the people we support from exposure of the data on lost or stolen phones was greater than the risk to staff who may need lone working support in a hurry, since locked phones could still be used to call the emergency services if needed. A lot of work involved in securing a small lump of plastic and metal!”
Jon Baines, chair of the National Association of Data Protection Officers (NADPO) said that if these figures are correct, it shows an extraordinarily lax approach to de
vice security by a huge number of people.
“It’s not difficult to implement basic lockdown and encryption measures which would defeat most attempts to access private information on phones,” he said.
“If some of these unlocked devices are used for business purposes, then serious data protection concerns are raised. The law requires companies who handle personal data to have appropriate security measures in place to safeguard the data against loss. Failure to do so exposes those companies to enforcement action. Last year a sole trader was given a £5,000 penalty by the Information Commissioner after an unencrypted laptop was stolen from his car while he was sitting in traffic, and I could easily imagine similar, or larger, penalties being handed to firms who lose unsecure mobile phones.”
Asked if the case was employees not really caring about corporate devices, Fielding said that some organisations deduct the cost of a lost device from the worker’s salary to encourage more care of company mobiles, but that may soak up just as much expense in the effort of administration as the hardware was worth in the first place.
She recommended a layered approach to mitigate the risk from lost devices, including: user communications; policy, police and process; and the use of technology such as mobile device management.
James said: “What people need to start asking themselves is – could any of the data held on my mobile compromise me personally or professionally if it fell into the wrong hands? If the answer is yes, which I expect it will be, then security on your mobile device must be a priority, not an afterthought.”
