When I talk to IT managers, I almost always hear fears of mobile devices as conduits for sensitive corporate data to leave the company. I don’t know why I keep hearing this. There’s simply no evidence to support this fear. In fact, there’s solid evidence that says mobile devices are not a significant—or even moderate—risk factor.
Every year, I check the Identity Theft Resource Center’s database of personally identifying information (PII) breaches, which require disclosure by both state and federal laws. I’m sure many losses go unreported, and the database doesn’t cover corporate information not containing PII. But if mobile devices were a conduit to data loss, they should show up in this database.
Mobile-linked breaches haven’t shown up in previous years, and they didn’t show up again in 2016—despite the fact that nearly everyone these days uses a smartphone.
What does show up? Paper records, thumb drives, external hard drives, laptops, hacks into databases and storage systems, and successful phishing attempts. Many of the reported breaches involve lost papers, drives, and laptops, where a data thief probably wasn’t involved. But many involve active hacking of IT systems where data theft is the goal. And some involve insiders (contractors and ex-employees) steal data to use themselves, bring to new employers, or—least often—sell to others.
None of the lost, stolen, or compromised devices were smartphones or tablets. That’s probably because encrypted devices need not be reported; they’re presumed safe. iPhones and iPads have long encrypted their contents, and professional-grade Android devices have done that in recent years. In both cases, a simple IT policy can enforce that encryption. It doesn’t take a fancy mobile security tool; Microsoft Exchange can do the trick.
Well, there was one data breach involving a smartphone: A former hospital manager, after resigning, took patient-identifying information by forwarding certain documents such as patient lists to her personal email account.
