It’s great having access to corporate email while my mobile device is offline. If I’m on a plane, or if network access doesn’t work in a particular area, I can still read and reply to my email. But offline access, which is provided via a local database of downloaded email on my phone, has its risks. If my phone is lost or stolen, all of my email history (whatever period has been downloaded; Apple Mail defaults to one month) is exposed via this local database.
To reduce this risk, many MDMs offer the ability to wipe lost or stolen mobile phones. But if the phone becomes disconnected from the Internet, there is no way to wipe it. In addition, due to slow reporting, the phone may not be wiped for 24-48 hours after it is lost. This is the risky period during which the thief can scan the phone for sensitive information.
Symantec’s HoneyStick project simulated people losing their phones to see what people would do when they found a phone. The research found that there was an average time of only 10.2 hours after the phone was “lost” before an access attempt was made. This means that lost phones have to be reported and wiped very quickly to avoid potential data exposure. Because many people don’t actually realize that they have lost their phone for 12 to 24 hours (they continue looking, thinking that it must be at work or at home), it is very difficult to wipe the phone before exposure.
Another finding of the research was that attempts to access a corporate email client occurred on 45 percent of the devices. This reconfirms that email is one of the highest-risk areas.
TITUS Mail has a number of policies which can be used to secure corporate email. Among the many policies provided by TITUS Mail, the geofencing policy was highlighted in a previous blog.
Have other ideas on how to make mobile email safer? We’d love to hear from you.