RSAC 2012: Lost or unclaimed devices pose risk to corporate data

After a long week of meetings and tradeshow fun, it’s time to catch-up on missed emails and sort the vast amount of business cards that were collected during the 2012 RSA Conference. Still, some of those who were in California for RSA are scrambling this week, because they left something behind.

One of our meetings last week was with Credant Technologies, a vendor that specializes in data protection. Part of our discussion centered on the risk posed by lost mobile devices, which is anything from USB drives, to laptops and tablets filled with company data. At the time of our meeting with them, Credant had just released the results of a study they did with the hotels serving the conference. Naturally, after reading their research I was reminded of my own security incident involving a lost device in 2011.

[For the curious, the recap of my personal failure is here.]

Focusing on major hotel chains in San Francisco, such as the Four Seasons, Hilton, Holiday Inn, Marriott, and Ritz Carlton, Credant learned that some 2,300 mobile devices are unlikely to make the trip back from the world’s largest security conference this year.

One Union Square hotel chain reported that more than 90-percent of the devices discovered in guest rooms, the bar, or lobby are never claimed. On average, the number of unclaimed devices hit about 45-percent.

Interestingly enough, more than 70-percent of the lost devices are last seen in the Union Square and Financial District area (were many of the common RSA-related hotels are located).

“Protecting data on mobile devices eliminates the long term consequences potentially associated with lost or stolen devices,” said Darren Shimkus, the senior vice president of marketing for Credant.

But another point not mentioned by the survey is that while most of the device owners never reclaim their lost items, it’s possible that someone else can.

It isn’t hard to get a hotel employee to check the lost and found for items with little more than a basic description. For example, more often than not, asking for a known brand or basic description is enough to get them to check and hand something over.

Exploiting the human desire to help is one of the fundamental basics to social engineering. Hotel staffers are trained to assist guests and potential guests. Thus, they’re eager to please, and if the back story is sound enough, a stranger could easily claim those lost devices for you.

Like this article? Please share on Facebook and give The Tech Herald a Like too!