The mobile world now plays a far greater part in our lives than ever before. Businesses are becoming reliant on the ability to access and process data wherever they are, and smartphones are one massive driving force behind this evolution of business practices.

However, with portability comes risk. If you can access your data from anywhere, it raises the potential that someone else can. We all take steps to mitigate this risk, such as using strong passwords and limiting access to specific devices. Unfortunately, the result of using strong passwords is that users begin to rely on the 'remember password' functionality of their device. All well and good until the device goes missing.

In this post, we'll be looking at a free piece of software that you can install on Android Devices (Such as the Samsung Galaxy range, the HTC One range and many other phones and tablets) in order to regain control should a device with access to business data be lost/stolen.

Similar solutions are also available for users of iPhones and iPads, but we've not tested those!

A recently published issue with a Security Auditor has highlighted just how much potential there is for the worst to happen when information is requested by someone with a level of authority. In this particular case, the person being asked for the information had the sense to challenge the request, but it's easy to believe that many others would have simply attempted to comply.

The Security Auditor in question was insisting that the following be provided;

• A list of current user-names and plain-text passwords for all user accounts on all servers

• A list of all password changes for the past six months, again in plain-text

• A list of “every file added to the server from remote devices” in the past six months

• The public and private keys of an SSH keys

• An email sent to him every time a user changes their password, containing the plain-text password.

It should be pretty clear to most that this presents a huge security issue, but faced with a Payment Card Industry (PCI) Auditor making the request, how many would simply assume that he “must know what he's doing”?

An article published by the BBC draws attention to a potential attack vector which has enabled a team of researchers to gain 120,000 mis-directed emails within six months, including usernames, passwords, and details about corporate networks.  Is this another potential attack vector that companies should seriously consider as part of their data security, or simply a PEBKAC error?!