In this era of genius hackers and malware that can bring an entire corporation to its knees, the scariest threat to mobile security is. the users themselves.
Software developers generally have done a good job keeping evil-doers at bay, according to a study of 789 users released earlier this year by In-Stat. While banks, hospitals and a host of other industries struggle to deal with online hackers, the world of wireless communications is about as secure as its fixed-line counterpart, In-Stat found.
Operator error
It’s the users who are the problem, according to the market research firm. Smartphone users-who, presumably, have more sensitive information on their handsets than feature-phone users-are 40% more likely to lose their devices. Many refuse to accept even the most basic security policies, and information-technology departments are often all too willing to allow users to determine the content and applications they use on their phones.
In-Stat’s findings were echoed in an August report from Cisco and the National Cyber Security Alliance. The study of more than 700 employees in seven countries indicated that 73% of mobile users said they were not always aware of security threats and best practices when working on the go, and more than one-fourth admitted they “hardly ever” consider security risks and “proper behavior.”
“Businesses are increasingly entrusting more and more employees with access to corporate information anywhere outside of the office, and this doesn’t need to be a growing concern-not if the proper security technology and I.T.-user engagement model is in place,” said Ben Gibson, director of Cisco’s wireless and mobility solutions. “After all, embracing mobility and truly leveraging the power it gives businesses-agility, access, responsiveness, efficiency-requires protecting and educating employees to prevent them from undermining this value. This is a role I.T. can and should play more proactively than they traditionally have in the past.”
Owning the device
InsightExpress conducted the study, which was commissioned in part by Cisco-which, of course, peddles mobile security solutions. But Bill Hughes, principal analyst for In Stat’s wireless research group, agreed with Gibson’s sentiments, noting that employees not only are often unaware of existing security features, many are unwilling to use the ones they know about. Even simple safeguards such as passwords go unused too often, Hughes said, and users rarely take appropriate measures-like calling their I.T. departments-when their devices are at risk.
“Only half the devices used for business are paid for by the company,” Hughes said, making the mobile phone unlike almost any other piece of equipment in the enterprise. While about one-fourth of U.S. businesses are taking more control of their mobile communications, nearly as many are moving the other direction.
“It’s a very volatile decision-making process; a lot of companies are deciding to move this expense more toward the employer,” he explained. “I just can’t-it would be hard to take a business professor who came off an island after 10 years and try to explain to them why this expense is treated so dramatically different than any other business expense.”
Companies that allow their employees that kind of leeway will only become more vulnerable as hackers begin to focus more on handheld devices. Nasty viruses and worms aren’t much of a danger in these early days of mobile data, despite Chicken Little-style press releases from anti-malware developers. But the risks of using a smartphone will only increase as those devices continue to expand beyond high-end executives and into the mainstream.
Boom for security vendors
That trend will result in a boom in the mobile device management space, according to new figures from Frost & Sullivan. The firm recently predicted anti-malware vendors worldwide will ring up nearly $2.2 billion in sales in 2014, more than tripling this year’s revenues.
“Mobile phones are becoming ever more sophisticated; smartphone usage is rising, while advanced capabilities such as MMS, Bluetooth and Internet access are increasingly becoming standard features in phones,” said Frost & Sullivan analyst Katie Gotzen. “However, few people realize that it is these extra capabilities that make mobile malware attacks possible.”
I.T. departments, of course, are often loath to embrace new technologies for fear of losing control of their domains, so it’s likely to be employees who drive uptake of smartphones. And, as Microsoft Corp. CEO Steve Ballmer noted at CTIA Wireless I.T. & Entertainment 2007 last month, that demand is likely to lead to increased friction between employees and the techies who are charged with managing their devices.
It may take a high-profile mobile security breach to get businesses to pay attention and allocate serious resources. Indeed, businesses only began to pay attention to their online security policies after a rash of disastrous mishaps, and many companies are still struggling to find ways to keep their digital information secure.
“It’s going to happen; the only question is if there’s going to have to be some big, embarrassing case to motivate companies” to centralize their mobile communications, said In-Stat’s Hughes. “I hope to see it increase, mainly because I made it my mission in life to change that. I really want I.T. professionals or any executives to question their mobile strategies.”
