A question of trust: Addressing mobile security fears

Mick Ebsworth, Information Security Consulting Practice Director, Integralis

Although we now bank, shop and pay online more than ever using mobile devices, it seems that we are also increasingly concerned about security.  Integralis recently conducted a Trust Survey [1] to examine consumer attitudes to online and mobile device security and found that one in four of all respondents do not trust any company to hold their personal details securely online. 

According to the study, while nearly two-thirds (63 per cent) do trust their bank when doing financial transactions online, which is good news for the high street banks, there is much less confidence in other payment systems and websites, including online retailers, supermarkets and even credit card providers.

When it comes to mobile security, nearly half see smartphones and tablets as less secure than PCs and laptops – in fact just one in ten believe they are more secure.

Despite this, over half of smartphone users admit they do not regularly update the security settings on their mobile phone.  It seems that as consumers, we are also happy to rely on the more traditional security methods like self-set passwords as the best way to keep data secure online. 

Understanding the risks
What is also a cause for concern is that most smartphone users download and install personal apps, regardless of whether it is a personal or work device, which means that phones could be running unauthorised and unknown apps, potentially exposing both individuals and organisations to serious security risks.
 
Organisations need to focus on better educating their employees about the dangers of downloading unauthorised apps and using smartphones to access the Internet, and help them become more security conscious.
 
Protecting in the event of loss or theft
One of biggest security risks when it comes to mobile security is the loss or theft of a smartphone holding confidential personal and business data.  Before last year’s London Olympics, security firm Venafi estimated that 67,000 devices containing 214.4 terabytes of user data would be lost during the event.  This is a staggering number of devices within such a short timespan.
 
Loss and theft continues to be a huge cause for concern but, worryingly, users are not sufficiently protecting their smartphones. Many assume the device manufacturer has taken the necessary measures to protect a mobile user’s sensitive information and this includes credit/debit card details.
 
While the latest phones may offer built-in security software to enable a degree of secure web browsing, they are not 100% safe. Even users in Finland, which has a strong history in mobile technology, have a poor record for mobile security.  A 2011 report from F-Secure revealed that only 52% of Finnish end users change the native passcode or other security functionalities found in the mobile devices.
 
It is not uncommon for end users to not know how they can manage application permissions on their device. Unbeknown to them, some will often compromise their own devices. Even if the native security controls provided by the phone are being followed by the user, there is still a risk of malware.
 
Operating system matters
The type of smartphone a user owns also affects how secure their personal and business data is.  Windows 8 uses sandboxing to provide an increased level of security and is used by MDM (Mobile Device Management) providers.
 
For those that own an iPhone, iOS has a software evaluation process in the App Store but it has been exploited, and some argue it is just as vulnerable as Android if the device has been compromised.  Symbian and Blackberry have lost their market share significantly over the past three years, so are no longer perceived as interesting targets for cybercrime.
 
Mitigation measures
So what steps should we take to help build trust and confidence when using our mobile devices to go online andminimise the risk of our smartphones being hacked?
 
Firstly, users should deploy the native security controls within the phone, including changing the default PIN and setting up passcodes. The most effective way to maintain security is to also back up your device regularly using robust software from reliable, trusted brands.
 
If you own an Android device, download anti-virus for extra precaution. Write down a list of your devices and inform officials/operators in case they are lost or stolen. Lastly, if you are asked to download or give permission to something you do not understand or recognise on your phone, then do not agree to it.  It is better to be safe than sorry.

—————————————————————
[1] Integralis commissioned market research company, Vanson Bourne, to survey 1,000 consumers across the UK during February/March 2013.  The survey titled ‘Consumer attitudes to online data security’ was broken down equally between male and female and by age groups (18-24, 25-34, 35-44, 45-54 and 55+).