The Government Accountability Office (GAO) released a new report that said government agencies need to do a better job when it comes to warning citizens of the security concerns on mobile devices. It was only a matter of time for this alert — the GAO has been more vocal about cybersecurity over the past year. As far as I’ve seen, this is the first time the agency has addressed mobile security.
One of the things the GAO report pointed out is the alarming rise in malware on mobile devices. According to the report:
Threats to the security of mobile devices and the information they store and process have been increasing significantly. For example, the number of variants of malicious software, known as “malware,” aimed at mobile devices has reportedly risen from about 14,000 to 40,000 or about 185 percent in less than a year.
Did I say alarming rise? Wow. I’ve been saying for a long time that we need to think more about mobile security and that it was only a matter of time until the bad guys begin targeting mobile devices. But 185 percent in less than a year is high for devices that a relatively small portion of the population owns.
One of the problems contributing to the increase in malware is the lack of consumer awareness regarding mobile security. Government and private entities promote security practices, although they haven’t been implemented as consistently as they should be, the report pointed out. However, consumers are too often left in the dark about the risks to their devices and aren’t protecting them as well as they should.
I think the GAO is spot on with its concerns about consumer awareness. The average consumer doesn’t understand how at risk their systems are. Ironically, I took an informal poll of a group of my friends on Sunday night about their security practices on their phones. We were talking about having ICE (in case of emergency) contacts on our phones and how someone else would be able to access those numbers if the phone was password-protected. Well, that problem was easily “solved” — only two of us have passwords. So I asked how many had any kind of anti-virus or security apps on their phones, and I was the only one. I think my friends are typical of the average mobile device user who thinks that they don’t have anything to worry about or lose on their phone. After all, Infosecurity stated this:
The GAO said that protection will have to be a multi-pronged effort that takes into account all parties. For instance, mobile device manufacturers and wireless carriers can implement technical features, such as enabling passwords and encryption to limit or prevent attacks. Meanwhile, consumers can adopt key practices, including setting passwords, using two-step authentication and limiting the use of public wireless connections for sensitive transactions, which can significantly mitigate the risk that their devices will be compromised. Unfortunately, many consumers still do not know how to protect themselves from mobile security vulnerabilities, raising questions about the effectiveness of public-awareness efforts.
The bottom line is security has to become more mainstream. We need to talk more about best practices and how to implement them. It could start at the business level — especially in companies that practice BYOD. Many people learn all they know about computer security from work, so why not spread that to mobile device security as well?