Sophos: poor mobile configuration is as dangerous as malware

There are more risks to enterprises making use of mobile devices than just malware; these include location tracking and poor device configuration, according to Dr James Lyne, director of technology strategy at security firm Sophos.

Lyne said that the bigget challenge with mobile device security is not the growing volume of malware, but users' misconception that the devices are safer than their desktops.

"The biggest mobile security issue will be that users believe the devices are secure. Our biggest problem is awareness," he said.

Lyne added that most users are not aware that mobile devices give out a great deal of sensitive information when on a default setting.

"Mobile devices give away a hideous amount of information constantly. They continually broadcast the names of previous networks they've connected to when trying to find them.

"Cyber criminals can then create a network with the same details, and these devices will blindly connect to them."

The person who has set up this network will then be able to steal any unencrypted information that is passed along it.

Lyne said that this configuration issue affects all mobile devices, from smartphones to tablets.

"It's not malware that's the problem, it's the configuration of the device. It can affect iPads, iPhones or anything else."

He also explained that many devices tag photos and sometimes blog posts (including Twitter entries) with geographical data that cyber criminals can use to map out a mobile user's routine, including their work and home addresses.

"You wouldn't give out your postcode to a stranger on the street, but we upload photos that contain GPS info up to the web.

"Cyber criminals can figure out where you work and live, and when you go on holiday, and this information can be published on sites like pleaserobme.com."

Lyne advised IT departments to regularly update their mobile security strategies, and to ensure staff are made aware of the dangers.

"Define a six month not a three year mobile security strategy. Technology is moving too quickly, and needs to be regularly appraised.

"Wrap mobile security into education and awareness training. If we start investing now in having users apply the same best practices to mobile as they do to desktop, then there won't be a lag when adoption goes mainstream," he concluded.