Mobile security - how worried should you be?
While security vendors often over-hype mobile threats, IT leaders cannot afford to be complacent
Mobile security has made the mainstream press recently, with high-profile celebrities including Prince William and Hollywood actress Scarlett Johansson having had their mobiles hacked in recent months.
And security vendors are keen to tell the enterprise that it has more at risk than compromising photos being posted to the internet.
Last week, leading security firm McAfee launched a new product offering simultaneous protection for mobile devices and desktops.
Browse the product lists of any of the other major security firms (Symantec, Trend Micro, Kaspersky) and you’ll see that they all shout about their latest mobile security tools. But are they really necessary or are these security companies bigging up a not-really-very-significant mobile threat?
Threats to mobile devices do exist, with the DroidDream trojan found to be infecting several apps on the Android Marketplace earlier this year, but whether mobile threats compare with those targeting desktops, servers and datacentres is another question.
Ant Allen, research VP at analyst firm Gartner, says that the immaturity of the mobile market actually means this is a more difficult channel for cyber criminals.
“Some aspects of security may be less of an issue on mobile devices than on corporate PCs. On the desktop side we’ve got a homogeneous environment with mainly Windows PCs in most enterprises, but there are many mobile platforms and this may hamper writing malware,” says Allen.
Allen adds that the way in which users download software to their mobile devices also complicates matters for the bad guys, as most app store operators, including Apple’s iTunes store, check submissions for cyber threats before they allow them to be offered to their users.
“There are some aspects of control in app stores which make it harder to put malware on mobile devices,” says Allen. But he acknowledges that the threat will only increase as time goes on. “The potential of exposing data on mobile devices will become more of an issue over the next few years.”
An argument against believing the hype and installing a suite of mobile security solutions is that it potentially takes away one of the great strengths of the medium: its simplicity and convenience.
“Users want to maintain that good experience, and the more you try to manage and control access to the device and the data, the more the users will complain. That needs to be balanced against security needs,” comments Allen.
Gartner argues that by 2014, 80 per cent of mobile professionals will use at least two personal devices to access corporate systems and data.
So clearly, the issue of mobile security is one that enterprises have to get right, meaning it is important to separate the real threats from those that are less pressing.
Allen explains that the use of Wi-Fi can pose a problem, especially in the public space.
“If you’re in an unencrypted public Wi-Fi hotspot sending sensitive information to an unencrypted web site, someone might be able to read what you have written.
“Then there are targeted trojans. We’ve seen malware attacking people doing banking or shopping from mobile devices.” However, he explains that it is often not the technology but the people who are the main problem.
“People often lose their device, it’s recycled with information on it, and configuration errors cause data loss opportunities. The users themselves can make devices more vulnerable.
“So it’s not so much exotic attacks over the air, but information that’s exposed when people get their hands on the device.”
He added that social engineering, where users are convinced to willingly hand over personal information, remains a challenge.
“People will still give their passwords to sites they shouldn’t. That’s not a device problem, it’s a human problem.”
However, in Allen’s view the biggest problem is the security vendors themselves, who often blow potential threats out of all proportion.
“The biggest problem is the mobile security vendor press release. Every time something happens certain vendors will cry wolf.
“It’s important to read these stories carefully to check whether the problem is genuine and applicable to you, or to see if it’s a potential and not a real threat today.”
So while threats to business mobile users do exist, they perhaps are not quite as widespread, or as damaging, as we are led to believe.