The best way to protect business information on smartphones from cybercriminals is to leave that information off smartphones, one mobile security expert said Thursday.
Mobile security is still evolving, and smartphones are vulnerable to hackers and to social engineering schemes, said Andrew Hoog, chief investigative officer at viaForensics, a security vendor. Cybercriminals are starting to target smartphones, Hoog said at a cybersecurity summit in Washington, D.C., hosted by the Computing Technology Industry Association (CompTIA)
Mobile devices combine personal information and corporate information, Hoog said. "It becomes a much richer target."
ViaForensics recently completed a review of 100 popular mobile applications, Hoog said. Eighty-three percent of those apps either warranted a security warning from the company or failed the company's basic security tests, meaning they stored sensitive data insecurely, he said. The company gave warnings to apps that store app data in an unencrypted form.
Ten percent of the apps tested stored passwords in plain text, and 25 percent of the financial apps failed the company's tests, Hoog said.
"It is possible to build secure mobile apps," he said. "But when we're just scratching the surface, just looking for the most basic information, at this point in time, we're recovering enormous amounts of data on these devices."
Part of the problem for corporate IT departments is that employees are bringing in a wide variety of mobile devices to use in business settings, added Brian Contos, director of global security and risk management at McAfee
"Fundamentally, the problem with mobility is that the technocracy is over," Contos said. "It used to be that ... the IT people would say, "this is what we're going to run, this is how we're going to run it, these are the applications you're going to use.'"
Contos told the audience that he was at an organization in Bogota, Colombia recently. "They had all their auditors, all their IT folks, standing up there and telling their CIO why they shouldn't allow mobile devices on their network," he said. "They had charts, graphs, tables. After about an hour, they made their point, and the CIO stood up and simply said, 'But I love my iPad.'"
In addition, mobile app and OS developers want to make their products easy to use, added Allan Friedman, research director at the Center for Technology Innovation at the Brookings Institution. Criminals using spyware and other schemes count on split-second decisions by smartphone users, he said.
"The challenge for security is, to have someone make a good decision, you need to force cognition," he said. "You need to actually make them think. This is the opposite of usability."
Some corporate IT departments are turning to outside consultants for help with securing mobile devices, Hoog said. Many company CIOs are saying they have "a million other things to worry about," he said. "It's too much for an IT department to take on and become an expert in, but it's too important to ignore."
Some mobile security vendors have tools that can make mobile devices much more secure than they are out of the box, he said. Hoog described mobile security as a race between security vendors and cybercriminals. "If we get to them first, we win the race," he said.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is firstname.lastname@example.org.