Is Mobile “insecurity” the “in” thing?

On 22nd May, CTIA-The Wireless Association® released its consumer survey on users’ attitudes toward cybersecurity.

 

Commissioned by CTIA, the Harris Interactive survey shows that 85 percent of consumers know their mobile devices are very or somewhat vulnerable, 74 percent say keeping their devices secure is their responsibility, but many don’t take action.

 

However, consumers are more likely to be aware of and protect themselves against a tangible threat, such as having a device stolen, than an intangible threat such as malware or hacking. Consumers whose devices were lost or stolen were more likely to use PINs or passwords than those who didn’t have their devices lost or stolen (69 percent versus 47 percent), but no more likely to take any other proactive actions, such as remote locking, tracking and/or erasing apps (45 percent versus 41 percent).

 

 

Oddly, only one in five view smartphones as mini-computers, but more than half (53 percent) view cybersecurity the same way on mobile devices as they do on computers. Less than a third (31 percent) installed an anti-virus program on their smartphone, compared to 91 percent on a laptop. Thankfully, consumers are nearly as likely to run updates on their smartphones (66 percent) as on their laptops (69 percent).

 

Yet the survey clearly shows that there is a disconnect on cybersecurity between consumers’ awareness and their actions.

 

However, consumers are beginning to take valuable steps to protect themselves and their information. A majority of consumers (66 percent) review their wireless bills for suspicious activity at least once a month. Of those who use their mobile devices for online banking, more than half (56 percent for tablets and 55 percent for smartphones) use encryption or security software.

 

When asked what would prompt them to add a password or install anti-virus software on their personal tablets or smartphones, 35 percent said having a friend or family member suffer a security breach; 33 percent said an app that reminds them to update anti-malware software or to change the PIN; 32 percent said a tutorial that prompts them; 27 percent said a friend’s advice; 26 percent said advice from a device or network provider; and 23 percent said media stories that explain the benefits.

 

Of these same consumers surveyed, two thirds (67 percent) believe industry is better equipped to write cybersecurity regulations than the federal government.

 

The complete survey can be downloaded from https://ctia.it/18Lzlv3.

 

At the same time, on 23rd May, the United States published the first government-wide set of mobile computing security guidelines. The guidelines include a baseline of standard security requirements for mobile computing, a mobile computing decision framework for federal agencies and a mobile security reference architecture.

 

These are available for download at:

• Federal-Mobile-Security-Baseline
• Mobile-Security-Decision-Framework
• Mobile-Security-Reference-Architecture

 

Defining what works and what doesn’t in mobility makes sense, given that the number of Internet-connected mobile devices already outnumbers PCs and will soon outnumber the worldwide human population.

 

The Federal Mobile Security Baseline provides federal agencies a minimum set of security controls for mobile devices.

 

The standards address major access-, application-, data-, device- and identity-management challenges, as well as mitigation techniques agencies should use to deal with threats at the application, device and network levels. The standards also identify five high-level user communities for digital services, outlining use cases from non-sensitive public data to top-secret data accessed on national security systems.

 

The Mobile Security Decision Framework, meanwhile, is designed to assist in determining what mobile capabilities most effectively support an agency’s mission. At its core, it is a decision-making process feds can use to select the right mobile computing solution for their agency, and divides the process into four stages: mission requirements, decision balancing, risk-based tailoring and results.

 

The majority of the decision-making process centers on the risk-based tailoring stage, wherein frameworks like NIST Special Publications 800-37 and 800-39 help agencies weigh risk across seven categories.

 

The Mobile Security Reference Architecture details the components agencies need to implement secure mobile services throughout their enterprise architectures. It was produced by the Federal CIO Council and DHS’ National Protection and Programs Directorate Office of Cybersecurity and Communications Federal Network Resilience.

 

The document describes the MSRA as a “living, flexible” guide, adaptable enough for any department, that provides an in-depth reference architecture including:


• Components of a mobile computing reference architecture;
• Categories for users of a mobile computing architecture;
• Sample implementations of a mobile computing architecture;
• Management and security functions of a mobile computing architecture;
• A discussion of the threats to mobile computing devices and infrastructures, and potential mitigations for those threats;
• Information assurance controls that apply to the mobile infrastructure components, and their relation to NIST Special Publication 800-53 rev4;
• A set of considerations for High Risk environments; and
• A discussion of the policy considerations necessary for the secure adoption of a mobile solution.

 

 

Given the complexities and the growth trajectory of mobile computing, it is high time that Indian organisations also draw up plans to combat the security risks involved in mobile computing.
