Everybody loves mobile, right? We use it for everything—social media, finding restaurants, checking out appliance pricing, even banking. One wears mobile devices as unconsciously as one wears clothes.
Thing is, crooks love mobile even more.
They know the big secret, which is: Most of their potential victims have little clue about how vulnerable their lax security measures make them.
A few recent and unrelated surveys each come to a troubling conclusion—consumers’ perception of mobile safety stands at extreme variance with the reality of mobile cyber risk.
It’s not as if we just don’t have a clue
Survey No. 1: The Pew Research Center tabulated results from 1,055 adults last summer who provided answers to a 13-question cybersecurity quiz. The result: “Despite the risk-reducing impact of good cybersecurity habits and the prevalence of cyber attacks on institutions and individuals alike, [the survey] finds that many Americans are unclear about some key cybersecurity topics, terms, and concepts.”
Granted, some of the questions really are fairly technical. And, granted, in many cases, people just answered “unsure.” However, the typical respondent answered only five of the 13 questions correctly; 20% answered more than eight questions accurately; just 1% got them all correct.
First the good news: 75% correctly identified the strongest password from a list of four options, and 73% were aware that if a public wi-fi network is password-protected, it does not necessarily mean that it is safe to perform sensitive tasks such as online banking. Also, 71% identified an example of multi-factor authentication from a list of four.
However, things trend downward from there.
• Barely half could identify phishing attacks
• … or knew that turning off the GPS function on a smartphone does not prevent all tracking of that device
• … or knew what ransomware is
• … or knew that wi-fi traffic is not encrypted on all wireless routers.
Only a third knew what the “s” means in “https” (information is encrypted on the site), and 16% knew what a botnet is and how criminals can use it.
We may not recognize that we’ve been mugged
Moving on, Survey No. 2: Blumberg Capital, a San Francisco-based early-stage venture capital firm, in cooperation with Researchscape International, surveyed 1,012 U.S. adults about their cybersecurity knowledge.
One set of telling results:
60% believe they have never been a victim of cyber hacking or are unaware if they have—yet 45% admitted to not being able to recognize a cyber crime unless contacted by a vendor or law enforcement authorities.
“Consumers vastly underestimate cybersecurity threats and don’t know how to identify, respond, or protect themselves from future attacks,” says David Blumberg, founder and managing partner. “Naiveté and arrogance are a really dangerous combination. The cybersecurity landscape is complex and ever-evolving. Bad actors are constantly finding new ways to bypass security measures to infiltrate confidential systems and steal information or sabotage infrastructure.”
Blumberg adds this sad truth: “Even experts can miscalculate how to mitigate risks and existing security solutions are no longer enough, especially in areas such as IoT or cloud security.”
More on several of these points in a moment, but first a few more results from the Blumberg Capital survey:
• 39% are concerned about potential hacks of laptop computers
• 38% are concerned about potential hacks of their devices such as smartphones and IoT-connected appliances.
• The most common actions taken in response to a cyber attack were to change a password (74%) and to contact the bank (46%).
• Consumers are least concerned about protecting work email passwords (10%) and online dating passwords (9%).
Cloud users interact in a fog
Speaking of cloud security (mentioned above), here’s Survey No. 3: Clutch, a B2B ratings and reviews firm, surveyed 1,001 Americans about their use of cloud-based apps. Result: More than 30% who said they use popular cloud-based apps also claim to not use or access information in the cloud.
Meaning, there is great confusion about what it means to use the cloud—and it’s not all the users’ fault.
“From private cloud, managed private cloud, to in-house and public cloud, there are many different technologies which can be referred to as ‘cloud,’ but are very general,” says Alexander Martin-Bale, director of Cloud and Data Platforms at adaware, an anti-spyware and anti-virus software program. “The reality is that knowing exactly when you’re using it, even for a technical professional, is not always simple.”
“What, me worry?”
Speaking of technical professionals, here comes Survey No. 4 (actually a two-fer): Thycotic, which provides privileged account management solutions, in its own survey of customers found that 53% of social network users have not changed their passwords in more than one year—including 20% who have never changed their passwords.
Meanwhile, the company cites a Forrester Research survey that found that 80% of all cyber security attacks involve a weak or stolen password. Tellingly, this survey found that nearly 30% of security professionals have used or still use birthdays, addresses, pet names, or children’s names for their work passwords.
“The fact that the people who are in the trenches of the day-to-day security for businesses are using weak passwords for their credentials is shocking and unacceptable,” says James Legg, president and CEO at Thycotic.
Maybe there’s hope yet
One more, Survey No. 5, which hopefully will lead to a way out of all this depressing stuff.
Forcepoint Research, a cybersecurity leader, did its own survey of cyber professionals, this one to gauge the importance of understanding user behavior as users interact with sensitive digital data.
The study found that 80% believe it’s important to understand the behaviors of people relative to intellectual property and business data, but only 32% are able to do so effectively.
Also, 78% believe understanding user intent is important, but only 28% currently have this capability.
“For years, the cybersecurity industry has focused primarily on security technology infrastructures. The challenge with this approach, however, is that today’s infrastructures are ever-changing in composition, access, and ownership,” says Matthew Moynahan, CEO, Forcepoint Research. “By understanding how, where, and why people touch confidential data and IP, businesses will be able to focus their investments and more effectively prioritize cybersecurity initiatives.”
Will tech solutions be answer to tech risks?
What can be taken from all of this?
First, it’s hard to believe that the vast mobile audience will suddenly wake up to the need to take personal responsibility for their own security, at least any time soon. That’s just reality and human nature.
At the same time, institutions charged with providing mobile services while protecting customer information—namely, banks—can’t just sit back and say “Oh, well.”
The answer, which seems to be the answer to everything these days, lies in the ever-increasing sophistication of technology.
Some advice may be obtained in a recent white paper issued by the Secure Technology Alliance, formerly known as the Smart Card Alliance, titled Mobile Identity Authentication.
“Mobile ID authentication provides an answer to the security vs. usability conundrum that many organizations face with authentication, especially now that users expect to use their mobile devices to connect to services without manual entry of personal information that could be compromising their security,” says Randy Vanderhoof, executive director of the Secure Technology Alliance.
Along parallel lines lies the prospect of turbocharging the analysis of customer data in order to better know the customer—both for detecting criminal actions and for protecting legitimate customers.
Jenna Danko, writing in a financial institutions-related blog for Oracle, says in part: “The fact is that although a lot of institutions feel limited to the data available in siloed databases, or to that which customers provide, many have the potential to access a much bigger pool of data in various formats residing in data lakes. With the right investments, this data can provide a much better insight into who clients are and, ultimately, a better assessment of their risk to the institution.”
In other words, if, through sophisticated analytics, banks can at least know who their real customers are, they can provide them security which they may not know to provide themselves, while weeding out the imposters. All of which will ultimately pay off for everybody.
(Full disclosure: Yours truly took a modified version of the Pew Research test mentioned above, and got 10 of 10 correct, something which 1% of those formally polled did. To be honest, several questions were guessed at by choosing the most cynical-sounding options of the choices given. Take the test yourself.)
Sources used for this article include: