The best way to protect business information on smartphones from cybercriminals is to leave that information off smartphones, a mobile security expert said last month.
Mobile security is still evolving, and smartphones are vulnerable to hackers and to social engineering schemes, said Andrew Hoog, chief investigative officer at viaForensics, a security vendor.
Cybercriminals are starting to target smartphones, Hoog said at a cybersecurity summit in Washington hosted by the Computing Technology Industry Association. And because a smartphone combines personal information and corporate data, he said, "it becomes a much richer target."
ViaForensics recently reviewed 100 popular mobile applications and found that 83% of those apps either warranted a security warning from the company or failed the company's basic security tests because they stored sensitive data insecurely, he said.
The security failures included storing data and passwords in unencrypted form. "We're recovering enormous amounts of data on these devices," Hoog said.
Part of the problem is that employees are bringing in a wide variety of mobile devices to use in business settings and IT departments no longer have control over the technology, added Brian Contos, director of global security and risk management at McAfee.
In addition, mobile app and OS developers want to make their products extremely easy to use, said Allan Friedman, research director at the Center for Technology Innovation at the Brookings Institution. Criminals using spyware and other schemes count on split-second decisions by smartphone users, he said.
"The challenge for security is that, [in order] to have someone make a good decision, you need to force cognition -- you need to actually make them think," Friedman said. "This is the opposite of usability."
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.