F-Secure conducted a survey in nine European countries and Japan, and collected responses from employees at small, medium and large companies. The survey asked users a number of questions about cyber security at their organizations, including information about mobile security.
First, the good news. 84 percent of survey respondents said their company either has a solution to secure their mobile devices, or felt that it would become a priority within the next 12 months. 88 percent of Finnish and Swedish respondents, and 87 percent of German and Polish respondents, fell into this category, making mobile security solutions more popular in those countries compared to others included in the survey.
However, only 73 percent of Japanese respondents said they had or were planning on getting a mobile security solution, making them far less popular in that country than in other countries in the survey. The remaining 27 percent answered their companies had no plans to get a mobile security solution, or they didn’t know.
The three most common reasons given by respondents in all countries for not having or planning to have a mobile security solution were:
- 33 percent of respondents said that mobile devices do not contain sensitive assets/data
- 26 percent of respondents said that their company does not utilize mobile devices for business
- 25 percent of respondents said that securing mobile devices is not a priority compared to other security priorities
But overall, it looks like many companies want their employees to stay protected from crimeware.
But Here’s the Bad News…
While mobile malware overwhelmingly targets Android devices, it’s still a relatively small amount when compared with Windows. But that doesn’t mean relying on Android, or what companies are doing to secure the devices their employees are using, is going to pay off in the form of reduced data breaches or other security incidents.
The same survey found that less than 32 percent of respondents wanted more information about general security best practices – a data point that F-Secure Security Advisor Sean Sullivan found alarming.
According to Sullivan, the growing dominance of Android devices compared with other operating systems means companies need to revisit how best practices are being followed on mobile devices.
“Multiple data sources point to serious problems with how people are securing their Android devices. So while efforts to implement mobile security or mobile device management solutions in companies are commendable, organizations need to provide some guidance on how to use these devices safely and responsibly in a corporate environment. You don’t want staff relying on habits picked up from their personal use to carry over to their jobs.”
Operating system updates demonstrate Sullivan’s concerns. According to F-Secure’s recent State of Cyber Security report, Android devices receive OS updates far less often than iOS. Even though Google frequently releases Android updates, device manufacturers aren’t always consistent in making these updates available to end users. Publically available statistics from Google Play confirm that most people are currently using outdated versions of Android. And while the two ecosystems are quite different, software updating is integral to keeping devices secure, regardless of operating system.
Not using lock screens is another basic security faux-pas common amongst Android users. According to a recent report from Google, less than half of Android users have a lock screen for their device – a figure Sullivan said highlights the kind of basic oversights companies need to address.
“There’s nothing easier than phishing for information using a lost or stolen device. A phone with contacts and accessible email and SoMe accounts is all anyone needs to steal another person’s identity. Lock screens that use PIN codes is a minimal security precaution, and not using them is the kind of security problem that companies need to crack down on,” said Sullivan.
So what are the best practices people should be using to secure Android phones? Here’s what you should start with:
- Use a password-protected (with both letters and numbers) lockscreen.
- Encrypt both the contents on the device and your internet traffic.
- Use a device from a vendor that provides frequent, timely updates.
- Avoid downloading apps from third-party sources.
- Backup your files in case of a ransomware infection (mobile ransomware exists).
- Install a mobile security solution (even if your company won’t provide one for you).