Cisco Blogs

Most People Don’t Think about Mobile Security – But They Should

May 2, 2013


By Jason Kohn, Contributing Columnist

In the 20 years we’ve had to get used to the Internet, we’ve learned a lot about web security and our own role in keeping ourselves safe from the nastiest things out there. At the very least, most of us now recognize the need to install antivirus software on our computers and to keep that software updated.

When it comes to the other kinds of computers we use though – our ubiquitous smartphones and tablets – it’s a different story. According to a 2011 report by Canalys, just 4 percent of the smartphones and tablets shipped the previous year had some form of mobile security installed.

A survey of 5,000 mobile users in four countries conducted by AVG Technology earlier this year indicated that 80 percent of consumers were unaware of the risks of malware on their mobile devices. And despite the fact that one in four mobile users stores intimate photos on their device (!), 70 percent of them had no idea that they could use their phone’s security features to remotely delete them if their phone was stolen.

This disconnect between how consumers perceive mobile security and the threat that actually exists is a big problem, and it’s getting bigger.

A Growing Mobile Malware Threat

Darrell Etherington of TechCrunch described the findings of an NQ Mobile study conducted this February:

[The study] found that malware threats in general on mobile platforms grew 163 percent in 2012, totaling more than 65,000 identified distinct forms of app repackaging, malicious URLs and SMS phishing (also known as smishing). The attacks were mostly geared towards Android devices, which was the platform of choice for almost 95 percent of threats identified by NQ….

NQ Mobile’s report found that more than 32.8 million Android devices were infected over the course of 2012, up more than 200 percent from 2011.


A February 2012 survey of more than 4,000 organizations published by security research firm the Ponemon Institute and web security firm Websense echoed these results. According to Kristin Brent at CRN:

“Fifty-nine percent of Ponemon’s respondents said they’ve seen a jump in malware infections over the past 12 months due, specifically, to insecure mobile devices including laptops, smartphones, and tablets. And a pretty hefty jump, at that. Thirty-one percent of those who have noticed a spike in malware cases said the increase was by more than 50 percent.”

Grappling with the Threat

It’s not as if no one recognizes the seriousness of this problem. Enterprises are acutely aware of the risk to their networks posed by mobile device malware. And as more and more of them embark on bring-your-own-device (BYOD) initiatives, they are investing significant resources into finding ways to protect against that threat. Canalys projects the market for mobile security for enterprises to grow at an annual rate of more than 44 percent, becoming a $3 billion market opportunity by 2015.

But what about the millions of mobile device users who don’t work at a company with a mobile security program? At this point, they’re still basically on their own.

Third-party security apps are available in the Google Play Store and Apple App Store for Android and iOS devices respectively. But they require individual users to a) recognize this threat, b) take the initiative to learn about what they can do about it, and c) download, install, and properly configure one or more security apps. It’s a lot to expect of your average mobile device owner.

Stay Safe Out There

For most consumers, the scope of the malware threat remains largely a function of where they live. While mobile malware is skyrocketing worldwide, it’s still relatively rare in North America. In its annual State of Mobile Security report, Lookout Mobile Security reported that, while the threat (especially to Android users) exists worldwide, users in Russia, Ukraine and China are most likely to see an attack on their device.

The report also offered a number of tips to keep your device safe, including:

  • Setting a password for your device
  • Downloading apps only from trusted sources
  • Using caution when clicking any web link
  • Using third-party security apps
  • Looking out for suspicious charges on your bill
  • Downloading device firmware updates as soon as they’re released

All good advice, but it’s advice that many mobile device users won’t end up following. Ultimately, wireless providers and mobile device manufacturers are going to have to take a much larger role on this issue before we see real widespread change in consumer behavior. They can help by:

  • Educating consumers about the mobile security threat and the need to protect their devices—just as the computer industry has done
  • Shipping devices with more robust anti-malware capabilities, and clear instructions for users on how to use them
  • Accelerating their capabilities to detect new vulnerabilities and threats, and push out updates to device software and operating systems to thwart them

It’s a lot to ask of all parties – mobile operators, device manufacturers, software developers, and consumers alike. But for a problem this big and complex, it’s the only way we’re likely to see real solutions.

Share Your Experience

Have you seen mobile malware or another kind of mobile security attack firsthand? Do you use third-party security software on your phone?



  1. Other virtual weapons were created in 2012, like: Flame, Gauss and Shamoon viruses

  2. Jason - and, mobility will less and less be devices as we know it. It's Google Glass today...who knows what it will be in 1, 5, 10 years. Regardless, security will only grow in importance.

  3. Jason, thank you for this post. Mobility is only going to cause an increase in the potential for security concerns from both the inside of an organization and the outside. In this post by Michael Fuhrman here at Cisco, he cites some interesting research that enhances your points and that highlights the need for organizations to consistently enhance traditional defenses based on signatures or reputation with global and local context analysis. Mobility is so much more than a device. I really like your prescriptive solutions.

    • Thanks Melissa, I hadn't read about that attack, it's fascinating. It's certainly a huge deal for enterprises as they bring this stuff into their environments. And just so strange to me that there's such a big disconnect between enterprises and end-consumers regarding basic awareness of this threat. Was it the same way in the early days of the Internet? I seem to recall that very, very early on, people were at least aware that they were at risk when they logged on, even if they weren't always diligent about protecting themselves properly. I wonder if it's going to take a major North American mobile malware outbreak before everyday consumers really start thinking about this.

      • The ultimate security policy will likely need to be forward-looking and not just focus on one or two mobile device categories. As an example, what happens when an employee brings augmented reality glasses into the workplace? See this story about the latest threat

        • Wow, that never even occurred to me, but of course! How can you encrypt passwords when you can "see" exactly what someone's typing? And I'm sure there are dozens of other insecurities that a technology like Glass introduces that no one's even thought of yet. It is definitely a brave new world.