Since about 2015, mobile devices (smart phones and tablets) have outsold desktop operating systems. The trend away from traditional computers (laptops and workstations) toward mobile devices continues to widen each year [1]. The so-called “mobile wars” are over; mobile devices have won by a landslide.
It has been long assumed that mobile devices are a greater security risk to both individuals and organizations because they are easily lost or stolen and lack mature security management. New research brings to light additional security problems that are unlikely to be solved even with better software or network mobile device management.
University of Pennsylvania researchers have just published a groundbreaking peer-reviewed paper entitled “Full Disclosure: How Smartphones Enhance Consumer Self-Disclosure” [2]. Some reviewers of the research are even calling the effect of smart phones on humans “Digital Truth Serum” [3].
The study shows that when using a smart phone, users are much more likely to willingly enter sensitive information about themselves, their company and/or their family compared to when using the equivalent app or service on a workstation computer.
Authors Shiri Melumad and Robert Meyer describe why:
"Writing on one's smartphone often lowers the barriers to revealing certain types of sensitive information for two reasons; one stemming from the unique form characteristics of phones and the second from the emotional associations that consumers tend to hold with their device."
"Because our smartphones are with us all of the time and perform so many vital functions in our lives, they often serve as 'adult pacifiers' that bring feelings of comfort to their owners."
"Similarly, when writing on our phones, we tend to feel that we are in a comfortable 'safe zone.' As a consequence, we are more willing to open up about ourselves."
Social Engineering techniques account for the vast majority of compromises, network intrusions and damages. Emotional attachment to mobile devices means that Social Engineering attacks aimed at mobile users are going to be far more successful.
Our principal defense against Social Engineering exploits is a mixture of organizational policies, security awareness training, security awareness exercises (e.g., mock phishing attacks, “Pen Testing”) and adopting security maturity models.
Armed with this new knowledge about how users think and feel about their mobile devices, we can better address and mitigate security problems. For example, if an organization is using practice phishing emails to train employees or to gather maturity metrics, we now know that these exercises must include emails that are opened on a mobile device. Changing when these emails are sent (such as when users are likely to be away from a workstation) could provide a better exercise, more accurate information and more effective testing models.
Additionally, Security Awareness training, mobile device policies and BYOD policies should be re-evaluated to determine whether the behavior change between workstations and mobile devices is properly mitigated.
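As an added illustration (not code from the post, the paper, or Cadre) of the metric gap described above, the script below segments a mock-phishing export by the device class seen on open, reports the click rate per class, and flags a campaign whose mobile share of opens is too small to say anything about mobile behavior. The CSV layout, the User-Agent heuristic and the 30% coverage threshold are assumptions; the sample export is constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Assumed heuristic: these User-Agent tokens mark a phone or tablet.
MOBILE_UA = re.compile(r"iPhone|iPad|Android|Mobile", re.IGNORECASE)

# Constructed sample export (assumed layout: one row per event), not real data.
SAMPLE_CSV = """user,event,timestamp,user_agent
alice,sent,2020-05-04T09:00:00,
alice,opened,2020-05-04T09:05:00,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
alice,clicked,2020-05-04T09:06:00,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
bob,sent,2020-05-04T09:00:00,
bob,opened,2020-05-04T18:40:00,Mozilla/5.0 (iPhone; CPU iPhone OS 13_4 like Mac OS X)
bob,clicked,2020-05-04T18:41:00,Mozilla/5.0 (iPhone; CPU iPhone OS 13_4 like Mac OS X)
carol,sent,2020-05-04T09:00:00,
carol,opened,2020-05-04T19:10:00,Mozilla/5.0 (Linux; Android 10; Pixel 3)
dave,sent,2020-05-04T09:00:00,
dave,opened,2020-05-04T10:00:00,Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15)
erin,sent,2020-05-04T09:00:00,
erin,opened,2020-05-04T20:02:00,Mozilla/5.0 (Linux; Android 9; SM-G960F)
erin,clicked,2020-05-04T20:03:00,Mozilla/5.0 (Linux; Android 9; SM-G960F)
"""

def device_class(user_agent: str) -> str:
    return "mobile" if MOBILE_UA.search(user_agent) else "workstation"

def segment_results(csv_text: str) -> dict:
    """Per device class: users who opened, users who then clicked, click rate."""
    opened = {}      # user -> device class of the first open
    clicked = set()  # users who clicked the simulated link
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event"] == "opened" and row["user"] not in opened:
            opened[row["user"]] = device_class(row["user_agent"])
        elif row["event"] == "clicked":
            clicked.add(row["user"])
    stats = defaultdict(lambda: {"opened": 0, "clicked": 0})
    for user, dev in opened.items():
        stats[dev]["opened"] += 1
        if user in clicked:
            stats[dev]["clicked"] += 1
    for dev in stats:
        stats[dev]["click_rate"] = stats[dev]["clicked"] / stats[dev]["opened"]
    return dict(stats)

def mobile_coverage_ok(stats: dict, min_share: float = 0.3) -> bool:
    """True when enough opens came from mobile for the mobile click rate to mean anything."""
    total = sum(s["opened"] for s in stats.values())
    mobile = stats.get("mobile", {"opened": 0})["opened"]
    return total > 0 and mobile / total >= min_share
```

Tracking the click rate per device class over successive campaigns is what turns the mobile/workstation difference into a maturity metric rather than a single anecdote.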
Organizations without a dedicated information security team or one that needs more resources can work with a Trusted Advisor service to address issues of mobile devices, Social Engineering attacks, security maturity and other topics.
Cadre’s vCISO program has a series of Tiers starting at just $2,500/year that can significantly enhance your security posture.
Keep up to date with the latest in security trends and science by subscribing to Cadre's blogs.
- [2] Shiri Melumad, Robert Meyer. Full Disclosure: How Smartphones Enhance Consumer Self-Disclosure. Journal of Marketing, 2020; 84 (3): 28. DOI: 10.1177/0022242920912732
- [3] ScienceDaily. Retrieved May 4, 2020 from www.sciencedaily.com