ZDNet has a story today on Symantec’s annual Norton Report, an international study that examines consumers’ online habits, attitudes toward security and the costs of cybercrime. The study, which surveyed a little over 13,000 adults in 24 countries, cited numbers on par with other mobile user studies: 63% had a smartphone and nearly half (48%) didn’t take basic precautions like password protecting or backing up their mobile device. 49% said they were using their personal device for both home and work stuff.
The only figure I really took with a grain of salt was the claim that 38% of the people were victims of cybercrime. Were we to extrapolate that to just the US smartphone population, that would be something on the order of 87 million cybercrime victims each year — or 10 times the number of all crimes (physical or cyber) reported in the FBI’s national statistics. That’s not a crime wave, that’s a national epidemic. But maybe Norton respondents are more crime-prone than the general population.
Where I really ran into trouble with the Norton Report was with Symantec’s tips for maintaining online security in an always-connected mobile world; specifically its recommendation that people “think of mobile devices as mini-computers” and use passwords and security to “protect against theft, loss and cybercrime.”
That makes about as much sense as telling people to “think of mobile devices as great white sharks.” Circa-1990s PC security recommendations simply don’t and will never work in a post-PC mobile era.
First off, no password is going to protect a mobile against theft. Mobile devices aren’t 30-pound objects wired to your desk or big slabs of metal and plastic in a shoulder bag. Mobile devices are small and easy to conceal in a pocket. A password might keep a thief from browsing those “personal” photos you’ve got on your phone, but it’s not going to keep him from swiping it, doing a hard reset or pulling the SIM and selling it on Craigslist.
Second, and more importantly, a smartphone is not a “mini computer.” People don’t sleep with their computers, but as the Norton report reveals, people do sleep with their phones. People also don’t take their computer shopping or to the movies, they don’t take vacation pictures with them, they don’t text, navigate or play check-in games with them. A computer is a thing, a tool, like an oven or toaster. A mobile device is way more — it’s an integral part of a person’s digital lifestyle. And as such, trying to make people think of their mobile as something other than that is a non-starter.
Mobile Security in the Post-PC World
You can’t really fault Symantec for trying to apply the PC model to a mobile world. It’s been doing a fine job in PC and network security for the past two decades, so it’s only natural to want to keep doing it.
But it’s not going to work because people aren’t going to password protect their phone or be more security aware. Unlike business tools, with lifestyle objects, convenience trumps all other considerations. What we really need to do is stop thinking about securing the physical “device” and start thinking about securing the user and the user’s data. Here’s how:
1) Make security and safety a primary consideration in all mobile OSs and software.
Security is all too often an afterthought or a non-consideration with app developers and the result is invariably some hacker discovering the holes and exploiting them to steal people’s personal information — passwords, account information, whereabouts, contacts and so on. Everywhere else in the world security and safety are built-in components — automobiles, appliances, machinery, buildings, medicine bottles, toys, you name it. But for some reason security is an “add-on” in mobile. That’s just dumb.
2) Stop storing sensitive information on the device
A lot of apps like to pretend that a mobile device is like a fixed computer: locked safe and secure in our home or office and convenient to store stuff on. But, as we know, other than being convenient to store stuff on, it’s not true. We take mobiles all over, to places that are neither safe nor secure. But the beauty of having an always connected device is that it’s, well, always connected to somewhere else where it is safe to store information. It’s far smarter to temporarily hold data locally and then securely move it to a safely encrypted server in the cloud for storage when you’re done. Then even if your mobile is stolen or compromised, there’s nothing there to lose.
3) Quit being the homeless guy and get context aware
Why are we treating mobile devices like they’re a homeless guy’s shopping cart and carrying absolutely everything around with us whether we need it or not? Do you really need “Hotels Near Me” when you’re at home? How about PowerPoint when you’re in the movie theater? Instagram in the Conference Room? Waze when you’re on a plane? Think about it. You’ve probably got dozens of apps sitting on your device when you’re only going to use one or two at a particular place and time, so why even have them taking up space and leaving data all over your phone? Context and location-aware technologies have been able to deliver apps and information on demand for a couple of years now, but so far the main use seems to be to push coupons when you’re near a store. We should be adopting location-based technologies to deliver the stuff mobile users need, where and when they need it. No more digging through 300 icons on that 5th slider screen, no more trying to remember whether that file is on the phone or the SD card. No more deleting this app to make room for that one.
None of this stuff is far-fetched or impossible. Everything I mentioned is possible today. Mobile users could enjoy real mobile safety and data security without sacrificing convenience. What it’s going to take though is getting software developers and mobile services providers to abandon that 20th century “mini computer” model and start thinking of mobiles the way their owners do — a key piece of their connected life. Once security becomes integral to mobile apps and information, a whole new world of opportunity will open.