A Better User Experience Could Reduce Smartphone Security Issues

But people need to take responsibility, too

By Mayank Sharma
Published on March 22, 2022 11:27AM EDT
Fact checked by Jerri Ledford

Two recent reports highlight that attackers are increasingly going after the weakest link in the security chain: people. Experts believe the industry should introduce processes to make people adhere to security best practices. Proper training can turn device owners into the strongest defenders against attackers.

Many people fail to appreciate the extent of sensitive information in their smartphones and believe that these portable devices are inherently more secure than PCs, according to recent reports.

While listing the top issues plaguing smartphones, reports from Zimperium and Cyble both indicate that no amount of built-in security is enough to prevent attackers from compromising a device if the owner doesn’t take steps to secure it.

"The main challenge, I find, is that users fail to make a personal connection of these security best practices to their own personal lives," Avishai Avivi, CISO at SafeBreach, told Lifewire over email.
"Without understanding that they have a personal stake in making their devices secure, this will continue to be an issue."

Mobile Threats

Nasser Fattah, North America Steering Committee Chair at Shared Assessments, told Lifewire over email that attackers go after smartphones because they provide a very big attack surface and offer unique attack vectors, including SMS phishing, or smishing.

Furthermore, regular device owners are targeted because they are easy to manipulate. To compromise software, there needs to be an unidentified or unresolved flaw in code, but click-and-bait social engineering tactics are evergreen, Chris Goettl, VP of Product Management at Ivanti, told Lifewire via email.

The Zimperium report notes that less than half (42%) of the people applied high-priority fixes within two days of their release, 28% required up to a week, and 20% took as much as two weeks to patch their smartphones.

"End users, in general, do not like updates. They often disrupt their work (or play) activities, can change behavior on their device, and could even cause issues that can be a longer inconvenience," opined Goettl.

The Cyble report mentioned a new mobile trojan that steals two-factor authentication (2FA) codes and is spread through a fake McAfee app. The researchers believe the malicious app is distributed via sources other than the Google Play Store, which people should never use, and that it asks for too many permissions, which should never be granted.

Pete Chestna, CISO of North America at Checkmarx, believes that it’s us who will always be the weakest link in security. He believes that devices and apps need to protect and heal themselves or be otherwise resilient to harm since most people can't be bothered. In his experience, people are aware of the security best practices for things like passwords but choose to ignore them.
"Users don't buy based on security. They don't use [it] based on security. They certainly don't ever think about security until bad things have happened to them personally. Even after a negative event, their memories are short," observed Chestna.

Device Owners Can Be Allies

Atul Payapilly, Founder of Verifiably, looks at it from a different point of view. Reading the reports reminds him of the often reported AWS security incidents, he told Lifewire over email. In these instances, AWS was working as designed, and the breaches were actually the result of bad permissions set by the folks using the platform. Eventually, AWS changed the experience of the configuration to help people define the correct permissions.

This resonates with Rajiv Pimplaskar, CEO of Dispersive Networks. "Users are focused on choice, convenience, and productivity, and it is the cybersecurity industry's responsibility to educate, as well as create an environment of absolute security, without compromising user experience."

The industry should understand that most of us aren’t security people, and we can't be expected to understand the theoretical risks and implications of failing to install an update, believes Erez Yalon, VP of Security Research at Checkmarx.

"If users can submit a very simple password, they will do that. If software can be used although it was not updated, it will be used," Yalon shared with Lifewire over email.

Goettl builds on this and believes that an effective strategy could be to restrict access from non-compliant devices. For instance, a jailbroken device, or one that has a known bad application, or is running a version of the OS that is known to be exposed, can all be used as triggers to restrict access until the owner corrects the security faux pas.

Avivi believes that while device vendors and software developers can do a lot to help minimize what the user will ultimately be exposed to, there would never be a silver bullet or a technology that can truly replace wetware.

"The person that may click on the malicious link that made it past all the automated security controls is the same one that can report it and avoid getting impacted by a zero-day or a technology blind spot," said Avivi.