It's the same issue that Windows and Mac OS X environments face -- users that turn off their brains when confronted with access requests -- but worse, he notes, because when using mobile devices, users are even more willing to say yes than they are on their PCs, where users are already too often victims of being fooled by malware.
I've criticized security vendors for exaggerating security concerns on mobile devices to boost sales of their wares several times now. The fact is, mobile devices as a whole are safer than PCs. (Android and Nokia's fading Symbian OS are the exceptions, Villumsen notes.) And I'm skeptical about much of the client-side security software out there; the Windows experience should make it clear that such antimalware tools are always playing catchup and at best reduce the malware inflections on your systems; they don't keep you safe. Yet they are marketed as if they do, lulling people into a sense of false security.
BullGuard is working on a whitelist app that would use a green/yellow/alert system as a front end to the Android Market, similar to how modern browsers color-code sites' URLs based on the confidence they have in the sites' legitimacy. Villemsen says this technique does reduce downloads of dangerous apps and media files, but he acknowledges that mobile customers show little interest in buying such a service, at least today. Although Google really should take some measures to vet what is in the Android Market from a security perspective, the reality is that the problem lies with users -- and technology can only reduce the problem, not eliminate it (as Mac users have discovered recently).
Stop letting users act like helpless babies
I've also urged multiple times that IT start treating users as shared owners of at least end-user technology -- such as mobile devices, SaaS, and social networking -- rather than continue to treat users as babies who must have everything done for them. That infantilizing behavior also contributes to the "always click OK" mentality. IT and the industry at large has trained users to believe "IT will fix my computer and the bank will reverse the charges from my phished accounts."
That's the real problem. The premise of consumerized IT -- of "shadow IT" in the business units becoming an adjunct of formal IT -- is that with freedom comes responsibility. You can use an iPad or Droid at work if it complies with IT policies -- and if you use it responsibly. Research from Aberdeen Group, Forrester Research, and others show that this shared ownership coupled with shared responsibility is the safest and most cost-effective strategy in a consumerized IT world.