Dirk Sigurdson, director of engineering for Mobilisafe at Rapid7, said that doesn't mean they are safe. "Devices are typically required to be updated by employees, since patches can't be pushed by organizations. Because of this, a high percentage of devices are running out-of-date firmware with OS-level vulnerabilities," he said.
But Rogers said the major problem is that developers need to be better trained in how to develop secure software. "In most cases the tools and libraries they use are not designed to help them make the right security decisions, resulting in very basic flaws which have serious security consequences," he said.
The result is that users have a tougher time spotting classic mobile threats. The Blue Coat report notes that, on mobile devices, URLs are not fully displayed, that users are taught to expect mobile websites to look different than the desktop versions, and that mobile versions of websites are often developed and hosted by third parties. Given this, users are conditioned to visit strange URLs.
The report noted the problem is worse on Android devices because of "the unregulated apps market and diversity of Android-based devices."
Eric Maiwald, research vice president, security and risk management at Gartner, called it an "ecosystem problem," noting that Apple's iOS devices are deployed, "within an ecosystem that includes a single, central, app store."
The user is not always helpless, however. Part of the problem is that convenience trumps security. "If logging into a VPN is cumbersome or provides poor performance, a user will find another way to send out documents. That method won't always be secure or even compliant with regulations," the report said.
Changing that behavior is difficult to impossible, Maiwald said. "You can provide incentives and disincentives, but without some drastic actions, users can still behave in ways that circumvent security controls in many cases."
Rogers said some of the responsibility for that lies with developers, who he said "should not just consider the technical security of an application but make security as friendly and seamless as possible from the user's perspective."
Murthy said the key is to deploy security software that blocks threats at the source. She said mobile users should expect attacks to increase, particularly with the use of malnets.
"We're not seeing a lot of mobile exploit kits yet, but when they put them together, the infrastructure is in place," she said, adding that malnets can become active and then shut down to escape notice, "almost like sleeper cells."