The ESET survey shows that children today are becoming more technologically independent at a younger age. They tend to have a mobile phone and their own email account by the time they are ten years old – and will have opened a social networking account such as Facebook, Bebo or Twitter, by the time they are eleven years old. The problem is that parents are not keeping up with the issues. For example, 36% of parents don’t believe that mobile phones can be affected – or infected – by viruses; and a further 34% are unsure.
ESET senior research fellow David Harley believes it is symptomatic of a general unawareness of security at home – most home computers are delivered with anti-virus pre-installed. “It doesn't seem to me that adults are necessarily sufficiently aware of their own vulnerability in online contexts, so it's not surprising if they don't have sufficient understanding of the devices their children use and often own.”
The whole problem is exacerbated by today’s children often being more tech-savvy but less security-savvy than their parents. “Young people,” he explained to Infosecurity, “don’t have the life experiences – many of them bad – that tend to instill a certain amount of skepticism and resistance to social engineering in much older generations.” That resilience, he added, “is unfortunately, by no means universal. I've become all too aware in recent years that even the simple landline is a happy hunting ground for scammers who are delighted to make use of the naivete of the very young and, sometimes, the very mature.”
Harley also suspects that part of the problem is that current security thinking focuses more on adults “since they're the ones with the credit cards, or the access to workplace data of interest to criminals”; and not sufficiently on the attacks targeting youngsters – cyber-bullying, misuse of social media by pedophiles and others, scams based on stealing phone credit and so on.
However, Harley does not believe that the solution to the problem is in new legislation (whether primary such as the Cybersecurity Act and Communications Bill, or secondary via executive orders in the US or pressure on ISPs to impose parental controls in the UK). “In the end,” he said, “teaching young people online 'hygiene' is going to be at least as effective as trying to legislate bad actors out of existence by imposing impossible requirements on service providers.”
Nevertheless, lack of security on children’s phones and tablets can have security implications beyond the children themselves. “In many instances,” Harley told Infosecurity, “the corporate perimeter doesn't stop at the firewall, but extends right into the employee's home. Shared home devices and networks have a potential for theft and damage outside the home that I'm sure even corporate security administrators often don't think about.”