A third of organisations suffer data breaches due to mobile devices
New Verizon report shows a big gap between organisations' mobile security risk concerns and practices they implement
6 March 2019 | 0
The number of security incidents involving mobile devices has increased over the past year, but companies are not protecting their mobile assets as well as they do other systems. One in three organisations admitted to suffering a compromise due to a mobile device, according to a new study by Verizon that surveyed 671 professionals in charge of mobile device procurement and management in their organisations. This represents a 5% increase compared to the results of a similar survey last year.
“Mobile devices are prone to many of the same attacks as other devices,” Verizon said in its Mobile Security Index 2019 report. “Most phishing attacks and badly coded sites can affect them; mobile users might even be more vulnerable. And there are also mobile-specific exploits—like malicious apps and rogue wireless hotspots.”
Minimum mobile security standards
“And yet again this year, we found that many companies are failing to protect their mobile devices,” the company said. “And we’re not talking about some almost-impossible-to-achieve gold standard. We’re talking about companies failing to meet even a basic level of preparedness.”
This is not due to a lack of awareness, as over 80% of respondents said their companies were at risk from mobile threats and 69 said those risks have increased over the past year. At the same time over two-thirds of respondents said they are less confident in the security of their organisation’s mobile devices compared to other systems.
Almost half of respondents admitted that their organisations sacrificed mobile security to get the job done faster and nearly half of those that cut corners experienced a mobile-related security compromise. Meanwhile, less than 25% of those that didn’t sacrifice security for speed and profit had a mobile-related compromise.
Around 60% of incidents were described as major and 40% as major with lasting repercussions. Over half resulted in the loss of data and 58% also led to the compromise of other devices.
Perception doesn’t match reality
Verizon found that there is a perception gap because over 80% of organisations believe their precautions are either effective of very effective but less than 12% had actually implemented all four basic protections: encrypting data on public networks, changing default passwords, regularly testing security systems and restricting access to data on a “need to know” basis.
Eight in 10 companies were also confident that they would be able to spot a problem quickly, but the study revealed that in 63% of cases, compromises were reported by a third party such as a customer, partner or law enforcement. That’s not surprising giving that only two in three organisations had deployed at least one solution that would help with detection of security incidents: mobile endpoint security, data loss prevention or security information and event management (SIEM).
“Far more respondents said that they plan to implement each of the mobile security protections mentioned above in the next 12 months than had done so in the previous 12,” Verizon said. “We could interpret this as more companies having realised the need to improve their defences and starting to take action. But a comparison with last year’s stats suggests that this is more likely to be over confidence. While they may hope, and even plan, to introduce additional protections, many will fail to do so.”
Organisations were most concerned with mobile-related threats posed by current or former employees, followed by those posed by organised cybercriminal groups, hacktivists, state-sponsored actors and partners. However, Verizon found that less than a fifth of organisations had comprehensive acceptable use policies (AUPs) that covered mobile device use.
The Verizon report includes a table with recommendations for improving the security of mobile devices in the enterprise. It is broken down in types of actions like assessing, protecting, detecting and responding and the level of sophistication: baseline, better and best.
IDG News Service