One in three organizations suffered data breaches due to mobile devices

New Verizon report shows a big gap between organizations' mobile security risk concerns and mobile security best practices they implement.

mobile security / unlocked data connections
Thinkstock
Current Job Listings

The number of security incidents involving mobile devices has increased over the past year, but companies are not protecting their mobile assets as well as they do other systems. One in three organizations admitted to suffering a compromise due to a mobile device, according to a new study by Verizon that surveyed 671 professionals in charge of mobile device procurement and management in their organizations. This represents a 5 percent increase compared to the results of a similar survey last year.

"Mobile devices are prone to many of the same attacks as other devices," Verizon said in its Mobile Security Index 2019 report. "Most phishing attacks and badly coded sites can affect them; mobile users might even be more vulnerable. And there are also mobile-specific exploits—like malicious apps and rogue wireless hotspots."

Companies not meeting bare minimum mobile security standards

"And yet again this year, we found that many companies are failing to protect their mobile devices," the company said. "And we’re not talking about some almost-impossible-to-achieve gold standard. We're talking about companies failing to meet even a basic level of preparedness."

This is not due to a lack of awareness, as over 80 percent of respondents said their companies were at risk from mobile threats and 69 said those risks have increased over the past year. At the same time over two-thirds of respondents said they are less confident in the security of their organization's mobile devices compared to other systems.

Almost half of respondents admitted that their organizations sacrificed mobile security to get the job done faster and nearly half of those that cut corners experienced a mobile-related security compromise. Meanwhile, less than 25 percent of those that didn't sacrifice security for speed and profit had a mobile-related compromise.

Around 60 percent of incidents were described as major and 40 percent as major with lasting repercussions. Over half resulted in the loss of data and 58 percent also led to the compromise of other devices.

Mobile security perception doesn't match reality

Verizon found that there is a perception gap because over 80 percent of organizations believe their precautions are either effective of very effective but less than 12 percent had actually implemented all four basic protections: encrypting data on public networks, changing default passwords, regularly testing security systems and restricting access to data on a "need to know" basis.

Eight in ten companies were also confident that they would be able to spot a problem quickly, but the study revealed that in 63 percent of cases, compromises were reported by a third party such as a customer, partner or law enforcement. That's not surprising giving that only two in three organizations had deployed at least one solution that would help with detection of security incidents: mobile endpoint security, data loss prevention or security information and event management (SIEM).

"Far more respondents said that they plan to implement each of the mobile security protections mentioned above in the next 12 months than had done so in the previous 12," Verizon said. "We could interpret this as more companies having realized the need to improve their defenses and starting to take action. But a comparison with last year’s stats suggests that this is more likely to be over confidence. While they may hope, and even plan, to introduce additional protections, many will fail to do so."

Organizations were most concerned with mobile-related threats posed by current or former employees, followed by those posed by organized cybercriminal groups, hacktivists, state-sponsored actors and partners. However, Verizon found that less than a fifth of organizations had comprehensive acceptable use policies (AUPs) that covered mobile device use.

The Verizon report includes a table with recommendations for improving the security of mobile devices in the enterprise. It is broken down in types of actions like assessing, protecting, detecting and responding and the level of sophistication: baseline, better and best.

SUBSCRIBE! Get the best of CSO delivered to your email inbox.