New Verizon report shows a big gap between organizations' mobile security risk concerns and mobile security best practices they implement. Credit: Thinkstock The number of security incidents involving mobile devices has increased over the past year, but companies are not protecting their mobile assets as well as they do other systems. One in three organizations admitted to suffering a compromise due to a mobile device, according to a new study by Verizon that surveyed 671 professionals in charge of mobile device procurement and management in their organizations. This represents a 5 percent increase compared to the results of a similar survey last year.“Mobile devices are prone to many of the same attacks as other devices,” Verizon said in its Mobile Security Index 2019 report. “Most phishing attacks and badly coded sites can affect them; mobile users might even be more vulnerable. And there are also mobile-specific exploits—like malicious apps and rogue wireless hotspots.”Companies not meeting bare minimum mobile security standards“And yet again this year, we found that many companies are failing to protect their mobile devices,” the company said. “And we’re not talking about some almost-impossible-to-achieve gold standard. We’re talking about companies failing to meet even a basic level of preparedness.”This is not due to a lack of awareness, as over 80 percent of respondents said their companies were at risk from mobile threats and 69 said those risks have increased over the past year. At the same time over two-thirds of respondents said they are less confident in the security of their organization’s mobile devices compared to other systems. Almost half of respondents admitted that their organizations sacrificed mobile security to get the job done faster and nearly half of those that cut corners experienced a mobile-related security compromise. Meanwhile, less than 25 percent of those that didn’t sacrifice security for speed and profit had a mobile-related compromise.Around 60 percent of incidents were described as major and 40 percent as major with lasting repercussions. Over half resulted in the loss of data and 58 percent also led to the compromise of other devices. Mobile security perception doesn’t match realityVerizon found that there is a perception gap because over 80 percent of organizations believe their precautions are either effective of very effective but less than 12 percent had actually implemented all four basic protections: encrypting data on public networks, changing default passwords, regularly testing security systems and restricting access to data on a “need to know” basis.Eight in ten companies were also confident that they would be able to spot a problem quickly, but the study revealed that in 63 percent of cases, compromises were reported by a third party such as a customer, partner or law enforcement. That’s not surprising giving that only two in three organizations had deployed at least one solution that would help with detection of security incidents: mobile endpoint security, data loss prevention or security information and event management (SIEM).“Far more respondents said that they plan to implement each of the mobile security protections mentioned above in the next 12 months than had done so in the previous 12,” Verizon said. “We could interpret this as more companies having realized the need to improve their defenses and starting to take action. But a comparison with last year’s stats suggests that this is more likely to be over confidence. While they may hope, and even plan, to introduce additional protections, many will fail to do so.”Organizations were most concerned with mobile-related threats posed by current or former employees, followed by those posed by organized cybercriminal groups, hacktivists, state-sponsored actors and partners. However, Verizon found that less than a fifth of organizations had comprehensive acceptable use policies (AUPs) that covered mobile device use.The Verizon report includes a table with recommendations for improving the security of mobile devices in the enterprise. It is broken down in types of actions like assessing, protecting, detecting and responding and the level of sophistication: baseline, better and best. Related content feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Mergers and Acquisitions Mergers and Acquisitions brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe