Businesses are leaving holes in their cybersecurity thanks to mobile devices, and experts say it’s time to take the risk seriously.
According to the latest research from Verizon, while companies increasingly lean on smartphones and tablets, many haven’t taken even the most basic mobile cybersecurity precautions to protect their data and core systems.
What’s more, the Mobile Security Index 2018 found almost a third of businesses knowingly sacrifice mobile security to improve speed to market and business performance, leaving themselves and their customers vulnerable to attacks.
It’s partly a problem of perspective, according to Terry Bradley, chief technology officer at PLEX Solutions in Colorado Springs.
“People are still not aware that they have a computer in their pocket — they’re still thinking of it as a phone,” he said. “No one’s surprised when their laptop or their desktop picks up a virus, but people are still not thinking about that mobile device having all the computing power their computer had just a very short time ago.”
Another issue is the haphazard way mobile device usage has exploded in many businesses.
“It’s a big blind spot … because a lot of organizations have adopted ‘bring-your-own-device’ policies, which saves them from having to pay for mobile devices for all their employees — but by the same token they lose some control by allowing employees to access the corporate network with their personally owned devices,” Bradley said.
Matt Montgomery, director at Verizon Wireless, said implementing better mobile security can be challenging “but companies are knowingly putting speed and profits before mobile security and that is a large part of the problem.
“Insufficient mobile security absolutely puts client data at risk along with company data,” he added in an email. “With personal device use and working remotely as the new normal, any data a company uses or has access to is potentially attainable to a hacker.
“The risk level that executives are taking by insufficiently securing mobile devices is quite high, especially for companies that work with personal or medical data who could run into compliance issues given regulatory requirements such as HIPAA,” Montgomery said.
Bradley said bringing mobile devices under the control of IT and security teams is “a tricky organizational problem” because the smartphones and tablets are usually owned by employees.
“The best practice for security is to put some sort of mobile device management — MDM software — on the smartphone,” he said. “But users are reluctant to have corporate IT controlling their device. There’s a fear that they may be spied upon, and there’s a fear because a lot of these MDM products will allow you to remotely wipe the device.”
Weighing the costs of mobile cybersecurity against risks and benefits becomes “a complicated equation” too, Bradley said. For a system administrator or an executive with vast access to corporate information, there’s a compelling case for giving them locked-down corporate devices.
But for lower-level staff members, “the numbers just don’t seem to be in favor of spending money on security,” he said.
That’s where the “detection” part of the “prevention, detection and response” cybersecurity equation comes into play, Bradley said.
For many smaller businesses, full prevention is too expensive, but “if you have mobile devices on your network, do network security monitoring,” Bradley said. “Watch the traffic in and out of your network. Most of these cybercrime websites or domains — or even entire countries — are pretty well known and you can get network security monitoring that will watch for connections going out to suspicious locations around the world.”
For the report, Verizon commissioned an independent research company to survey more than 600 professionals involved in managing mobile devices for their organizations, which covered multiple industries and ranged from as few as 250 employees to more than 10,000.
Other key findings:
• Most businesses say the risks are serious and growing, but the “overwhelming majority” could not say their mobile device security measures are very effective.
• Companies that had sacrificed security were 2.4 times as likely to have suffered data loss or downtime as a result of a mobile-related security incident.
• Only 33 percent of organizations use mobile endpoint security and fewer than half (47 percent) use device encryption.
• Fundamental cybersecurity practices are being ignored, and 62 percent of respondents said a lack of understanding of threats and solutions is a barrier to mobile security.