At least once a week – usually after pounding on my iPhone to access a business document, texting a family member, and calling a colleague on another continent, all in a matter of minutes – I’m reminded how complete the shift to mobile computing has been. It’s hard imagining what it was like working without our trusted smartphones and tablets.
Mobile devices are indeed critical to getting work done in 2017. They are also treasure troves of personal and business data. And there are threat actors out there who want to get their hands on that data. We learned long ago to secure our PCs from cyberattacks, but it’s puzzling why most businesses still fail to secure employees’ mobile devices. So we set out to explore how businesses view mobile security risks, what solutions they currently deploy to protect against mobile cyberattacks, and their plans to improve their organizations’ mobile threat defense systems.
We learned that security professionals are generally unprepared and not confident that their organizations can prevent a breach to employees’ mobile devices, according to a recently published research report sponsored by Check Point. In addition, those polled indicated that they expect the frequency and sophistication of mobile cyberattacks to grow.
The startling news comes from a study conducted by Dimensional Research, entitled “The Growing Threat of Mobile Device Security Breaches,” which maintains that businesses fail to allocate appropriate resources to protect against mobile attacks, despite believing that the risk of data loss is equal to or greater than PCs, and potentially just as costly.
“The research consistently revealed that the overall focus and preparedness of security for mobile devices is severely lacking,” said David Gehringer, principal of Dimensional Research. “Security professionals identified the risk of mobile devices, but focus and resources assignment seem to be waiting for actual catastrophes to validate the need to properly prepare their defenses. It’s unfortunate that so many companies have not learned from the past and are doomed to repeat wasted costs and the customer outrage of being breached.”
A total of 410 participants with security leadership or frontline responsibilities took part in the global survey. Participants represented the full spectrum of job responsibilities and company sizes. Key takeaways from the survey include:
- Nearly two-thirds (64%) of enterprise security professionals doubt their organizations can prevent a breach to employees’ mobile devices
- 20% of businesses experienced a mobile breach, while 24% don’t know, or can’t tell, whether they’ve had one
- More than half (51%) believe the risk of mobile data loss is equal to or greater than PCs
- 94% expect the frequency of mobile attacks to increase
- 79% say the difficulty of securing mobile devices will grow
- Over 1/3 of companies fail to adequately secure mobile devices, with only 38% employing a dedicated mobile security solution, other than standard enterprise mobile management (EMM) platforms
Visibility: The key to mobile security
According to Dimensional’s survey, 56% of companies have not (yet) experienced a security breach through a mobile device. Meanwhile 20% of all companies had a mobile breach, and 24% of the survey’s respondents didn’t know.
It’s virtually impossible for companies to tell whether their mobile deployment is secure without visibility into the devices’ operating systems, apps, and network connections. Only an advanced mobile security solution provides that essential visibility. Yet only 38% of the survey’s respondents said they have deployed such a solution in their environment. Time and again threats are identified when Check Point performs mobile security check-ups at customer sites. For example, when a check-up was performed at Samsung Research America, it was learned that 5% of 1,200 devices inspected were infected with credential stealers, keyloggers, unauthorized rootkits, or mobile remote access Trojans, providing unlimited access to infected smartphones and tablets.
In light of these findings, it is still surprising to learn that 24% of respondents were unaware whether their organization’s mobile devices had been compromised. As the Dimensional report underscores, we must “keep in mind that many of the recent and most highly-publicized security breaches revealed that the hacked businesses were oblivious to the breach for quite some time.”
No confidence in preventing attacks to mobile
Perhaps the most worrisome news of the Dimensional research is that 64% of security professionals are not confident that their organizations can prevent a mobile cyberattack. Respondents indicated a wide range of successful attacks against their organizations, including mobile malware, SMS phishing, network attacks, intercepted calls and text messages, and credential theft.
With attackers constantly evolving their tactics, sharing best practices with other criminals, and staging attacks at alarming frequencies, it’s no wonder that security professionals say they’re challenged securing mobile devices in their businesses.
Mobile data loss greater than PCs
More than half (51%) of the survey’s respondents believe the risk of mobile data loss is equal to or greater than PCs.
The reasons for this stem from the perception that mobile devices are more easily lost or stolen, according to the survey’s respondents. Moreover, with news during the last 18 months of mobile malware campaigns such as XcodeGhost, HummingBad, Gooligan, as well as the revelation in March of the CIA’s Vault 7 hack in WikiLeaks, it is clear that mobile devices are the weakest link in the enterprise IT infrastructure.
As frequency of attacks grows, security is more difficult
With 94% of the survey’s participants expecting the frequency of mobile attacks to increase and 79% stating that securing mobile devices will grow more difficult as a result, it is surprising that only 62% of companies will dedicate more resources to mobile cybersecurity. Only 58% of the respondents indicated that their company will allocate more resources to mitigating mobile threats.
Given the lack of confidence today and the growing threats in the future, it appears that mobile device security will become an increasingly vulnerable spot in most companies’ cybersecurity arsenal. More than one-third of companies fail to adequately secure mobile devices and only 38% of the companies have deployed a mobile threat defense solution. It’s alarming that more than half the organizations surveyed only use enterprise mobile management platforms to protect devices against advanced cyberattacks.
While some of the survey data indicates that a mobile breach may cost less than other kinds of cyberattacks, the difference is not that dramatic, with more than 20% of the participants saying a mobile breach could cost a company more than $500,000. It’s clear that the survey’s respondents consider the data lost from a potential mobile cyberattack highly valuable. That perceived value of enterprise data from a mobile attack is obviously shared by hackers, who have clearly increased their focus of attacks on mobile devices.
To learn more about these findings, download a copy of “The Growing Threat of Mobile Device Security Breaches” by Dimensional Research.