Although nearly seven out of 10 companies that experienced a mobile compromise called the impact «major,» nearly half still sacrificed security, according to a Verizon study.
Despite the increase in the number of companies affected by mobile attacks that have led to compromises, four out of 10 companies have sacrificed security to meet their profit targets or to avoid «cumbersome» security processes, according to Verizon's third annual Mobile Security Index 2020.
It showed that 43% of organizations sacrificed security. The reasons usually assumed to put companies at risk, such as lack of budget and IT expertise, lagged behind reasons such as expediency (62%), convenience (52%) and profitability targets (46%). Lack of budget and lack of IT expertise were cited by only 27% and 26% of respondents, respectively.
«In fact, the study found that 39% of respondents said they had a commitment to mobile security. Sixty-six percent of organizations that experienced a compromise called the impact «greater,» and 55 percent said the compromise they experienced had lasting repercussions,» Verizon said.
Verizon Mobile Security
The findings are based on a survey of more than 850 IT professionals responsible for purchasing, managing and protecting mobile and IoT devices. In addition to information from Verizon analysts, the report includes real-world data from security and management companies, including Asavie, IBM, Lookout, MobileIron, NetMotion, Netskope, Symantec, VMware and Wandera.
This year, Verizon added questions to find out why companies knowingly expose themselves to risk. The need to meet targets was the most common reason, whether of time (62%) or money (46%).
Despite the increase in the number of companies affected by mobile attacks that resulted in breaches, Verizon data shows a decline in the proportion saying that they knowingly sacrificed security (from 48% in fiscal year 2019 to 43% in fiscal year 2020).
«It seems that many companies still see mobile security as an impediment to their business goals, rather than a business imperative in itself,» Verizon said. «But attitudes are changing. 87% of respondents expressed concern that a breach of mobile device security could have a lasting impact on customer loyalty, and 81% said that registering a company’s data confidentiality will be a key differentiator of the brand in the future.»
Dionisio Zumerle, senior research director at Gartner, said today’s businesses have a number of security challenges; for many, it is simply not possible to address everything at once.
«For a variety of reasons, today’s mobile devices are less of a problem than many others,» Zumerle said in an email. «Among other factors, the operating system is stronger and mobile devices have less access to critical business data and infrastructure.»
The Verizon report found that 39% of organizations acknowledged having suffered a security compromise involving a mobile device, compared to 33% in the 2019 report and 27% in 2018. Of those who were compromised, 66% said that the impact was major and 36% said it had lasting repercussions.
Twenty percent of organizations that experienced a mobile compromise said an insecure Wi-Fi hotspot was involved.
«Although the risks of public Wi-Fi are becoming more widely known, convenience is beyond policy, even common sense, for many users. Some organizations are trying to avoid this by implementing specific Wi-Fi policies, but inevitably the rules will be violated,» Verizon said.
According to MobileIron, 7% of protected devices detected a man-in-the-middle (MitM) attack in the last year.
According to Wandera, employees connect to an average of 24 Wi-Fi hotspots per week. The company also found that 7% of devices encounter an access point that has a low- to medium-severity risk, and 2% encounter one classified as high risk, meaning one that is known to be affected by a MitM or a protocol attack like SSL Strip.
Generally, the average mobile device connects to two or three unsecured Wi-Fi hotspots per day. The most common environments are shopping centers, hotels and transport, including airports.
Despite the risks, less than half (42%) of organizations say they prohibit employees from using public Wi-Fi to perform work-related tasks.
«Open Wi-Fi networks are convenient, but they are as open to users as they are to attackers,» Zumerle said. «There are several ways to do this, but in essence an attacker can perform a MitM attack, where he can see everything a user sends over the network. This includes account credentials and confidential information, among other data.»
«There are several ways to respond,» Zumerle continued, «such as using appropriate transport security (for example, a certificate-set VPN) or a BAT solution … that can identify MitM attacks.»
All vertical industries were included in the survey results, including production (where 41% experienced a mobile compromise) and the public sector (39%). And companies of all sizes were affected, from small and medium-sized companies (28%) to those with more than 500 employees (44%).
At the same time, 80% of organizations said that mobile devices will be their main means of accessing cloud services within five years.
Mobile end users were the main vector of the attacks, Verizon found. In fact, even among companies with defenses in place, including mobile device management (MDM) systems and at least some form of email filtering, many users continue to receive and click on phishing links.
The main problem is that mobile device management and mobile application management tools are just that: mainly management tools and not detection and remediation tools, according to Phil Hochmuth, IDC’s vice president of research for enterprise mobility.
«This is where the Mobile Threat Management / Mobile Threat Defense (MTM / MTD) tools come in,» he said in an e-mail. «Sometimes they are called (wrongly) ‘iOS / Android antimalware.’ [They] search for more than malicious applications and software on your device. These tools also look for harmful Wi-Fi activities as well as application-level threats.»
Of the users who fell for a phishing attack, most were repeat victims. The data show that more than half (53%) of users who clicked on a phishing link clicked on more than one.
Hochmuth agreed that the biggest threat at the mobile app level is phishing, «or using the communication channel in any app — not just email or SMS apps — to cheat and deceive users.»
«Almost all apps have some kind of built-in messaging feature, and attackers use all of that to reach their targets – social apps and websites, etc.,» Hochmuth said. «Although the industry has not seen the extremely costly effects of malware and attacks on PC operating systems against mobile devices, smartphones are now the main access device for most internet users and are ubiquitous in companies.»
While mobile operating systems are generally more difficult to compromise, they are a «major» and «growing» attack vector, Hochmuth said.
If companies do not become more proactive in addressing mobile threats, governments and industry bodies could force their hands, according to the Verizon report.
In the United States, several states, from Hawaii to Rhode Island, have initiated these types of measures. Four other states, including Texas and Louisiana, have set up working groups to investigate the issue, Verizon said.
While only 33% of companies say regulatory sanctions are a worrying consequence, it could be because governments have given them enough time to prepare. Sixty-seven percent said more regulations led them to spend more on security in general.
Zumerle, from Gartner, said IT security leaders who want to deal with mobile threats should start with security hygiene: device vulnerability management (removing vulnerable devices that cannot be fixed) and application vetting (not allowing malicious applications).
«In the long run, we see mobile security solutions like BAT converging and becoming part of a unified endpoint security solution,» Zumerle said.
In fact, over the past year and a half, suppliers have promoted a marriage between Unified Endpoint Management (UEM) and security tools, providing a more comprehensive strategy to protect all of the company’s endpoints, according to Nick McQuire, vice president. Perspectives.
Artificial intelligence and machine learning tools are at the heart of some of the latest «zero trust» frameworks that providers implement, which are more about detecting threats even when an employee is already connected to a corporate system via a mobile device.
«A lot [of threat detection] has to do with knowing the device, who the user is …, the status of the device and making sure that the user is linked to their credentials and that credentials are related to the device,» said Bill Harrod, CTO of MobileIron Federal. the possibility of assessing the risk in all those places. «