Mobile devices proved vulnerable during pandemic lockdowns
According to Verizon, nearly half of businesses sacrificed mobile device security best practices to “get the job done.”
According to the Verizon Business Mobile Security Index 2021, the massive shift to remote work caused by the COVID-19 pandemic left many businesses knowingly vulnerable to attacks from employees’ mobile devices. Of the more than 850 businesses surveyed for the report, 40% said mobile devices are their company’s biggest IT security threat, yet 45% still sacrificed the security of mobile devices to enhance usability, meet business needs, or meet project deadlines or productivity targets.
Nearly one-in-four (24%) said mobile device security was sacrificed in response to restrictions put in place by the pandemic. And most IT departments (75%) succumbed to pressure from the business to lower the bar on device security.
“While businesses focused their efforts elsewhere, cybercriminals saw a wealth of new opportunities to strike,” Sampath Sowmyanarayan, chief revenue officer, Verizon Business, said in a statement. “With the rise of the remote workforce and the spike in mobile device usage, the threat landscape changed, which for organizations, means there is a greater need to hone in on mobile security to protect themselves and those they serve.”
Fewer companies reported mobile compromise
Even with lax security overall, however, fewer companies reported a mobile-device-related compromise in 2020 compared to 2019, the report said.
“This is the fourth year that Verizon has published this report,” the report said. “And this time the percentage of companies that admitted to having suffered a mobile-related security compromise is the lowest we’ve seen—just 23%. But hold the Champagne. Nearly one-in-four companies suffering a mobile device attack is not cause for celebration.”
Companies may not yet know they were compromised, and hackers, constantly upping their game by improving tactics, methods and tools, may just be one step ahead of corporate security teams, the report said.
Mobile devices are more at risk today for a number of reasons:
- They are used more often and for more business activities
- They can be stolen or lost
- They are subject to electronic and physical eavesdropping
Mobile devices are more important than ever
On a 10-point scale of importance to their businesses, most respondents ranked mobile devices an eight or higher.
“Many employees now have access to much of the same valuable corporate data … via their mobile devices as commuters who sit in the office,” the report said. “This means that the compromise of a mobile device can now pose just as great a risk to your customer data, intellectual property and core systems.”
It wasn’t just enterprise companies that were impacted. Well over half of respondents (59%) said small and medium-sized businesses (SMBs) had forgone mobile device security. As a result, almost a quarter (22%) of SMBs experienced a mobile compromise. Of those, over half said the impact was “major.” Going forward, 78% said they “should take mobile-device security more seriously.”
Most respondents (72%) said they are worried about device abuse or misuse going forward because they do not have effective acceptable use policies in place, while 57% said they didn’t have one at all. Half of respondents said that risks from mobile devices are growing faster than other areas and technologies. And most respondents (54%) said they had experienced a compromise due to user behavior.
Continuation of remote work driving security concerns
With most respondents stating that almost half (49%) of their workforce will remain remote going forward, mobile device security issues will likely remain a concern for some time.
It also doesn’t help that the vast majority of companies (91%) do not practice the four most basic security best practices:
- Changing default or vendor-supplied passwords
- Encrypting sensitive data in transit
- Restricting access to data on a “need-to-know” basis
- Regularly testing security systems and processes
“Despite the risks and numerous indications throughout our survey that companies have insufficient defenses in place … companies were confident that they would spot compromises and misuse quickly,” the report said. “This isn’t new; we’ve seen similar confidence in our previous surveys. Nor is the fact that despite this, companies realize that they have more to do. In our latest survey, 81% of respondents agreed that organizations need to take the security of mobile devices more seriously.”
About the index
The Verizon Mobile Security Index 2021 findings are based on an independent survey of 856 businesses across Australia, the U.S. and the U.K. Surveyed professionals are responsible for the buying, managing and security of mobile and Internet of Things devices for their companies.