Employees are expected — if not encouraged — to work as flexibly as possible, which is why laptops are increasingly being given to staff instead of desktop computers. Working from home or on the road, either with company-owned devices — including smart phones and tablets — or personal devices is the norm.
But a study released this month by Verizon Communications suggests many companies haven’t taken even the most basic precautions to protect their data and core systems. In a survey of 600 mobile professionals involved in procuring and managing mobile devices for their organizations, almost a third (32 per cent) admitted to having sacrificed mobile security to improve expediency and/or business performance. Over a quarter (27 per cent) said that during the past year their company had experienced a security incident resulting in data loss or system downtime where mobile devices played a key role.
Asked if they had experienced a security incident that was directly attributable to a mobile device, over a quarter (27 per cent) admitted to having experienced an incident that resulted in data loss or system downtime during the past year. And 40 per cent of those (or 11 per cent of the total) said that the incident—or the most serious one if they had experienced multiple—had been major with lasting repercussions.
Verizon blames much of the problem on a failure to follow basic cyber security protocols. The company argues there are four basic security policies all organizations should follow for any device that connects to a corporate network: changing all default passwords, encrypting data sent over public networks, restricting access on a need-to-know basis and regularly testing security systems. Doing all of them is best. By that yardstick there are a lot of failing companies: Only 14 per cent of respondents said their organization does all four. Twenty-nine per cent said their organization does three, 55 per cent said theirs does four and 89 per cent said their organization only does one of the four.
“It’s alarming that nearly two fifths (39 per cent) of organizations are still failing to change all default passwords—one of the most basic security best practices,” says the report. It notes Verizon’s 2017 Data Breach Incident Report found that credentials management was a factor in 81 per cent of all hacking-related breaches.
In addition, over half (51 per cent) said their organization doesn’t have a policy regarding public Wi-Fi (it was neither officially sanctioned nor prohibited). Over half (55 per cent) of those that don’t have a policy on the use of public Wi-Fi said they don’t always encrypt sensitive data when it’s transmitted across open, public networks.
In addition, 41 per cent said employees in their company use unscreened apps downloaded from the Internet.
The vast majority of respondents (86 per cent) said their organization trains employees on mobile device security. Yet 59 per cent of those (half of all companies) only provide that training when the employee joins the company or is issued a new device.
Still, respondents had a relatively high estimation of how prepared their mobile users are for an attack. Two-thirds of them described their current readiness as “quite effective,” with another 14 per cent saying their current degree of protection is “very effective.”
Of those who admitted that their organization had suffered a major incident, 24 per cent described their defenses as “very effective”—13 percentage points higher than the rest. “Presumably,” says the report, “this means that they have improved their defenses in light of the incident. This is supported by the fact that 71 per cent experiencing an incident said that their mobile security budget had increased in the past year—and 25 per cent said that the increase was significant.”
When asked about barriers to mobile security, respondents didn’t single out any one over the others. Lack of C-level support, user awareness, threat level perceived as low, lack of budget and lack of skills/resources all scored between 14 and 23 per cent.
As for what CISOs should be doing about all this, the report has a chart with Baseline, Better and Best recommendations for devices, applications, people and networks (including a separate section for IoT devices).