The use of mobile devices by companies jumped sharply in 2020 as many employees were told to work from home. But a recent Verizon survey suggests companies are still failing to follow what it says are four basic mobile security protections.
Only nine per cent of respondents said their firm followed all four suggested security measures. By comparison, on average 12 per cent of firms said they followed what Verizon calls basic security in the previous three years.
“Despite not even having some of the most basic precautions in place, most respondents thought that any security or misuse issues would be spotted quickly,” the authors of the report added.
The numbers are in the fourth annual Verizon Mobile Security Index report*, released this week. This year the communications provider surveyed 876 people in the U.S., Australia and the U.K. Respondents were responsible for buying, managing and securing mobile devices like smartphones and laptops and even smart building systems. [Registration required]
The four basic mobile security policies chosen by Verizon are:
- Always change default/vendor-supplied passwords.
- Always encrypt sensitive data when sent across open, public networks.
- Access to corporate data is restricted on a “need to know” basis.
- Security systems and processes are regularly tested.
Other interesting figures from the report include:
- 43 per cent said in the past year they’d sacrificed the security of mobile devices to “get the job done.” That was roughly in line with the previous two years. Almost half said the reason was dealing with the pandemic.
- 23 per cent of respondents said their firm had experienced a security compromise involving mobile/IoT devices. That was the lowest in four years. But, the report said, that high a number “is not cause for celebration.”
- Of those that had experienced a mobile-related compromise 49 per cent said that user behaviour was a contributing factor. This included falling for phishing attacks, installing
unsanctioned apps or making unintentional errors. - 50 per cent of respondents thought mobile device risks were growing faster than others.
- 49 per cent said that changes during pandemic lockdown conditions affected mobile security for the worse.
- 33 per cent of respondents said that it wasn’t possible to enable all the employees to work from home that they wanted to due to security or compliance issues.
- 40 per cent of respondents thought mobile devices are their organization’s biggest IT security threat.
“The pandemic caused a global shift in the way organizations operate, many of which ramped up their digital transformation agendas and working models to meet the fast-changing needs of both employees and customers,” Sampath Sowmyanarayan, chief revenue officer at Verizon Business, said in a statement with the release of the report.
“While businesses focused their efforts elsewhere, cybercriminals saw a wealth of new opportunities to strike. With the rise of the remote workforce and the spike in mobile device usage, the threat landscape changed, which for organizations, means there is a greater need to hone in on mobile security to protect themselves and those they serve.”
Of the 134 respondents whose firms suffered a mobile-related security compromise, 23 per cent said they directly lost business as a result of the incident. Half suffered downtime or lost productivity, roughly 35 per cent suffered damage to the firm’s reputation and roughly 30 per cent had to pay a regulatory fine.
The report includes advice from the U.S. National Institute of Standards and Technology for securing mobile devices.
Verizon recommends CISOs consider adopting a “zero-trust network access” (ZTNA) security framework. Resources are hidden and only accessible through a trust broker (such as multifactor authentication and endpoint device management). Even when a user has obtained access to one resource, they can’t even “see” other resources.
It also recommends the adoption of a secure access service edge (SASE) a decentralized architecture that integrates network and security services into a single, distributed,
cloud-centric solution that protects all traffic, applications and users. It encompasses ZTNA, cloud access security brokers and data loss prevention.