Verizon: Companies will sacrifice mobile security for profitability, convenience
Credit to Author: Lucas Mearian| Date: Tue, 03 Mar 2020 03:00:00 -0800
Despite an increase in the number of companies hit by mobile attacks that led to compromises, four in 10 businesses sacrificed security to meet profit goals or avoid “cumbersome” security processes, according to Verizon’s third annual Mobile Security Index 2020.
It showed that 43% of organizations sacrificed security. More typical reasons for companies exposing themselves to risk, such as lack of budget and IT expertise, trailed “way behind” things such as expediency (62%), convenience (52%) and profitability targets (46%). Lack of budget and IT expertise were only cited by 27% and 26% of respondents, respectively.
“In fact, the study found that 39% of respondents reported having a mobile-security-related compromise. Sixty-six percent of organizations that suffered a compromise called the impact ‘major,’ and 55% said the compromise they experienced had lasting repercussions,” Verizon stated.
The findings are based on a survey of more than 850 IT professionals responsible for buying, managing and securing mobile and IoT devices. In addition to insights from Verizon’s analysts, the report includes real-world data from security and management companies, including Asavie, IBM, Lookout, MobileIron, NetMotion, Netskope, Symantec, VMware and Wandera.
This year, Verizon added questions to find out why companies are knowingly exposing themselves to risks. The need to meet targets was the most commonly stated reason, whether it was time (62%) or money related (46%).
Despite an increase in the number of companies hit by mobile attacks that caused breaches, Verizon’s data does show a reduction in the proportion saying that they had knowingly compromised security (down from 48% in FY2019 to 43% in FY2020).
“It seems that many companies still see mobile security as an impediment to their business objectives rather than a business imperative in itself,” Verizon said. “But attitudes are changing. Eighty-seven percent of respondents said they were concerned that a mobile security breach could have a lasting impact on customer loyalty, and 81% said that a company’s data privacy record will be a key brand differentiator in the future.”
Dionisio Zumerle, a senior director of research at Gartner, said enterprises today have a plethora of security challenges; for many, it is simply not possible to tackle everything at once.
“For a number of reasons, mobile today is a smaller issue than many others,” Zumerle said via email. “Among other factors, the operating system is more hardened, and mobile devices have less access to critical enterprise infrastructure and data.”
The Verizon report found that 39% of organizations admitted to suffering a security compromise involving a mobile device — up from 33% in the 2019 report and 27% in 2018. Of those that suffered a compromise, 66% said the impact was major and 36% said it had lasting repercussions.
Twenty-percent of organizations that suffered a mobile compromise said a rogue or insecure Wi-Fi hotspot was involved.
“Although the risks of public Wi-Fi are becoming well known, convenience trumps policy – even common sense — for many users. Some organizations are trying to prevent this by implementing Wi-Fi-specific policies, but inevitably, rules will be broken,” Verizon said.
According to MobileIron, 7% of protected devices detected a man-in-the-middle (MitM) attack in the past year.
According to Wandera, employees connect to an average of 24 Wi-Fi hotspots per week. The company also found that 7% of devices encounter a hotspot that presents a low-to-medium severity risk, and 2% encounter one rated as a high risk—one known to be affected by MitM, or a protocol attack like SSL Strip.
Overall, the average mobile device connects to two to three insecure Wi-Fi hotspots per day. The most common settings are retail, hospitality and transportation hubs, including airports.
Despite the risks, less than half (42%) of organizations said that they prohibit employees from using public Wi-Fi to perform work-related tasks.
“Open Wi-Fi networks are convenient, but they are as open to users as they are to attackers,” Zermerle said. “There are a number of ways to achieve this, but essentially an attacker can conduct a MitM attack where he can see everything that a user sends over the network. This includes account credentials and confidential information among other data.
“There are a number of ways to respond,” Zermerle continued, “such as using adequate transport security (e.g. a VPN with certificate pinning), or an MTD solution … that can identify MitM attacks.”
All vertical industries were included in the survey results, including manufacturing (where 41% suffered a mobile-related compromise) and the public sector (39%). And companies of all sizes were hit — from small and medium-sized businesses (28%) to those with more than 500 employees (44%).
At the same time, 80% of organizations said mobile will be their primary means of accessing cloud services within five years.
Mobile end users were the primary vector for attacks, Verizon found. In fact, even among companies with defenses in place, including mobile device management (MDM) systems and at least one form of email filtering, many users still received – and clicked on – phishing links.
The main issue is that mobile management and mobile application management tools are just that – primarily management tools and not detection and remediation tools, according to Phil Hochmuth, IDC’s vice president of research for enterprise mobility
“That’s where mobile threat management/mobile threat defense (MTM/MTD) tools come in,” he said via email. “These are sometimes called (mistakenly) ‘iOS/Android antimalware.’ [They] look for more than malicious apps and on-device software. These tools also look for malicious Wi-Fi activity, as well as app-level threats.”
Of the users who fell for a phishing attack, most were repeat victims. More than half (53%) of users that clicked on a phishing link clicked on more than one, the data showed.
Hochmuth agreed the biggest mobile app-level threat is phishing, “or, using the communication channel in any app … not just e-mail or SMS apps … to trick and phish users.
“Almost every app has some form of built-in messaging feature and attackers are using all of these to get at targets – social media apps and websites, etc,” Hochmuth said. “While the industry has not seen the extremely costly effects of malware and targeted attacks on PC operating systems vs. mobile, smartphones are now the primary access device for most Internet users, and are ubiquitous in enterprises.”
While it’s generally harder to compromise mobile OSes, they do represent a “huge attack” and “growing” attack vector, Hochmuth said.
If companies don’t become more proactive in addressing mobile threats, governments and industry bodies may well force their hands, Verizon’s report said.
Following the passage of the EU’s General Data Protection Regulation (GDPR) in 2016 and California’s Consumer Privacy Act in 2018 (they went into effect in May 2018 and January 2020, respectively), there has been increased momentum behind comprehensive privacy legislation.
In the U.S., several states, from Hawaii to Rhode Island, have initiated such measures. Four other states, including Texas and Louisiana, have set up task forces to look into the issue, Verizon noted.
While only 33% of companies said regulatory penalties are a consequence they are worried about, that could be because governments have given them adequate time to prepare. Sixty-seven percent said that increased regulation had driven them to spend more on security as a whole.
Gartner’s Zumerle said IT security leaders who want to address mobile threats should start from a security hygiene standpoint: device vulnerability management (removing vulnerable, unpatchable devices) and application vetting (disallowing leaky and malicious apps).
“In the long term, we see mobile security solutions such as MTD converging and being part of a unified endpoint security solution,” Zumerle said.
Indeed, over the past year and a half, vendors have touted a marriage between unified endpoint management (UEM) and security tools, offering a more comprehensive strategy for securing all enterprise endpoints, according to Nick McQuire, a senior vice president of research at CCS Insights.
Artificial intelligence and machine learning tools are at the core of some of the latest “zero-trust” frameworks being deployed by vendors, which is more about threat detection even while an employee is already logged into a corporate system via a mobile device.
“A lot of [threat detection] has to do with knowing what the device is, who the user is…, the health of the device and making sure the user is tied to their credential and that credential is tied to the device,” said Bill Harrod, federal CTO at MobileIron. “Then it’s about being able to evaluate the risk in all those places.”