{"id":17872,"date":"2020-03-03T04:30:21","date_gmt":"2020-03-03T12:30:21","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/03\/03\/news-11605\/"},"modified":"2020-03-03T04:30:21","modified_gmt":"2020-03-03T12:30:21","slug":"news-11605","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/03\/03\/news-11605\/","title":{"rendered":"Verizon: Companies will sacrifice mobile security for profitability, convenience"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/04\/security_mobile_unlocked_data_connections_thinkstock_816843954-100755111-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lucas Mearian| Date: Tue, 03 Mar 2020 03:00:00 -0800<\/strong><\/p>\n<p>Despite an increase in the number of companies hit by mobile attacks that led to compromises, four in 10 businesses sacrificed security to meet profit goals or avoid \u201ccumbersome\u201d security processes, according to Verizon\u2019s third annual <a href=\"https:\/\/www.verizon.com\/about\/news\/verizon-mobile-security-index\" rel=\"nofollow\">Mobile Security Index 2020<\/a>.<\/p>\n<p>It showed that 43% of organizations sacrificed security.\u00a0More typical reasons for companies exposing themselves to risk, such as lack of budget and IT expertise, trailed \u201cway behind\u201d things such as expediency (62%), convenience (52%) and \u00a0profitability targets (46%). Lack of budget and IT expertise were only cited by 27% and 26% of respondents, respectively.<\/p>\n<p>\u201cIn fact, the study found that 39% of respondents reported having a mobile-security-related compromise. Sixty-six percent of organizations that suffered a compromise called the impact \u2018major,\u2019 and 55% said the compromise they experienced had lasting repercussions,\u201d Verizon stated.<\/p>\n<p>The findings are based on a survey of more than 850 IT professionals responsible for buying, managing and securing mobile and IoT devices. 
In addition to insights from Verizon\u2019s analysts, the report includes real-world data from security and management companies, including Asavie, IBM, Lookout, MobileIron, NetMotion, Netskope, Symantec, VMware and Wandera.<\/p>\n<p>This year, Verizon added questions to find out why companies are knowingly exposing themselves to risks.\u00a0The need to meet targets was the most commonly stated reason, whether it was time (62%) or money related (46%).<\/p>\n<p>Despite an increase in the number of companies hit by mobile attacks that caused breaches, Verizon\u2019s data does show a reduction in the proportion saying that they had knowingly compromised security (down from 48% in FY2019 to 43% in FY2020).<\/p>\n<p>\u201cIt seems that many companies still see mobile security as an impediment to their business objectives rather than a business imperative in itself,\u201d Verizon said. \u201cBut attitudes are changing. Eighty-seven percent of respondents said they were concerned that a mobile security breach could have a lasting impact on customer loyalty, and 81% said that a company\u2019s data privacy record will be a key brand differentiator in the future.\u201d<\/p>\n<p>Dionisio Zumerle, a senior director of research at Gartner, said enterprises today have a plethora of security challenges; for many, it is simply not possible to tackle everything at once.<\/p>\n<p>&#8220;For a number of reasons, mobile today is a smaller issue than many others,&#8221; Zumerle said via email. &#8220;Among other factors, the operating system is more hardened, and mobile devices have less access to critical enterprise infrastructure and data.&#8221;<\/p>\n<p>The Verizon report found that 39% of organizations admitted to suffering a security compromise involving a mobile device \u2014 up from 33% in the 2019 report and 27% in 2018. 
Of those that suffered a compromise, 66% said the impact was major and 36% said it had lasting repercussions.<\/p>\n<p>Twenty percent of organizations that suffered a mobile compromise said a rogue or insecure Wi-Fi hotspot was involved.<\/p>\n<p>&#8220;Although the risks of public Wi-Fi are becoming well known, convenience trumps policy \u2013 even common sense \u2014 for many users. Some organizations are trying to prevent this by implementing Wi-Fi-specific policies, but inevitably, rules will be broken,&#8221; Verizon said.<\/p>\n<p>According to MobileIron, 7% of protected devices detected a man-in-the-middle (MitM) attack in the past year.<\/p>\n<p>According to Wandera, employees connect to an average of 24 Wi-Fi hotspots per week. The company also found that 7% of devices encounter a hotspot that presents a low-to-medium severity risk, and 2% encounter one rated as a high risk\u2014one known to be affected by MitM, or a protocol attack like SSL Strip.<\/p>\n<p>Overall, the average mobile device connects to two to three insecure Wi-Fi hotspots per day. The most common settings are retail, hospitality and transportation hubs, including airports.\u00a0<\/p>\n<p>Despite the risks, less than half (42%) of organizations said that they prohibit employees from using public Wi-Fi to perform work-related tasks.<\/p>\n<p>&#8220;Open Wi-Fi networks are convenient, but they are as open to users as they are to attackers,&#8221; Zumerle said. &#8220;There are a number of ways to achieve this, but essentially an attacker can conduct a MitM attack where he can see everything that a user sends over the network. This includes account credentials and confidential information among other data.<\/p>\n<p>&#8220;There are a number of ways to respond,&#8221;\u00a0Zumerle continued, &#8220;such as using adequate transport security (e.g. 
a VPN with certificate pinning), or an MTD solution &#8230; \u00a0that can identify MitM attacks.&#8221;<\/p>\n<p>All vertical industries were included in the survey results, including manufacturing (where 41% suffered a mobile-related compromise) and the public sector (39%). And companies of all sizes were hit \u2014 from small and medium-sized businesses (28%) to those with more than 500 employees (44%).<\/p>\n<p>At the same time, 80% of organizations said mobile will be their primary means of accessing cloud services within five years.\u00a0<\/p>\n<p>Mobile end users were the primary vector for attacks, Verizon found. In fact, even among companies with defenses in place, including mobile device management (MDM) systems and at least one form of email filtering, many users still received \u2013 and clicked on \u2013 phishing links.<\/p>\n<p>The main issue is that mobile management and mobile application management tools are just that \u2013 primarily management tools and not detection and remediation tools, according to Phil Hochmuth, IDC\u2019s vice president of research for enterprise mobility.<\/p>\n<p>\u201cThat\u2019s where mobile threat management\/mobile threat defense (MTM\/MTD) tools come in,\u201d he said via email. \u201cThese are sometimes called (mistakenly) \u2018iOS\/Android antimalware.&#8217; [They] look for more than malicious apps and on-device software. These tools also look for malicious Wi-Fi activity, as well as app-level threats.\u201d<\/p>\n<p>Of the users who fell for a phishing attack, most were repeat victims. 
More than half (53%) of users that clicked on a phishing link clicked on more than one, the data showed.<\/p>\n<p>Hochmuth agreed the biggest mobile app-level threat is phishing, \u201cor, using the communication channel in any app \u2026 not just e-mail or SMS apps \u2026 to trick and phish users.<\/p>\n<p>\u201cAlmost every app has some form of built-in messaging feature and attackers are using all of these to get at targets \u2013 social media apps and websites, etc,\u201d Hochmuth said. \u201cWhile the industry has not seen the extremely costly effects of malware and targeted attacks on PC operating systems vs. mobile, smartphones are now the primary access device for most Internet users, and are ubiquitous in enterprises.\u201d<\/p>\n<p>While it&#8217;s generally harder to compromise mobile OSes, they do represent a \u201chuge attack\u201d and \u201cgrowing\u201d attack vector, Hochmuth said.<\/p>\n<p>If companies don\u2019t become more proactive in addressing mobile threats, governments and industry bodies may well force their hands, Verizon\u2019s report said.<\/p>\n<p>Following the passage of the EU\u2019s General Data Protection Regulation (GDPR) in 2016 and California\u2019s Consumer Privacy Act in 2018 (they went into effect in May 2018 and January 2020, respectively), there has been increased momentum behind comprehensive privacy legislation.<\/p>\n<p>In the U.S., several states, from Hawaii to Rhode Island, have initiated such measures. Four other states, including Texas and Louisiana, have set up task forces to look into the issue, Verizon noted.<\/p>\n<p>While only 33% of companies said regulatory penalties are a consequence they are worried about, that could be because governments have given them adequate time to prepare. 
Sixty-seven percent said that increased regulation had driven them to spend more on security as a whole.<\/p>\n<p>Gartner&#8217;s Zumerle said IT security leaders who want to address mobile threats should start from a security hygiene standpoint: device vulnerability management (removing vulnerable, unpatchable devices) and application vetting (disallowing leaky and malicious apps).<\/p>\n<p>&#8220;In the long term, we see mobile security solutions such as MTD converging and being part of a unified endpoint security solution,&#8221; Zumerle said.<\/p>\n<p>Indeed, over the past year and a half, vendors <a href=\"https:\/\/www.computerworld.com\/article\/3516136\/uem-to-marry-security-finally-after-long-courtship.html\">have touted a marriage between unified endpoint management (UEM) and security tools<\/a>, offering a more comprehensive strategy for securing all enterprise endpoints, according to Nick McQuire, a senior vice president of research at CCS Insights.<\/p>\n<p>Artificial intelligence and machine learning tools are at the core of some of the latest &#8220;zero-trust&#8221; frameworks being deployed by vendors, which is more about threat detection even while an employee is already logged into a corporate system via a mobile device.<\/p>\n<p>\u201cA lot of [threat detection] has to do with knowing what the device is, who the user is\u2026, the health of the device and making sure the user is tied to their credential and that credential is tied to the device,\u201d said Bill Harrod, federal CTO at MobileIron. 
\u201cThen it\u2019s about being able to evaluate the risk in all those places.\u201d<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3530288\/verizon-companies-will-sacrifice-mobile-security-for-profitability-convenience.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/04\/security_mobile_unlocked_data_connections_thinkstock_816843954-100755111-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lucas Mearian| Date: Tue, 03 Mar 2020 03:00:00 -0800<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>Despite an increase in the number of companies hit by mobile attacks that led to compromises, four in 10 businesses sacrificed security to meet profit goals or avoid \u201ccumbersome\u201d security processes, according to Verizon\u2019s third annual <a href=\"https:\/\/www.verizon.com\/about\/news\/verizon-mobile-security-index\" rel=\"nofollow\">Mobile Security Index 2020<\/a>.<\/p>\n<p>It showed that 43% of organizations sacrificed security.\u00a0More typical reasons for companies exposing themselves to risk, such as lack of budget and IT expertise, trailed \u201cway behind\u201d things such as expediency (62%), convenience (52%) and \u00a0profitability targets (46%). 
Lack of budget and IT expertise were only cited by 27% and 26% of respondents, respectively.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3530288\/verizon-companies-will-sacrifice-mobile-security-for-profitability-convenience.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[12850,10554,714],"class_list":["post-17872","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-mdm","tag-mobile","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17872","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17872"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17872\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17872"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17872"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17872"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}