Best practices for security have not kept pace with IT teams still treating mobile security separately to overall enterprise security practices, according to US wireless provider Verizon, which warns that mobile devices are the biggest enterprise security threat, but have not been prioritised by the IT teams.
Verizon’s comments come as it publishes its annual, data-driven Verizon Mobile Security Index 2021, detailing the increasing risks and growing impact of mobile security “compromises”.
According to Verizon, cyber security itself has been firmly back on the radar in the recent weeks, with the widespread reports of IT disruption within the Federal Parliament, “which place the public sector under the spotlight, along with financial organisations and Nine’s cyber awakening.”
“The COVID-19 pandemic forced businesses to quickly support remote working practices, often without proper security measures in place,” says Verizon.
“The Verizon Business Mobile Security Index (MSI) 2021 reveals that many businesses may have left themselves vulnerable and open to cyber criminals in the rush to ensure their workforce could operate remotely.”
According to Verizon, forty-nine percent of businesses surveyed stressed that changes made to remote working practices during lockdown adversely affected their company’s cybersecurity.
“Interestingly, even though 40% of businesses surveyed recognised that mobile devices are their company’s biggest IT security threat, 45% of them knowingly sacrificed the security of mobile devices to “get the job done” (e.g., meet a deadline or productivity targets) and nearly a quarter (24%) sacrificed the security of mobile devices to facilitate their response to restrictions put in place due to the pandemic.
“The pandemic caused a global shift in the way organisations operate, many of which ramped up their digital transformation agendas and working models to meet the fast-changing needs of both employees and customers,” said Sampath Sowmyanarayan, Verizon Business.
“While businesses focused their efforts elsewhere, cybercriminals saw a wealth of new opportunities to strike. With the rise of the remote workforce and the spike in mobile device usage, the threat landscape changed, which for organisations, means there is a greater need to hone in on mobile security to protect themselves and those they serve.”
Verizon says the effect of the pandemic on the workforce is going to have a lasting impact.
According to the report, a large majority (70%) of those that had seen remote working grow following the introduction of pandemic restrictions expected it to fall again afterward.
However, seventy-eight percent (78%) said that it would still remain higher than before lockdown. Overall, our respondents said that they expected the number of remote workers to settle at around half (49%).
And the survey reveals that over half of those surveyed (52%) said that small and medium sized businesses are more of a target than larger enterprises but even though this is the case, 59% of small and medium sized businesses had sacrificed security with 22% suffering a mobile compromise.
Seventy-eight percent stated that they should take mobile-device security more seriously.
Of those surveyed, 72% of organisations are worried about device abuse or misuse, and Verizon says part of the problem is that many companies struggle to develop an effective Acceptable Use Policy (AUP), and 57% didn’t have one at all.
Verizon’s report highlights what it says is the important trends on mobile security issues that should be elevated in importance along with cyber security breaches and trends, including:
- People and behaviours – with more than half of companies that experienced a mobile-related security breach attributing it to user behaviour, there is a need for greater user education. For example, there was a 365% increase in phishing attacks, yet very few people (8%) could identify the correct definition of phishing.
- Apps – lack of awareness of best practice for app permissions on business devices, coupled with the high percentage of businesses that do not have an Acceptable Use Policy or have relaxed app permissions, means greater risk of exposure to mobile threats.
- Devices and things – while device and IoT manufacturers continue to improve hardened security, workers reported allowing friends or family to use their work devices. IoT devices are collecting PII, with a significant proportion not using encryption.
- Networks and cloud – very few companies are taking measures to block the use of public WiFi despite the risks, despite more than half of companies that experienced a mobile-related compromise attributing the breaches to insecure connections such as a rogue base station or use of insecure Wi-Fi.