A significant number of organizations are putting their data at risk as they favor speed over security, according to a report commissioned by Verizon.
About a third of the 600 respondents surveyed said they trade mobile security for performance, while nearly every organization -- 93 percent -- recognized their company’s mobile devices were the source of an increasing threat.
“It’s expected that end users are willing to sacrifice security for convenience when it comes to their smartphones, but it’s highly concerning that mobility managers don’t know better,” said David Richardson, director of product at mobile security company Lookout. Richardson’s firm recently conducted a similar survey and reached many of the same conclusions.
“Just over half of U.S. federal IT managers require mobile devices to have a pin or passcode and restrict employees from downloading unapproved apps to their mobile device used for work,” he said. “So, perhaps unsurprisingly, more than 60 percent reported a security incident involving a mobile device.”
Many of the security threats covered by the Verizon report related to employees using their own devices for business. “And 39% of organizations that allow employees to use their own devices for business purposes (known as BYOD) ranked this as their top concern,” according to the report.
“The company has no control in managing the devices, which, of course, brings many unknown risks and vulnerabilities into our environment,” said Lisa Love, president of L Squared, a cybersecurity consulting firm. “We have recourse to monitor usage on behalf of the organization. But, it’s hard to enforce this on devices that are not owned and managed by the organization.”
Surprisingly few companies are remotely administering their firms’ devices. The report advises companies to employ mobile device management (MDM) and enterprise mobility management (EMM), but fewer than a third of the companies were using these methods.
Particularly vulnerable, according to the report, are the public and healthcare sectors. About a third of both reported downtime or data loss caused by an incident with mobile security.
“For healthcare and the public sector, maintaining business operations while protecting sensitive data is mission critical,” said Matt Montgomery, a managing director with Verizon Wireless. “Because of the nature of what they do and the information they’re protecting, these industries have a target on their backs.”
Potentially more troubling, according to the report, is how few companies are taking even simple measures to protect mobile devices despite the threats.
“Only one in seven organizations surveyed (14%) had implemented the most basic cybersecurity practices,” according to the report. “Less than two fifths (39%) change all default passwords; only 38% use strong two-factor authentication on their mobile devices; and, only 59% restrict which apps employees can download from the Internet to their mobile devices.”
Another potential problem occurs when employees don’t keep their phones’ operating systems current, opening their organizations to known mobile security threats that have already been patched.
“Requiring employees to run the latest software updates is always difficult to regulate,” said Richard Henderson, global security strategist at Absolute Software. “So companies end up taking on more risk. Of course, there are many devices, typically Android-based, where patches will never be made available due to the age of the device or the abandonment of updates from either the manufacturer or the carrier. It's incredibly difficult to ask employees to continually replace their hardware for a newer device that is currently supported.”
The report advised, at minimum, basic security measures: changing default passwords, encrypting data on public networks, restricting access to a need-to-know basis, and regularly testing the organization's security policies.
“It's up to the CIO/CISO to determine how risky it is to allow non-corporate devices on the network and what measures can be put in place to control that risk,” Henderson said. “This lenient attitude can create an unprotected entrance to the corporate network via mobile devices.”