Verizon’s annual mobile security report, one of the industry’s major bellwethers for emerging security trends, paints a picture of a landscape increasingly dependent on mobile devices to get work done even as these devices become a leading IT security risk. This pattern has been driven primarily by the pandemic conditions, with more work done on devices outside of the office and through cloud services that have caused burdensome new workloads for security teams.
“The pandemic caused a global shift in the way organizations operate, many of which ramped up their digital transformation agendas and working models to meet the fast-changing needs of both employees and customers,” said Sampath Sowmyanarayan, Chief Revenue Officer of Verizon Business. “While businesses focused their efforts elsewhere, cybercriminals saw a wealth of new opportunities to strike. With the rise of the remote workforce and the spike in mobile device usage, the threat landscape changed, which for organizations, means there is a greater need to hone in on mobile security to protect themselves and those they serve.”
Mobile security moves to the forefront as less-secure devices connect to business networks
Mobile security is becoming a leading concern for organizations in no small part due to necessity, but the Verizon report also opens by pointing out that it is becoming a key brand differentiator; 78% of the companies surveyed feel that data privacy is important to their relationships with customers going forward.
But to impress customers and trade on their record, companies need to actually keep their houses secure first. The pandemic made this a bigger challenge than it has ever been. Companies have increased reliance on remote work and cloud services to keep things functioning in a “socially distanced” environment, and a broader profile of business responsibilities are now handled on mobile devices. Unfortunately, mobile security is much tougher to manage than desktop and laptop security; phones and tablets are easier to lose and steal, and are at greater risk when it comes to certain types of cyber attacks that rely on an end user’s failure to notice small details (such as phishing attempts).
Survey respondents indicate that the current problem isn’t a lack of awareness of or care for mobile security, but a simple inability to keep up with the workload created by the sudden shift to remote work models. 24% of respondents said that mobile device security had to be sacrificed to some degree to facilitate pandemic transition plans. This is in spite of 85% viewing mobile devices as being at least as vulnerable as other IT systems, and 40% saying that mobile security is now the company’s biggest risk. Saryu Nayyar, CEO of Gurucul, points out that most organizations have not yet adapted to this need: “Most IT departments are not structured to be mobilized. Sending a member of your IT staff out into the residences of employees to set up remote access, the availability of network library shares and FTP up/downloads is largely out of the question. Sadly, there are also no controls in place that would prevent kids from working on dad’s computer or losing his cellphone.”
In keeping with the results of a number of other surveys conducted in the past year, Verizon’s respondents seem to overwhelmingly agree that remote work is here to stay even as the pandemic recedes. 78% are expecting more work-from-home even after Covid-19 is no longer an issue, and 75% see reliance on cloud-based apps increasing. However, this means new security pressures and potential reconfigurations of operations. 76% said that they felt pressured to sacrifice mobile security to achieve company goals (and 75% of these said they actually did it), 83% are concerned about the growth of “shadow IT” primarily driven by work-from-home setups, and 58% say they are struggling with reconciling different mobile demands from across departments of the business.
Mobile compromises down during pandemic, but risks are growing
Surprisingly, mobile security compromises were actually down as compared to any of the three previous years. However, the number is still not good (23%) considering nearly a quarter of organizations can expect mobile device breaches. The report also notes that companies were more likely to not detect and report breaches this past year due to IT and security teams being overwhelmed, so that number may not be accurate.
What can be said for certain is that mobile risk is already high and still growing. 50% of respondents feel that mobile device risk is growing faster than any other category, and 70% said that it had measurably increased for their company during the pandemic.
The report asked respondents exactly what corners their organizations were cutting. Slightly under half are regularly testing all security systems and processes. 60% do not always encrypt sensitive data when sending it over public networks. 61% do not always change default or vendor-supplied passwords. In spite of this, and the increased workload and security challenges, the overwhelming majority (about 80%) report a high level of confidence in their ability to spot compromised employee devices.
The habits and practices of remote workers are also examined in detail in Verizon’s report. For example, the rise of “shadow IT” mobile security issues can very likely be traced back to the fact that 89% of workers reporting having a connectivity issue or some sort of poor user experience while trying to work remotely during the pandemic. 97% also reported increased use of managed device for personal business, even though company policy often forbids it. And about 30% of organizations are allowing employees to use their own personal device for work.
Given these trends, the report posits that phones and tablets need to be treated as primary devices given that they often have access to sensitive and valuable corporate data that was once reserved for computers on the company network. These devices may not only be carrying confidential business information, but can also be used as a stepping stone for greater access to the network. George McGregor, VP of Marketing for Approov, points out that this has emerged as a particular issue for certain industries during the pandemic: “A good example is in healthcare, where medical professionals used to access the medical and administrative applications they needed from within a trusted hospital network with trusted devices (owned and managed by the hospital), but with the explosion of virtual healthcare they are now accessing medical apps, medical devices and accessing sensitive patient data from apps on their own mobile devices while on the move or at home. This changing access profile means that mobile apps and their new APIs create a new attack surface for bad actors.”