Mobile Security Index 2022: more companies experiencing mobile-related compromises
by Pushpendra Mehta, Executive Writer, CTMfile
The Verizon Mobile Security Index (MSI) 2022 Report reveals that close to half (45%) of the companies surveyed suffered a security compromise involving a mobile device in the past 12 months that led to the loss of data, system downtime or other negative outcomes. This number shows a 22% increase over last year.
Of those respondents, 73% described the impact of the attack as major, and over two-fifths (42%) said that it had lasting repercussions. That’s also up from Verizon’s previous report, where less than half of incidents were described as major, and just 28% were said to have had lasting repercussions.
Companies with a global presence were even more likely to have been affected by mobile compromise. More than three in five (61%) had been hit, compared to 43% of organizations with only a local presence.
“For businesses–regardless of industry, size, or location on a map–downtime is money lost. Compromised data is trust lost, and those moments, although not insurmountable, are tough to rebound from,” said Sampath Sowmyanarayan, CEO, Verizon Business.
“Companies need to dedicate time and budget on their security architecture, especially when it comes to off-premise devices: otherwise they are leaving themselves vulnerable to cyber-threat actors,” Sowmyanarayan warns.
The fifth annual Verizon MSI 2022 findings are based on an independent survey of 632 senior professionals responsible for security strategy, policy and management. Among the respondents, 80% are from the US, 14% from the UK, and 6% from Australia. The survey included both large enterprises and small companies.
The shift to remote work sees a major rise in cybercrime
The COVID-19 pandemic had a dramatic impact on working practices, most notably by accelerating a transition to remote work.
With the increase in the number of devices and employees working remotely, security teams face an uphill battle, so much so that 79% of organizations surveyed agreed that remote working had adversely affected their cybersecurity and increased the burden on security teams. In fact, almost two in three chief information security officers (CISOs) across all regions agree that remote work makes their organization more vulnerable to cyberattack, as per the Verizon MSI 2022 Report.
Companies are more reliant on mobile devices, and that can pose a significant risk
Mobile devices have become critical to business operations, and “a smaller screen no longer means less powerful,” the report explains.
Driven by increased capabilities and the growth in cloud-based applications and seamless, ubiquitous connectivity, corporate executives now have access to far more information and tools on their mobile devices than they did in the past. This has resulted in organizations becoming dependent on mobile devices more than ever. However, mobile devices are susceptible to vulnerabilities, raising concerns for companies seeking to protect themselves from cyberattacks.
According to the report, 53% of mobile devices have access to more sensitive data than a year ago. “Many employees now have access to much of the same data—customer lists, banking details, employees’ personal data, billing information, etc.—and systems—messaging, enterprise resource planning (ERP), etc.—via their mobile devices as they would sitting at a desktop in the office. This means that the compromise of a mobile device can now pose a significant risk to customer data, intellectual property and core systems,” cautions the survey report.
Given that the severity of cyberattacks has grown, and a lot more companies are facing major and lasting consequences, over three-quarters of respondents (77%) said that their cybersecurity budget had increased in the previous 12 months—that’s up from 65% in the previous edition of this report.
With 85% of companies surveyed stating that they now have a defined or dedicated budget for mobile security, there has never been a more pressing need to prevent opportunistic cybercrime exploits by applying these funds to cyberthreat mitigation.
Bring your own device (BYOD) and security problems
Of those surveyed, 41% allow employees to use their own phones/tablets to access corporate systems and data (BYOD). Another 41% are considering doing so.
The number of organizations that said that they allow employees to use their own devices has dropped since the previous edition of this report. But in that survey report, over half of the 70% of companies with a BYOD policy said that they had adopted it during the pandemic lockdown. According to the report, it seems likely that some companies will have done so only as a temporary measure and cancelled it because it didn’t suit their culture, caused security problems or proved to be unpopular.
“Securing BYOD devices can be considerably more difficult than securing company owned ones with a mobile device management (MDM) solution in place,” states the report. A key challenge of securing BYOD devices is getting users to follow company policy on a device that is their own property.
Employees who receive an incentive in the form of a stipend may be more willing to accept their employer setting rules about how they use devices and to permit intrusions into their privacy. Over two-thirds (68%) of the survey respondents whose company had a BYOD program mentioned that this included such a payment.
As companies embrace remote and hybrid work, a Zero Trust security approach can help combat security threats while giving employees the flexibility to work from anywhere and on any device they choose—whether it’s their smartphone, laptop, desktop or tablet.
Source: Verizon Mobile Security Index 2022 Report
Zero Trust Network Access (ZTNA) can be an effective alternative to the traditional approach to network security. ZTNA provides secure remote access only to the applications and services that the user has been explicitly granted. The traditional approach typically uses a virtual private network (VPN) to connect workers from remote locations and implicitly trusts these connections. In ZTNA, trust is never implicit, and remote users get seamless and secure access to private applications without ever being placed on the network and without the applications being exposed to the internet.
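The contrast between the two models, as an added example that is not taken from the Verizon report or from this article: a VPN-style check trusts any address inside the tunnel subnet, while a ZTNA-style check is default-deny per user, device and application. The user names, applications, addresses and the posture rule (encryption and PIN, borrowed from the lost-device discussion later in the article) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: every name and address here is hypothetical.
VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")
APPS = {"erp": "10.0.1.10", "payroll": "10.0.1.20", "wiki": "10.0.1.30"}
GRANTS = {("alice", "erp"), ("alice", "wiki"), ("bob", "wiki")}


@dataclass(frozen=True)
class Device:
    owner: str
    encrypted: bool
    pin_set: bool


def vpn_reachable(client_ip: str) -> set[str]:
    """VPN model: an address inside the tunnel subnet is implicitly
    trusted, so every internal application becomes reachable."""
    if ipaddress.ip_address(client_ip) in VPN_SUBNET:
        return set(APPS)
    return set()


def ztna_decide(user: str, device: Device, app: str) -> tuple[bool, str]:
    """ZTNA model: default deny, evaluated per request and per application."""
    if app not in APPS:
        return False, "unknown application"
    if device.owner != user:
        return False, "device not registered to user"
    if not (device.encrypted and device.pin_set):
        return False, "device posture check failed"
    if (user, app) not in GRANTS:
        return False, "no explicit grant"
    return True, "granted"


def ztna_reachable(user: str, device: Device) -> set[str]:
    """Applications this user/device pair can actually open under ZTNA."""
    return {app for app in APPS if ztna_decide(user, device, app)[0]}


if __name__ == "__main__":
    phone = Device(owner="alice", encrypted=True, pin_set=True)
    print("VPN :", sorted(vpn_reachable("10.8.0.7")))
    print("ZTNA:", sorted(ztna_reachable("alice", phone)))
```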
Lack of security training and remote work guidance
The report highlights a startling finding: many companies set high expectations on their employees but don’t give them adequate security training to meet those standards. While 44% of companies surveyed do not offer employees security training on a regular basis, 51% do not provide employees security training when their working arrangements change (for example, when the employees start working from home).
Despite the massive shift to remote work during the pandemic, less than half (47%) of the surveyed companies have issued guidance on maintaining privacy when working remotely (for instance, when working in a shared apartment), and 36% have not put forth guidelines on what are suitable locations for remote working (for example, home is okay, coffee shop isn’t).
Mobile security threats: people, phishing, apps, malware, devices and insecure networks
The human element continues to drive mobile security breaches. Over four-fifths (82%) of breaches analysed for the 2022 Verizon Data Breach Investigations Report (DBIR) involved the human element. “Whether it is the use of stolen credentials, phishing, misuse or simply an error, people continue to play a very large role in security incidents and breaches alike,” Verizon noted.
The Verizon MSI 2022 report further added that over two-fifths (44%) of companies that suffered a mobile-related security breach noted user behaviour as a contributing factor. Verizon’s experts weren’t surprised to hear that nearly two-thirds (66%) of respondents said that they had come under pressure to sacrifice mobile-device security “to get the job done,” and 79% of those (52% of all respondents) had succumbed to that pressure (sacrificed mobile-device security).
Phishing attacks are on the rise, and 18% of phishing email clicks come from a mobile device, according to the 2022 Verizon DBIR findings. The design of applications on mobile devices can, unintentionally, make phishing harder to detect, helping attackers get past people’s normal defences. Cybercriminals continue to produce convincing phishing sites and adeptly design campaigns to take advantage of mobile users facing numerous distractions.
Zimperium conducted an analysis of more than 500,000 phishing websites over a two-and-a-half-year period. Zimperium’s 2022 Global Mobile Threat Report found that the share of sites that specifically targeted mobile devices and delivered content tailored for the mobile format rose from just under half in the first quarter of 2019 to over three-quarters during the last quarter of 2021.
Source: Zimperium, 2022 Global Mobile Threat Report
The proliferation of apps and the resultant increase in mobile app downloads, including those downloaded from official stores, can pose a significant threat. According to the Verizon MSI 2022 Report, nearly half of those that had suffered a mobile-related security breach said that app threats were a contributing factor. Granting applications access to the camera, microphone, photos, location data and other device functions can present a substantial security risk.
Cyber attackers are not only designing phishing campaigns targeting mobile devices, but they are also building malware specifically for mobile devices. As per Jamf’s Security 360: Annual Trends Report 2022, the percentage of organizations that experienced the installation of malware on a remote device doubled in 2021, going from 3% to 6%. Malware comes in many forms, but in recent years ransomware has become the most common.
With the quantity and variety of devices (smartphones, laptops, tablets, hybrids, Chromebooks and wearables) on the rise, the danger of lost or missing devices is growing. Most organizations aren’t particularly worried about this because the risk of lost or stolen devices is comparatively easy to mitigate. Security measures like device encryption and remote wipe are now standard with most types of user devices and MDM. But that doesn’t mean that companies, or their employees, are using them. This may explain why 46% of surveyed companies that had suffered a mobile-related security breach said that device-based threats (i.e., those occurring because of lost or stolen devices) were a contributing factor. To mitigate this risk, activating full-disk (whole-disk) encryption and a PIN security code as a precaution means that even if a device is lost or stolen, the data it holds will be worthless to the attacker.
Insecure networks remain a serious threat to mobile device security. Over half (52%) of those that had suffered a mobile-related security breach said that network threats were a contributing factor. Insecure networks heighten organizational risks and can lead to cyber thieves intercepting traffic through man-in-the-middle (MITM) attacks or luring employees into using rogue Wi-Fi hotspots or access points.
Conclusion
The Verizon MSI 2022 Report presents a comprehensive picture of the threats that affect mobile devices and will help treasury, finance and security professionals assess their organization’s mobile security environment and calibrate their defences. It also reiterates the importance of regular employee security training to mitigate current and future mobile security risks.