About Half of Companies Put Profit Before Security: Verizon Mobile Security Study

New York based Verizon’s Mobile Security Index 2019, found almost half of organizations are sacrificing mobile security to improve speed to market and profitability (up from nearly a third in 2018).

Verizon’s Mobile Security Index 2019 also found 42% of those in the financial services sector reported suffering a compromise linked to a mobile device, more than any other industry measured, but noted it’s possible that financial services companies are better at identifying when a mobile device was involved.

The finserv industry is also more likely to have some defenses in place, like data loss prevention (46% versus an average of 36%).

Additional index findings specific to financial services companies included: finservs were most likely to say they’d experienced a mobile-related compromise, more than education, healthcare and public sector; 90% said they made changes to their security policies in light of new regulations; the industry topped the list of sectors agreeing with the statement “organizations need to take mobile device security more seriously” (44% strongly agreed, versus 33% across all industries).

Overall, almost half (48%) of respondents said their organization had sacrificed mobile security in the past year. That is up from 32% from last year. Additionally, the index found those sacrificing security were nearly twice as likely to suffer a compromise (46% versus 24%). And the majority (62%) of those affected described the event as “major”.

“Companies are increasingly reliant on mobility as the backbone of their business operations so there needs to be a priority on securing those devices,” TJ Fox, SVP & president business markets with Verizon, said. “The applications on these devices now manage things like supply chain systems, point of sale systems, or customer facing apps. The lack of robust security measures could potentially expose corporate assets, and possibly customer data, to malicious actors.”

Other survey snapshots:

• Eight-three percent of respondents said their organization was at risk of mobile threats, 29% said that it was a significant risk.
• Two thirds of organizations said they are less confident about the security of their mobile assets than other devices.
• Almost half (48%) said they had sacrificed security to “get the job done,” up from 32% last year.
• Eighty-five percent said organizations need to take mobile security more seriously.
• More than 80% admitted using public Wi-Fi, even when prohibited by company policy.
• Forty-three percent said remediating the effects of a mobile-related compromise was “difficult and expensive.”

Fox in the report’s foreword wrote, “It’s been another headline-grabbing 12 months for cybersecurity. There were many large and damaging compromises affecting retailers, airlines and credit rating companies, to name just a few. Thousands of organizations weren’t prepared and had sensitive data stolen, suffered downtime of key systems or were affected in some other way. Something missing from the headlines was a compromise directly attributed to the vulnerability of a mobile device.” Yet Verizon found that the number of companies admitting they’d suffered a compromise in which a mobile device played a role went up from 27% in the 2018 report to 33% this time around. So, asked Fox, “where’s the disconnect/?”

The answer he explained lies in how little is normally made public about major incidents. “Often, attacks will start with phishing, getting an unsuspecting user to click on a malicious link. But that part of the story rarely makes it into print, never mind whether it was actually a tap on a mobile screen rather than the click of a mouse. You could say that none of the biggest breaches have been publicly attributed to mobile vulnerabilities; but a mobile element hasn’t been ruled out either.”

That may change soon. Governments are beginning to intervene to ensure organizations take cybersecurity across all endpoints more seriously. Since the publication of Verizon’s Mobile Security Index 2018, the European Union’s General Data Protection Regulation took effect and the California legislature passed minimum standards for connected device security. More legislation is expected to follow.

“Mobile devices now have access to much of the same valuable corporate data — customer lists, bank details, employee personal data, billing information and much more — as those using fixed connections,” Fox maintained. “The compromise of a mobile device can now be just as great a risk to your customer data, intellectual property and core systems. It’s time to close the chasm between the levels of protection.”

Verizon’s Mobile Security Index 2019 is based on a survey of over 600 professionals involved in buying, managing and securing mobile devices for their organizations. In addition to analysis from Verizon’s experts, the report includes insight and real-world data from security and management companies IBM, Lookout, MobileIron, and Wandera.