Endpoint
2/23/2016
05:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

New Study Shows Mobile Devices The Cause Of Some Data Breaches

A single mobile device infected with malware can cost a victim organization an average of $9,485, according to a Ponemon Institute report.

A new study shows the root cause of many of today’s data breaches is an employee’s mobile device. The findings are in stark contrast to the 2015 Verizon Data Breach Investigation Report that concluded that mobile devices are not yet a preferred vector in data breaches and have a less than 1% infection rate.

The data comes from a Ponemon Institute study commissioned by mobile security firm Lookout. Of the 588 US IT and IT security professionals surveyed who are employed in Global 2000 companies, 67% say they it is certain or likely that their organization had a data breach as a result of employees using their mobile devices to access their company’s sensitive and confidential information.

David Richardson, product manager at Lookout, says “the fact that two-thirds of people have already been breached by mobile [device]” was a surprising finding.

The report also gave a detailed breakdown of the cost of a mobile device data breach: Just one mobile device infected with malware can cost an organization an average of $9,485, according to the study.

Despite a rise in mobile malware and the obvious risk of mobile devices, little evidence to date has emerged suggesting that mobile devices are actually becoming an attack vector. “In short, we aren’t seeing 'mobile phone' as an asset in our breach data set,” says Marc Spitler, senior manager, Verizon Security Research. “We know that malware exists that targets mobile devices, but it may be that individuals are being affected, as we are not seeing it as part of an organizational breach.”

Meanwhile, more studies to the contrary are beginning to emerge.

A study released today from Mobile Iron also found that over 50% of enterprises have at least one non-compliant (jailbroken, rooted, disabled personal identification number (PIN) protection, lost device, out-of-date policies, etc.) device.

According to the Ponemon report, employees also have access to more sensitive company data on their devices than IT is aware of. “When you ask IT what they believe is accessible on mobile devices and when you ask employees, you get very different answers,” Lookout’s Richardson says, adding that there’s an obvious disconnect here.

The survey found significant discrepancies between the data that IT claims employees don’t have access to, and what employees say they can access via mobile devices. Take the question of sensitive company data. Employees say they have more access than IT says they have:  employees’ personal identifiable information (52% of employees vs. 18% of IT security), confidential or classified documents (33% of employees vs. 8% of IT security) and customer records (43% of employees vs. 19% of IT security).

So, is the solution for organizations to decrease the amount of sensitive company data employees have access to on their mobile devices? “I think this is a sort of head-buried-in-the-sand sort of response,” Richardson says to the idea of decreasing employees’ mobile access to data. "The reality is [a mobile device] is a computer … [and] employees will find a way to be productive on mobile. Trying to lock down the data on mobile devices is a losing strategy.”

Larry Ponemon, the report’s author, disagrees. When it comes to the amount of company data employees can access on mobile devices, he says at a minimum there should be real limits. “We should be living more in the virtual world and in the cloud,” he says.

Even so, limiting mobile access is difficult. “You can’t change human behavior, people do what they want to do, and that’s another problem,” he says.

The good news is companies are taking some measures to protect their data, and budgets for mobile security are projected to increase over the next year from 16% to 37% of the IT security budget. More than half of companies surveyed currently implement containerization to manage data accessible on employees’ mobile devices, among other security measures including application blacklist/whitelist (47%), identity management (45%), and mobile device management (40%). However, 43% of respondents say they use none of these security measures.

 “When it comes to mobile, it requires a defense-in-depth strategy,” Richardson says. If you’re doing just one of these things, it’s probably not enough.”

Still, mobile security technology will only get you so far. Ponemon points to the need for employee awareness, “Try to have a policy and some training for the end users about the potential risk,” Ponemon says, adding that “having containerization solutions and MDM tools…the right tools to reduce the risk” posed by mobile devices is important.

 
Emily Johnson is an Associate Editor on UBM America's Content Marketing team. Prior to this role, Emily spent four and a half years in content and marketing roles supporting the UBM America's IT events portfolio. Emily earned her B.A. in English from the University of ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/25/2016 | 12:49:48 AM
Lack of self-reporting
The other problem is incident response.

Let's say I'm an employee who has violated company policy by accessing/storing/using company data on my mobile device.

Now let's say I discover my mobile device has become compromised.

Uh-oh.  Do I tell my company?  I don't want to get in trouble.

There are ways to encourage this kind of self-reporting, but -- unfortunately -- most organizations don't do it.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: So...are we supposed to be the elves or the reindeer?
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.