Endpoint
2/23/2016
05:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

New Study Shows Mobile Devices The Cause Of Some Data Breaches

A single mobile device infected with malware can cost a victim organization an average of $9,485, according to a Ponemon Institute report.

A new study shows the root cause of many of today’s data breaches is an employee’s mobile device. The findings are in stark contrast to the 2015 Verizon Data Breach Investigation Report that concluded that mobile devices are not yet a preferred vector in data breaches and have a less than 1% infection rate.

The data comes from a Ponemon Institute study commissioned by mobile security firm Lookout. Of the 588 US IT and IT security professionals surveyed who are employed in Global 2000 companies, 67% say they it is certain or likely that their organization had a data breach as a result of employees using their mobile devices to access their company’s sensitive and confidential information.

David Richardson, product manager at Lookout, says “the fact that two-thirds of people have already been breached by mobile [device]” was a surprising finding.

The report also gave a detailed breakdown of the cost of a mobile device data breach: Just one mobile device infected with malware can cost an organization an average of $9,485, according to the study.

Despite a rise in mobile malware and the obvious risk of mobile devices, little evidence to date has emerged suggesting that mobile devices are actually becoming an attack vector. “In short, we aren’t seeing 'mobile phone' as an asset in our breach data set,” says Marc Spitler, senior manager, Verizon Security Research. “We know that malware exists that targets mobile devices, but it may be that individuals are being affected, as we are not seeing it as part of an organizational breach.”

Meanwhile, more studies to the contrary are beginning to emerge.

A study released today from Mobile Iron also found that over 50% of enterprises have at least one non-compliant (jailbroken, rooted, disabled personal identification number (PIN) protection, lost device, out-of-date policies, etc.) device.

According to the Ponemon report, employees also have access to more sensitive company data on their devices than IT is aware of. “When you ask IT what they believe is accessible on mobile devices and when you ask employees, you get very different answers,” Lookout’s Richardson says, adding that there’s an obvious disconnect here.

The survey found significant discrepancies between the data that IT claims employees don’t have access to, and what employees say they can access via mobile devices. Take the question of sensitive company data. Employees say they have more access than IT says they have:  employees’ personal identifiable information (52% of employees vs. 18% of IT security), confidential or classified documents (33% of employees vs. 8% of IT security) and customer records (43% of employees vs. 19% of IT security).

So, is the solution for organizations to decrease the amount of sensitive company data employees have access to on their mobile devices? “I think this is a sort of head-buried-in-the-sand sort of response,” Richardson says to the idea of decreasing employees’ mobile access to data. "The reality is [a mobile device] is a computer … [and] employees will find a way to be productive on mobile. Trying to lock down the data on mobile devices is a losing strategy.”

Larry Ponemon, the report’s author, disagrees. When it comes to the amount of company data employees can access on mobile devices, he says at a minimum there should be real limits. “We should be living more in the virtual world and in the cloud,” he says.

Even so, limiting mobile access is difficult. “You can’t change human behavior, people do what they want to do, and that’s another problem,” he says.

The good news is companies are taking some measures to protect their data, and budgets for mobile security are projected to increase over the next year from 16% to 37% of the IT security budget. More than half of companies surveyed currently implement containerization to manage data accessible on employees’ mobile devices, among other security measures including application blacklist/whitelist (47%), identity management (45%), and mobile device management (40%). However, 43% of respondents say they use none of these security measures.

 “When it comes to mobile, it requires a defense-in-depth strategy,” Richardson says. If you’re doing just one of these things, it’s probably not enough.”

Still, mobile security technology will only get you so far. Ponemon points to the need for employee awareness, “Try to have a policy and some training for the end users about the potential risk,” Ponemon says, adding that “having containerization solutions and MDM tools…the right tools to reduce the risk” posed by mobile devices is important.

 
Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/25/2016 | 12:49:48 AM
Lack of self-reporting
The other problem is incident response.

Let's say I'm an employee who has violated company policy by accessing/storing/using company data on my mobile device.

Now let's say I discover my mobile device has become compromised.

Uh-oh.  Do I tell my company?  I don't want to get in trouble.

There are ways to encourage this kind of self-reporting, but -- unfortunately -- most organizations don't do it.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.