Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

2/23/2016
05:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

New Study Shows Mobile Devices The Cause Of Some Data Breaches

A single mobile device infected with malware can cost a victim organization an average of $9,485, according to a Ponemon Institute report.

A new study shows the root cause of many of today’s data breaches is an employee’s mobile device. The findings are in stark contrast to the 2015 Verizon Data Breach Investigation Report that concluded that mobile devices are not yet a preferred vector in data breaches and have a less than 1% infection rate.

The data comes from a Ponemon Institute study commissioned by mobile security firm Lookout. Of the 588 US IT and IT security professionals surveyed who are employed in Global 2000 companies, 67% say they it is certain or likely that their organization had a data breach as a result of employees using their mobile devices to access their company’s sensitive and confidential information.

David Richardson, product manager at Lookout, says “the fact that two-thirds of people have already been breached by mobile [device]” was a surprising finding.

The report also gave a detailed breakdown of the cost of a mobile device data breach: Just one mobile device infected with malware can cost an organization an average of $9,485, according to the study.

Despite a rise in mobile malware and the obvious risk of mobile devices, little evidence to date has emerged suggesting that mobile devices are actually becoming an attack vector. “In short, we aren’t seeing 'mobile phone' as an asset in our breach data set,” says Marc Spitler, senior manager, Verizon Security Research. “We know that malware exists that targets mobile devices, but it may be that individuals are being affected, as we are not seeing it as part of an organizational breach.”

Meanwhile, more studies to the contrary are beginning to emerge.

A study released today from Mobile Iron also found that over 50% of enterprises have at least one non-compliant (jailbroken, rooted, disabled personal identification number (PIN) protection, lost device, out-of-date policies, etc.) device.

According to the Ponemon report, employees also have access to more sensitive company data on their devices than IT is aware of. “When you ask IT what they believe is accessible on mobile devices and when you ask employees, you get very different answers,” Lookout’s Richardson says, adding that there’s an obvious disconnect here.

The survey found significant discrepancies between the data that IT claims employees don’t have access to, and what employees say they can access via mobile devices. Take the question of sensitive company data. Employees say they have more access than IT says they have:  employees’ personal identifiable information (52% of employees vs. 18% of IT security), confidential or classified documents (33% of employees vs. 8% of IT security) and customer records (43% of employees vs. 19% of IT security).

So, is the solution for organizations to decrease the amount of sensitive company data employees have access to on their mobile devices? “I think this is a sort of head-buried-in-the-sand sort of response,” Richardson says to the idea of decreasing employees’ mobile access to data. "The reality is [a mobile device] is a computer … [and] employees will find a way to be productive on mobile. Trying to lock down the data on mobile devices is a losing strategy.”

Larry Ponemon, the report’s author, disagrees. When it comes to the amount of company data employees can access on mobile devices, he says at a minimum there should be real limits. “We should be living more in the virtual world and in the cloud,” he says.

Even so, limiting mobile access is difficult. “You can’t change human behavior, people do what they want to do, and that’s another problem,” he says.

The good news is companies are taking some measures to protect their data, and budgets for mobile security are projected to increase over the next year from 16% to 37% of the IT security budget. More than half of companies surveyed currently implement containerization to manage data accessible on employees’ mobile devices, among other security measures including application blacklist/whitelist (47%), identity management (45%), and mobile device management (40%). However, 43% of respondents say they use none of these security measures.

 “When it comes to mobile, it requires a defense-in-depth strategy,” Richardson says. If you’re doing just one of these things, it’s probably not enough.”

Still, mobile security technology will only get you so far. Ponemon points to the need for employee awareness, “Try to have a policy and some training for the end users about the potential risk,” Ponemon says, adding that “having containerization solutions and MDM tools…the right tools to reduce the risk” posed by mobile devices is important.

 
Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/25/2016 | 12:49:48 AM
Lack of self-reporting
The other problem is incident response.

Let's say I'm an employee who has violated company policy by accessing/storing/using company data on my mobile device.

Now let's say I discover my mobile device has become compromised.

Uh-oh.  Do I tell my company?  I don't want to get in trouble.

There are ways to encourage this kind of self-reporting, but -- unfortunately -- most organizations don't do it.
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.
CVE-2019-12830
PUBLISHED: 2019-06-15
In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.