Endpoint

2/23/2016
05:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

New Study Shows Mobile Devices The Cause Of Some Data Breaches

A single mobile device infected with malware can cost a victim organization an average of $9,485, according to a Ponemon Institute report.

A new study shows the root cause of many of today’s data breaches is an employee’s mobile device. The findings are in stark contrast to the 2015 Verizon Data Breach Investigation Report that concluded that mobile devices are not yet a preferred vector in data breaches and have a less than 1% infection rate.

The data comes from a Ponemon Institute study commissioned by mobile security firm Lookout. Of the 588 US IT and IT security professionals surveyed who are employed in Global 2000 companies, 67% say they it is certain or likely that their organization had a data breach as a result of employees using their mobile devices to access their company’s sensitive and confidential information.

David Richardson, product manager at Lookout, says “the fact that two-thirds of people have already been breached by mobile [device]” was a surprising finding.

The report also gave a detailed breakdown of the cost of a mobile device data breach: Just one mobile device infected with malware can cost an organization an average of $9,485, according to the study.

Despite a rise in mobile malware and the obvious risk of mobile devices, little evidence to date has emerged suggesting that mobile devices are actually becoming an attack vector. “In short, we aren’t seeing 'mobile phone' as an asset in our breach data set,” says Marc Spitler, senior manager, Verizon Security Research. “We know that malware exists that targets mobile devices, but it may be that individuals are being affected, as we are not seeing it as part of an organizational breach.”

Meanwhile, more studies to the contrary are beginning to emerge.

A study released today from Mobile Iron also found that over 50% of enterprises have at least one non-compliant (jailbroken, rooted, disabled personal identification number (PIN) protection, lost device, out-of-date policies, etc.) device.

According to the Ponemon report, employees also have access to more sensitive company data on their devices than IT is aware of. “When you ask IT what they believe is accessible on mobile devices and when you ask employees, you get very different answers,” Lookout’s Richardson says, adding that there’s an obvious disconnect here.

The survey found significant discrepancies between the data that IT claims employees don’t have access to, and what employees say they can access via mobile devices. Take the question of sensitive company data. Employees say they have more access than IT says they have:  employees’ personal identifiable information (52% of employees vs. 18% of IT security), confidential or classified documents (33% of employees vs. 8% of IT security) and customer records (43% of employees vs. 19% of IT security).

So, is the solution for organizations to decrease the amount of sensitive company data employees have access to on their mobile devices? “I think this is a sort of head-buried-in-the-sand sort of response,” Richardson says to the idea of decreasing employees’ mobile access to data. "The reality is [a mobile device] is a computer … [and] employees will find a way to be productive on mobile. Trying to lock down the data on mobile devices is a losing strategy.”

Larry Ponemon, the report’s author, disagrees. When it comes to the amount of company data employees can access on mobile devices, he says at a minimum there should be real limits. “We should be living more in the virtual world and in the cloud,” he says.

Even so, limiting mobile access is difficult. “You can’t change human behavior, people do what they want to do, and that’s another problem,” he says.

The good news is companies are taking some measures to protect their data, and budgets for mobile security are projected to increase over the next year from 16% to 37% of the IT security budget. More than half of companies surveyed currently implement containerization to manage data accessible on employees’ mobile devices, among other security measures including application blacklist/whitelist (47%), identity management (45%), and mobile device management (40%). However, 43% of respondents say they use none of these security measures.

 “When it comes to mobile, it requires a defense-in-depth strategy,” Richardson says. If you’re doing just one of these things, it’s probably not enough.”

Still, mobile security technology will only get you so far. Ponemon points to the need for employee awareness, “Try to have a policy and some training for the end users about the potential risk,” Ponemon says, adding that “having containerization solutions and MDM tools…the right tools to reduce the risk” posed by mobile devices is important.

 
Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/25/2016 | 12:49:48 AM
Lack of self-reporting
The other problem is incident response.

Let's say I'm an employee who has violated company policy by accessing/storing/using company data on my mobile device.

Now let's say I discover my mobile device has become compromised.

Uh-oh.  Do I tell my company?  I don't want to get in trouble.

There are ways to encourage this kind of self-reporting, but -- unfortunately -- most organizations don't do it.
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14981
PUBLISHED: 2018-08-17
Certain LG devices based on Android 6.0 through 8.1 have incorrect access control for SystemUI application intents. The LG ID is LVE-SMP-180005.
CVE-2018-14982
PUBLISHED: 2018-08-17
Certain LG devices based on Android 6.0 through 8.1 have incorrect access control in the GNSS application. The LG ID is LVE-SMP-180004.
CVE-2018-15482
PUBLISHED: 2018-08-17
Certain LG devices based on Android 6.0 through 8.1 have incorrect access control for MLT application intents. The LG ID is LVE-SMP-180006.
CVE-2018-15473
PUBLISHED: 2018-08-17
OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c.
CVE-2018-15471
PUBLISHED: 2018-08-17
An issue was discovered in xenvif_set_hash_mapping in drivers/net/xen-netback/hash.c in the Linux kernel through 4.18.1, as used in Xen through 4.11.x and other products. The Linux netback driver allows frontends to control mapping of requests to request queues. When processing a request to set or c...