Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

2/23/2016
05:45 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

New Study Shows Mobile Devices The Cause Of Some Data Breaches

A single mobile device infected with malware can cost a victim organization an average of $9,485, according to a Ponemon Institute report.

A new study shows the root cause of many of today’s data breaches is an employee’s mobile device. The findings are in stark contrast to the 2015 Verizon Data Breach Investigation Report that concluded that mobile devices are not yet a preferred vector in data breaches and have a less than 1% infection rate.

The data comes from a Ponemon Institute study commissioned by mobile security firm Lookout. Of the 588 US IT and IT security professionals surveyed who are employed in Global 2000 companies, 67% say they it is certain or likely that their organization had a data breach as a result of employees using their mobile devices to access their company’s sensitive and confidential information.

David Richardson, product manager at Lookout, says “the fact that two-thirds of people have already been breached by mobile [device]” was a surprising finding.

The report also gave a detailed breakdown of the cost of a mobile device data breach: Just one mobile device infected with malware can cost an organization an average of $9,485, according to the study.

Despite a rise in mobile malware and the obvious risk of mobile devices, little evidence to date has emerged suggesting that mobile devices are actually becoming an attack vector. “In short, we aren’t seeing 'mobile phone' as an asset in our breach data set,” says Marc Spitler, senior manager, Verizon Security Research. “We know that malware exists that targets mobile devices, but it may be that individuals are being affected, as we are not seeing it as part of an organizational breach.”

Meanwhile, more studies to the contrary are beginning to emerge.

A study released today from Mobile Iron also found that over 50% of enterprises have at least one non-compliant (jailbroken, rooted, disabled personal identification number (PIN) protection, lost device, out-of-date policies, etc.) device.

According to the Ponemon report, employees also have access to more sensitive company data on their devices than IT is aware of. “When you ask IT what they believe is accessible on mobile devices and when you ask employees, you get very different answers,” Lookout’s Richardson says, adding that there’s an obvious disconnect here.

The survey found significant discrepancies between the data that IT claims employees don’t have access to, and what employees say they can access via mobile devices. Take the question of sensitive company data. Employees say they have more access than IT says they have:  employees’ personal identifiable information (52% of employees vs. 18% of IT security), confidential or classified documents (33% of employees vs. 8% of IT security) and customer records (43% of employees vs. 19% of IT security).

So, is the solution for organizations to decrease the amount of sensitive company data employees have access to on their mobile devices? “I think this is a sort of head-buried-in-the-sand sort of response,” Richardson says to the idea of decreasing employees’ mobile access to data. "The reality is [a mobile device] is a computer … [and] employees will find a way to be productive on mobile. Trying to lock down the data on mobile devices is a losing strategy.”

Larry Ponemon, the report’s author, disagrees. When it comes to the amount of company data employees can access on mobile devices, he says at a minimum there should be real limits. “We should be living more in the virtual world and in the cloud,” he says.

Even so, limiting mobile access is difficult. “You can’t change human behavior, people do what they want to do, and that’s another problem,” he says.

The good news is companies are taking some measures to protect their data, and budgets for mobile security are projected to increase over the next year from 16% to 37% of the IT security budget. More than half of companies surveyed currently implement containerization to manage data accessible on employees’ mobile devices, among other security measures including application blacklist/whitelist (47%), identity management (45%), and mobile device management (40%). However, 43% of respondents say they use none of these security measures.

 “When it comes to mobile, it requires a defense-in-depth strategy,” Richardson says. If you’re doing just one of these things, it’s probably not enough.”

Still, mobile security technology will only get you so far. Ponemon points to the need for employee awareness, “Try to have a policy and some training for the end users about the potential risk,” Ponemon says, adding that “having containerization solutions and MDM tools…the right tools to reduce the risk” posed by mobile devices is important.

 
Emily Johnson is the digital content editor for InformationWeek. Prior to this role, Emily worked within UBM America's technology group as an associate editor on their content marketing team. Emily started her career at UBM in 2011 and spent four and a half years in content ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/25/2016 | 12:49:48 AM
Lack of self-reporting
The other problem is incident response.

Let's say I'm an employee who has violated company policy by accessing/storing/using company data on my mobile device.

Now let's say I discover my mobile device has become compromised.

Uh-oh.  Do I tell my company?  I don't want to get in trouble.

There are ways to encourage this kind of self-reporting, but -- unfortunately -- most organizations don't do it.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.