Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile Security

2/21/2018
08:05 AM
Carol Wilson
Carol Wilson
News Analysis-Security Now
50%
50%

Verizon Mobility Security Index Shows Enterprises Not Doing Enough

The Verizon Mobility Security survey shows enterprises are aware of the growing risk that smartphones and tablets present but aren't doing enough to address it.

Enterprises are aware that growing use of mobile devices in business is increasing security risks, but many of them admit they aren't yet doing all they can to mitigate those risks. This is in part because they are putting other business goals first, according to the first Mobile Security Index conducted by Verizon Wireless Business Group.

Verizon Wireless surveyed 600 mobility professionals, including many from multi-national corporations, and found that while 93% admitted the growing use of smartphones and tablets is creating greater security risks, almost one third admitted sacrificing mobile security to improve business performance.

That behavior could include things such as using public WiFi networks that aren't secured in order to access business apps -- 14% of those surveyed admitted doing this, even when it is against policy -- notes Justin Blair, executive director of mobile business products for Verizon's Wireless Business Group. The purpose of the Mobile Security Index is to raise awareness of the risks, so they can be properly factored in, he adds in an interview.

"We think many businesses are not really understanding how big the risks are when it comes to mobile security," Blair said. "They need to understand that the minute you go from paper to digital, leveraging a tablet, that tablet is a way into the network. So you need to have device management capability and some level of security on that tablet."

The index showed that companies who did sacrifice security for expediency were almost two-and-a-half times more likely to suffer downtime or data loss.

The survey also show that, for 79% of respondents, the greatest concern around mobile security is disruption of business operations, he adds, and not data loss.

"If you have moved away from paper to go digital, if you are relying upon a smart phone or tablet to do your job now, then if you can't access the stuff you are supposed to access, you can't get your job done," Blair said. "That's what many businesses are most concerned about."

One unsurprising statistic from the Mobile Security Index: 86% of respondents agree employee behavior is the greatest risk. This is true in general where corporate security is concerned, but it is especially true in the mobile space because devices such as smartphones and tablets may travel with the employee, who may download an application or access a site that "unwittingly invites a hacker into the network," Blair said. "In many cases, these devices store critical information or employees need to access critical information like financial data in some of the verticals we serve today. But employees are also used to using these devices as consumers and they may not always be aware of what the risks are."

Verizon intends to use the Mobile Security Index to increase the awareness of security tools that can protect business data and operations today including device enrollment programs it has with Apple, Samsung and Google, mobile device management and mobile threat detection software.

Device enrollment programs allow an enterprise to specifically document the mobile devices it purchases and ensure that they have mobile device management software. The device isn't usable until it passes authentication tests, Blair says.

"Right there you are securing a brand new digital asset before you are allowed to touch the network or put business critical information on it," he comments.

Mobile device management also allows the corporation to control what features and functionality an employee can access on the corporate device, through policies, and prohibit risky things such as accessing unsecured WiFi.

"You can also set up custom application stores so you can manage what applications employees are allowed to download on that device," Blair says. "In many cases, if it is a business specific use, such as a tablet in retail store, you want to completely lock down that device, so only business applications are allowed to be use and an employee couldn't be using it to surf YouTube or Netflix after hours."

In what has become a sad cliché of many security surveys, this one shows that many businesses who claim to care about security aren't even doing the basics to protect themselves, such as changing default passwords, implementing two-factor authentication or imposing policies that limit riskier behaviors.

"The door is wide open in a few of these areas," Blair says.

— Carol Wilson, Editor-at-Large, Light Reading

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9376
PUBLISHED: 2020-07-09
** UNSUPPORTED WHEN ASSIGNED ** D-Link DIR-610 devices allow Information Disclosure via SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1 to getcfg.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2020-9377
PUBLISHED: 2020-07-09
** UNSUPPORTED WHEN ASSIGNED ** D-Link DIR-610 devices allow Remote Command Execution via the cmd parameter to command.php. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2020-5604
PUBLISHED: 2020-07-09
Android App 'Mercari' (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remoto attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView.
CVE-2020-5974
PUBLISHED: 2020-07-08
NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in its installation scripts in which permissions are incorrectly set on certain directories, which can lead to escalation of privileges.
CVE-2020-15072
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.