In a surprising twist, nearly three-fourths of organizations in a new study say they experienced a data breach via mobile -- either malware-rigged mobile apps, vulnerable apps, or unsecured WiFi connections.
The new data comes from an IDG study commissioned by mobile security firm Lookout, which says the numbers came as a shock to them as well. "The most surprising results to us were that 74% said they had already experienced a data breach as a result of mobile" issue, says Aaron Cockerill, vice president of products at Lookout. "A lot of breaches globally are frequently attributed to infrastructure in the corporation, LAN … There's never really been a huge data breach attributed to mobile devices."
Of the 100 executives from companies with an average of 23,000 employees and mainly from technology, financial services, and manufacturing industries, 82% say most of their corporate data is accessible via users' mobile devices.
Some 38% say their companies suffered data breaches via vulnerable mobile apps; 36% via malware-rigged mobile apps; 30% via unsecured WiFi; 30% via rooted and jailbroken devices; 28% via apps that send or access sensitive data; and 15% from apps downloaded from non-official app stores.
To date there has been little evidence of mobile serving as a primary attack vector for breaches, with the exception of some nation-state attacks. While mobile vulnerabilities and malware are abundant and emerging regularly, most attackers still stick with the tried-and-true desktop attack.
Verizon, meanwhile, says it's still not seeing an uptick in mobile as an attack vector in data breaches. "We continue not to see mobile assets within the event chains of the incidents that are in our current data set, which represents a slice of actual 2015 incidents," says Marc Spitler, managing principal and co-author of the Data Breach Investigations Report, Verizon Enterprise Solutions. "Keep in mind that Verizon’s data breach investigations series focuses on how often these issues occur in the real world. Our real-world data does not support the 74 percent affirmative responses in this survey."
[BYOD may be a big fat security and management headache for the business world and mobile malware is on the rise, but the reality is that so far, hackers aren't employing mobile malware for cybercrime or cyber spying purposes. Read Verizon DBIR: Mobile Devices Not A Factor In Real World Attacks.]
That doesn't mean you should ignore mobile security or assume it won't become a problem, he says. Spitler says while mobile is not a major culprit for cyberattacks thus far, it's best to prepare for that to change. Organizations "should build processes and policies and controls now, before the threat rate increases," he says.
Lookout's Cockerill says the new data may be jolting, but it's "not a sign the sky is falling." However, he maintains that Verizon and other reports may not provide a full picture of the highly targeted attacks Lookout sees. "We believe what we're seeing and what we know from last year, is a dramatic increase of sophisticated local attacks … targeted at gathering important information," he says.
Meanwhile, Windows PCs make up about 80% of all mobile network infections. The overall infection rate for mobile devices jumped from 0.50% to 0.75% in late June mainly due to Windows PCs that are tethered to mobile WiFi devices, hotspots, and smartphones getting hit with a spike in malicious adware, according to Alcatel-Lucent's Motive Security Labs.
Aside from Verizon's discounting mobile as an attack vector in data breaches in its Data Breach Investigations Report this year, security firm Damballa Research recently summed up the reality of mobile threats this way: users are 1.3 times more likely to get struck by lightning than to be infected with malware, according to Damballa's data.
Lookout's Cockerill dismisses the argument that the bad guys target desktops over mobile devices because they're easier to infect. "I'm not convinced that it's necessarily harder to [attack via] mobile," he says. Many users are primarily working off their mobile devices today, anyway, he says.
"The reason you've not seen widespread" mobile attacks, he says, is attackers are following the valuable corporate data. "Data is only just starting to … move onto those mobile devices."