Verizon’s 2020 Mobile Security Index Report – Verizon Says Business Security Compromises Increased 33 Percent for Mobile Since 2019
Verizon released its third annual Verizon Mobile Security Index (MSI) Report. The data in the 2020 MSI Report is a collaborative effort with data collected from over 800 respondents and eleven industry and law enforcement agencies, including the US Secret Service. Mobile security is not a new issue. Productivity apps and cloud computing give mobile devices increased capabilities, allowing employees to stay connected, giving users more remote capabilities, and becoming more important to everyday operations. However, convenience and productivity present cyber security risks and concerns. Employees need to adhere to user policies that keep mobile devices and apps safe.
Cyber security incidents are on the rise. Since Verizon’s first Mobile Security Index report in 2018, the percent of companies reporting a compromise has gone up forty-one percent. In 2018, twenty-seven percent of the companies surveyed reported that they had suffered a security compromise involving mobile internet connected devices during the previous year. By the time the 2019 report was issued, that number had grown to 33 percent. And 39 percent of companies reported 2020 annual Verizon MSI report that they had a security incident.
Even though enterprise level companies know the risks involved with mobile security and making poor decisions to ignore or override security policies, they still do so. This decision leaves them twice as likely to be hacked. But hackers attack companies of all sizes as well as individuals. No business is too small and no one should think they are exempt from security protocols because they feel they are somehow off hackers’ radar.
Many companies got mobile device security wrong since the previous MSI report. Almost half of companies felt it was acceptable to lower security standards because employees were inconvenienced by speed issues. It’s true that using multi-factor security authentication and a virtual private network can slow down the login process, but it’s for good reasons. Apparently, many employees felt inconvenienced by security measures. It’s true that employees are often hurried to check emails or message their office as soon as they land at an airport, but public WiFi like that found in airports, hotels, and coffee shops are easy targets for hackers waiting to collect usernames, logins, and passwords. With the average person reusing the same password across multiple account logins, if a hacker can get one email and password combination – from a social media account – they may easily work their way up to something more valuable like a bank account, work email, or corporate Dropbox account.
Reasons Why Companies Take Risks with Security
- Speed outweighs security (62 percent)
- Convenience (52 percent)
- Profitability (46 percent)
- To meet deadlines or productivity targets (43 percent)
- Lack of Budget (27 percent)
- Lack of Expertise (26 percent)
Social engineering Attacks
According to the US Secret Service, the average monetary loss from a business email compromise (BEC) attack is nearly $130,000. Social engineering is one of the most common tactics used by hackers to begin a cyberattack. With social engineering the hacker gathers information about the target from publicly available information like that found on social media, LinkedIn profiles, and corporate websites. Phishing emails with some personalized content are sent with the intent of gleaning even more data. Hackers use all the information to collect even more details about the target. For example, a hacker might get the name of a target’s supervisor from their LinkedIn profile and their phone number from a corporate website. Phishing emails and business email compromises are two forms of social engineering that are commonly deployed by attackers. Globally, fifteen percent of enterprise users responding the survey reported a mobile phishing link in the third quarter of 2019.For the United states, that number was slightly higher with eighteen percent reporting a phishing attempt.
Other Consequences of Compromises
- Loss of data
- Compromose of other devices
- Reputation damage
- Regulatory penalties
- Loss of business
Twenty-one percent of enterprise level companies that reported being compromised said that an app installed on the mobile device played a part in the incident. And twenty percent said the use of pubic WiFi was a factor in the compromise, but just over half (52 percent) did not prohibit employees from using insecure WiFi hotspot on their mobile devices.
Eighty-three percent of respondents are concerned about security in the event a mobile device is lost or stolen.
How to Protect Mobile Devices
Lowering security standards often comes with consequences. It is cybersecurity best practices to establish a mobile device security policy and crisis response before your company needs it.
- Establish a written acceptable use policy (AUP) for all company owned devices
- If bring-your-own device is allowed, a company AUP should specify the type of devices, update policies, what networks can be used, and what apps users can install
- Train employees to recognize risks – like connecting to public WiFi – that compromise their device’s security and that of the entire company
- Train employees to spot phishing emails, malicious attachments, and fraudulent websites
- Enforce the use of strong passwords
- Use biometric logins or two-factor authentication for all devices and accounts
- Restrict user permissions to necessary access levels and nothing more
- Block apps from being downloaded outside official app stores
- Install security updates as soon as they become available
- Change all default usernames and passwords set by the manufacturer or supplier
- Don’t reuse the same password on multiple devices
- Implement procedures to lock down and isolate vulnerable, compromised, lost, or stolen devices
- Use a mobile device management solution to simplify patch management
- Use malware apps to protect devices against threats
- Require the use of a virtual private network or (VPN) to protect the device and the corporate network it is connecting to
- Encrypt all data sent over unsecured networks with a quality virtual private network or (VPN
- Block all insecure WiFi networks from accessing corporate resources
- Restrict the use of unvetted cloud apps, especially file-sharing ones
- Limit access to cloud services to devices using trusted networks or a managed VPN service
Michelle writes about cyber security, data privacy focusing on social media privacy as well as how to protect your IoT devices. She She has worked in internet technology for over 20 years and owns METRONY, LLC. Michelle earned a B.S. in Engineering from Rensselaer Polytechnic Institute. Michelle published a guide to Cyber Security for Business Travelers