The latest Mobile Security Index from Verizon paints a contradictory picture of the mobile security landscape, at least when viewed from the enterprise perspective. The term 'disconnect' is often overused in the cyber-security sector, but for once it's absolutely spot on here. Enterprises confirm that the risks are increasing, yet admit they aren't keeping pace defensively; more worryingly, they are also sacrificing mobile security in order to 'get the job done.'
The report makes for difficult, but all too familiar, reading if you are a security professional. Just look at some of the headline statistics:
83 percent agreed that their organisation was at risk from mobile threats, with 29 percent rating that risk as significant.
67 percent are 'less confident' regarding their mobile asset security than concerning other devices.
48 percent (up from 32 percent last year) admit to having 'sacrificed security' in order to 'get the job done' and of these, 46 percent (24 percent last year) had gone on to suffer a compromise as a result - and 62 percent of those compromises were described as major.
43 percent said they felt that remediating a mobile-related compromise was difficult and expensive.
"Companies are increasingly reliant on mobility as the backbone of their business operations so there needs to be a priority on securing those devices," according to TJ Fox, President of Business Markets with Verizon, who added that "the lack of robust security measures could potentially expose corporate assets, and possibly customer data, to malicious actors."
That would appear to be pretty much self-evident on both fronts, so why is there such an enterprise disconnect between the threat these devices pose and the mitigation strategy that is implemented? Tom Kranz, Director of the Cyber Lab at 6point6, blames the rise in consumer devices, which has "brought consumer expectations and behaviours" into the enterprise. "Open systems, constantly updated, that are treated largely as disposable, with implicit trust in vendors and applications," Kranz explains, adding that "the advantages of BYOD for the enterprise have won out over the security concerns." Meanwhile, Jason Revill, UK&I Security Consulting Lead at Avanade UK, points out that the disconnect comes about thanks to roadblocks in the approach to security. "Businesses want to manage these devices but often they aren't even owned by the business," Revill says, continuing, "so why would a user submit their own device to be managed? What is the incentive?" Ed Macnair, CEO at CensorNet, sums it up succinctly enough: he told SC Media UK that there remains a disconnect between the threat that mobile devices pose to enterprises and the actions taken to mitigate them "largely because many find the problem too vast to tackle."
So, what needs to be done to turn this around - not in terms of product x or y, but in persuading the enterprise to pull its finger out and actually start mitigating the obvious mobile risk it faces? "Establishing a secure enterprise involves creating visibility across the whole IT environment," says Marc Sollars, CTO of Teneo, who continues, "and that requires as much attention to mobile devices as any other system." Indeed, and that attention should start with "first understanding how employees want to work," Ojas Rege, Chief Strategy Officer at MobileIron, insists, adding "and to use this as the foundation upon which to build the rest of their mobile security strategy." And that strategy should focus on securing the network rather than individual devices, according to Wallace Sann, VP of Global Systems Engineering at Forescout, who told SC Media UK that "a comprehensive visibility model that monitors device activity on a network will help prevent any device becoming the weak link in a company’s security posture."
Let's leave the last sage words with Jake Moore, cyber-security specialist at ESET, though: "better awareness is required, plus use cases for the board, to realise that cyber-security is an investment rather than an expense..."