The adoption of remote and hybrid work models meant increased usage of mobile devices during the pandemic. A Verizon study says companies have become more reliant on mobile devices, and that weak device and home network security upped the risks posed to corporate data and networks. In response, organizations increased their security spending, with a focus on mobile security. But are organizations being too lenient with remote workers, and with inadequate security policies and controls? Are they doing enough to secure devices and networks used by remote workers? Has technology kept pace?
Even before the pandemic, employees asked IT if they could use their personal devices for work. And hence the term “Bring Your Own Device”. Users also began installing their choice of applications, often without official approval – a concept called Shadow IT. This was accelerated as more employees moved out of the office and began working from home or remote locations during the pandemic months. The Verizon Mobile Security Index says that the shift to remote work and increased use of devices resulted in a major rise in cybercrimes.
The increasing reliance on mobile devices by companies is partly driven by the shift toward more hybrid working, said Anshuman Sharma, Head Investigative Response, APJ at Verizon. It also attracts new talent, he says.
The April Verizon study included insights from more than 600 people responsible for security strategy, policy and management, including security practitioners from the industry and C-level experts.
Verizon says that 85% of the people it polled said flexibility in work location and the devices they used would attract “the best new talent”.
At nearly half, 41% of companies allow employees to use their own phones/tablets to access corporate systems and data. A further 41% are considering doing so. Many employees now have access to much of the same data – customer lists, banking details, employees’ personal data, billing information, and core enterprise applications such as message, ERP and CRM – via their mobile devices as they would sitting at a desktop in the office.
Inadequate Policies & Controls
Inadequate controls or provisions in security policies for remote work could lead to data breaches and compromised devices, caused by both poor security on user devices and careless users. A compromise of a mobile device can now pose a significant risk to customer data, intellectual property and core systems.
Nearly half (48%) of the respondents said their organization did not have an acceptable use policy in place.
The report finds that 85% said home Wi-Fi and cellular networks/hotspots are allowed or there is no policy against them, and 68% allow or have no policy against the use of public Wi-Fi.
There is also the risk of employees throwing caution to the wind and downloading unverified apps on the same devices they use for work.
Hundreds of malicious apps in the guise of legitimate apps are showing up on the Google Play Store and Apple App store.
Flashlight, camera, and emoji apps are often used as a ruse application to compromise Android phones in the Google Play Store. For instance, over 3 million Android users were infected by malware catching a ride on legitimate sounding apps. And most users were not even aware of it.
Threat Vector
Tari Schreider, strategic advisor – cybersecurity practice, Aite-Novarica Group, said that mobile devices are an attack vector that is “least thought of by CISOs”. He said it is often thought of as a user issue. “The perception of business vs. consumer security and the potential to violate individual privacy rights contributes to the lack of seriousness of mobile device security,” said Schreider.
Not surprisingly, 45% of companies said they suffered a compromise involving a mobile device in the last 12 months. This has grown at a compounded annual growth of 14% between 2018 and 2022.
Of those respondents, 73% described the impact of the attack as major, and over two-fifths (42%) said that it had lasting repercussions.
Taking note of this, 22% of IT leaders said they wanted their employees to work from the office to establish a better corporate security posture.
Security Investment
With several organizations opting for hybrid working, the trends towards mobile security and securing remote end-point are shifting, said Sharma. Eighty-five percent of companies stated that they now have a budget dedicated to mobile security.
Further, over three-quarters (77%) of respondents said that their cybersecurity budget had increased in the previous 12 months – up from 65% in the previous edition of the report – and close to a third (29%) of those said it had increased significantly.
Agnidipta Sarkar, Digital Resilience Evangelist, Global Group CISO, Biocon said this global trend is not reflected in India for multiple reasons.
“This is not true, at least in India. It is because not all enterprise applications for mobile have moved to the cloud. And the technology has not yet matured to allow for mobile as a service, the equivalent of desktop as a service,” said Sarkar.
He also said the maximum investment is happening “on the protection side” and less “on the recovery side” because recovery technologies on mobile have not yet matured. He confirmed that the investment in mobile security has increased compared to last year.
Improving Mobile Security
Enterprises have been using mobile device management solutions since personal devices were first used in the workplace. But to counter sophisticated mobile threats experts believe one also has to consider mobile threat defense and mobile security solutions.
Schreider said there are two camps that are competing with each other – one promotes MDM and the other is for MTD or mobile security. The later believe MDM is not security, he said.
“MDM and mobile security must converge into a unified platform. I would rather see companies like Check Point and Zimperium spend more time promoting coopetition with MDR producers to fill the gaps,” said Schreider.
Sharma said companies should adopt a Zero Trust network access approach as it can reduce the reliance on end users making informed and security-conscious decisions. He also recommends the adoption of Secure Access Service Edge architecture.
“Consider using a CASB or secure web gateway to help secure all connections to cloud-based systems,” said Sharma.