Two-thirds of organizations think they’ve suffered mobile breaches

Mobile devices are often seen as a potential threat, one that could theoretically put data at risk someday. But a recent survey finds two-thirds of organizations believe they’ve already been hit by mobile malware and breaches.

The joint research by Ponemon and Lookout, a mobile security company, asked IT pros whether they thought they’d suffered a breach due to employees accessing data from mobile devices. The results:

  • 17% said “yes, with certainty”
  • 24% said “yes, most likely”
  • 26% said “yes, likely,” and
  • 20% said “unlikely.”

Only 13% knew for sure that they hadn’t suffered a breach involving mobile devices. (Although given how complicated attack methods and multi-vector attacks are, answering either way with certainty may reflect too much optimism about your incident-response program.)

That could be why more than half (55%) of respondents worried employees have too much work-related information on their mobile devices.

Not just BYOD concern

The solution to mobile data security used to be simple: Companies would either elect not to have BYOD or provide users with secure mobile devices that were company-owned.

Of course we now know there’s no such thing as a completely secure mobile device and that limiting users to accessing information only from the office is unrealistic in most cases.

In fact, as Lookout observes, there are close to 58,344 mobile devices in the average global enterprise, and that’s expected to grow 50% by 2018.

So how are companies addressing these risks?

Variety of methods

Mobile protection comes in a variety of forms, both technical and otherwise. IT pros surveyed said the measures they took to protect data accessible on employees’ mobile devices included:

  • containerization (51%)
  • application whitelisting or blacklisting (47%)
  • identity management (45%)
  • manual policies and standard operating procedures (40%)
  • mobile device management programs (40%)
  • remote locking and wiping capabilities (33%), and
  • password enforcement (29%).

Some alarming statistics, however: According to the survey, 43% of those surveyed used none of the above options (and “other” was an option).

Also, 60% of companies indicated they don’t have policies or standard operating procedures specifically for mobile data. While it may seem like data is data, regardless of where it’s accessed, that isn’t quite the case.

Mobile devices can go missing more easily than most (hence, the “mobile” part of things). And it’s a lot harder to make sure your users are on a secure, up-to-date OS with mobile devices. Therefore, specific security policies for mobile devices are at the very least a good idea, and probably much-needed.

Other steps to take

Some other important steps you’ll want to take:

  • Evaluate and re-evaluate mobile-specific policies and defenses to make sure you’re still protected against common threats.
  • Try to determine which versions of which mobile operating systems are being used in your organization and work on plans to make sure users stick only to the most secure ones.
  • Train users regularly on mobile threats. It’s not enough to put safeguards in to keep them from making mistakes; you’ll want to be sure you’ve actually informed them of what these mistakes could include.