Introduction:
About 45% of organizations sacrificed mobile security for expediency last year, according to the Fourth Annual Verizon Mobile Security Index. Surprisingly, the number of organizations that experienced a security compromise dropped to 23% last year, a slight decrease from 27% in 2018.
The Verizon Mobile Security Index is based on interviews with 865 business professionals located in the US, UK, and Australia. These professionals are responsible for the purchase and management of mobile and IoT devices for their organizations.
Cutting corners to cope:
With VPN and Wi-Fi connectivity inconsistent and unreliable for remote employees during the pandemic, mobile devices and cloud applications quickly picked up the pace. IT teams are still under pressure to provide greater access privileges to less secure mobile devices that operate on the network but that companies don’t own.
IT supports a wider variety of remote workers than before, from commuters to road warriors in sales and service, which increases the time pressure on IT teams. Taking all these factors together, it is easy to understand why mobile devices are the most vulnerable across the threat landscape.
Approximately three-quarters of IT teams (76%) have been asked to relax security policies so that employees can meet deadlines and achieve business goals. Verizon’s index reflects the conflict IT teams face between protecting mobile assets and helping employees accomplish their tasks. IT teams recognize that mobile devices pose a significant risk to the organization: 40% named mobile devices as the biggest security risk, and 50% said that risks from mobile devices are growing faster than other threats.
Prioritizing getting basic protections right:
As part of its mobile security index, Verizon monitors the number of companies that have four basic protections in place: changing all default or vendor-supplied passwords, encrypting sensitive data when it is sent across open networks, restricting access to data on a need-to-know basis, and testing security systems and processes regularly.
Even though these four items are considered security fundamentals, the index found that only 9% of the organizations followed all four protections. But the average from previous years was only 12%. About 49% said they tested the security systems and processes regularly, but 39% regularly changed passwords or restricted data on a need-to-know basis. Even more worrisome is that 15% did not have any of these four protections in place.
Last year was challenging for companies that rely on legacy trusted and untrusted domains to protect the rapidly growing number of mobile devices that need to be mapped into domains. And this situation won’t change anytime soon. Organizations have to treat identity as the new security perimeter and consider a data-centric security model for more effective security.
BYOD gets a second chance:
When the pandemic hit, organizations realized that they did not have enough laptops and tablet devices for their workforce. There was an acute laptop shortage, with lead times of 16 weeks or more for many models. This is because manufacturers had shut down production and faced disruption in their supply chains. Certain pressure points in the last year exposed glaring security weaknesses that organizations currently exhibit.
Too few have basic protections right, but the Verizon mobile security index shows other ways to improvise. Over the past year, 36% of organizations opened access to corporate resources and systems to employees who use their own devices, according to Verizon. The mobile security index tracks both BYOD (bring your own device) and BYOPC (bring your own personal computer). This shows that many organizations considered BYOD and BYOPC feasible options this year.
More than 25% of organizations reported allowing BYOD, while less than 25% of organizations supported BYOPC. The two most important elements of BYOD and BYOPC strategies for any virtual network are to provide secure access to company applications, databases, and internal systems. The risk of large-scale data breaches is huge if secure access is not correctly provided.
The Cybersecurity Framework from the National Institute of Standards and Technology (NIST):
The Cybersecurity Framework from the National Institute of Standards and Technology (NIST) makes a strong case for zero-trust frameworks. These frameworks are for data-centric security in organizations that rely heavily on BYOD and BYOPC. Implementation of a zero-trust framework requires mobile device management (MDM) and unified endpoint management (UEM) to secure the endpoints.
Having a unified endpoint management platform that supports BYOD and BYOPC devices helps ensure that every endpoint can self-diagnose and self-remediate.
Leading providers of MDM and UEM solutions include Ivanti, Hexnode, ManageEngine, and Sophos. Identities are the new security perimeter, and zero trust in a mobile-first, cloud-first IT environment is a clear path forward.