Remote work/remote access means a larger attack surface — and the inability to “disconnect” from work may be a factor
With the rise of remote and hybrid work, companies are more reliant than ever on mobile devices, and those devices are, increasingly, the main route that employees use to access sensitive company information. This is leading to more security breaches being associated with mobile devices.
“Companies are … struggling,” the report says, adding that nearly four-fifths of respondents reported that “recent changes to working practices had adversely affected their organization’s cybersecurity.”
The report is based on an April 2022 survey of more than 600 people responsible for enterprise security strategy, policy and management, plus interviews with C-level experts and contributions of information, incident and usage data from nine companies involved in mobile device security.
“For many, mobile devices are no longer a secondary device,” according to the report. “Many employees now have access to much of the same data—customer lists, banking details, employees’ personal data, billing information, etc.—and systems— messaging, enterprise resource planning (ERP), etc.—via their mobile devices as they would sitting at a desktop in the office. This means that the compromise of a mobile device can now pose a significant risk to customer data, intellectual property and core systems.”
With mobile increasingly viewed as “critical to business operations,” it’s getting more attention from cyber attackers. “From coordinated state-sponsored campaigns to unfocused, opportunistic criminal exploits, the volume of attacks is going up,” according to the report, adding that “Mobile devices are an attractive target” even if survey respondents still frequently believe that mobile devices are of less interest than other IT assets.
Verizon’s survey found that 45% of respondents said that their organization “had been subject to a security incident involving a mobile device that led to data loss, downtime or other negative outcome.” 73% of those described the impact as “major” and 42% said that it had “lasting repercussions.” In the previous report, fewer than half of mobile device security breaches were described as major and only 28% were reported as having lasting repercussions.
More than half of CISOs across all regions reported that targeted attacks on their organizations are up since mass hybrid working has been adopted. Big and small enterprises have different perceptions: only 48% of large enterprises (with 5,000+ employees) say that targeted attacks are up, but nearly 60% of companies with 500 or fewer employees say so.
Interestingly, a section of the report delves into the difficulty that some workers have in “disconnecting” from answering work emails and messages at all hours of the day, and new regulations in some countries that require that companies have an enforceable “disconnected” time. While that might seem like a quality of life issue, the report says that there is a direct connection with cybersecurity. Mobile devices already “can make it harder to spot an attack like a phishing email” because of limits on additional URL information that are easier to access on a laptop or desktop browser. “Tired or distracted employees are also more likely to tap on something that they shouldn’t,” the report adds.