COVID-19 brought the world online, with businesses embracing the work-from-anywhere model to its fullest extent. However, the Verizon Business Mobile Security Index (MSI) 2021 has raised the issue that many businesses have left themselves vulnerable and open to cybercriminals in their rush to ensure their workforce could work remotely – with 40% of businesses identifying mobile devices as their company’s biggest IT security threat.
According to GSMA’s The Mobile Economy Asia Pacific 2020 report, Asia Pacific will be home to 2.7 billion mobile internet users by 2025 – reflecting the huge impact mobile devices could have on a business’s security given the considerable number of devices.
Moreover, Kamal Subramaniam, Verizon Threat Research Advisory Centre – Asia-Pacific, shared that the growing number of remote workers as more organisations embrace a hybrid work arrangement, and the increasing number of employers using their personal devices to access corporate data, are also factors that contribute to the threat mobile devices pose to IT security.
“They might actually be doing so through unsecure networks, apps and mobile devices and this has serious implications on IT security for organisations in the region. True enough, more than one in five global respondents surveyed in our Mobile Security Index (MSI) 2021 had experienced a compromise involving a mobile device in the preceding 12 months,” said Subramaniam.
Yet despite companies identifying mobile devices as their biggest IT security threat, mobile security is not a priority for businesses.
Subramaniam attributes this to organisations being confident that their defences will spot compromises and misuse quickly – despite not having the most basic precautions in place, such as changing all default or vendor-supplied passwords, encrypting sensitive data, restricting data access, and regularly testing security systems and processes.
He also pointed out that the pandemic left a significant impact on organisations as they had to quickly adapt to a sudden remote working environment, and illustrated the impact with results from their MSI 2021 study:
- 24% sacrificed the security of mobile devices to facilitate their response to restrictions put in place due to the pandemic
- 58% said that they struggle to accommodate varying mobile demands from across the organisation
- 56% said that cybersecurity challenges are suppressing their digital transformation
“That said, I think it’s encouraging to see that organisations are increasingly realising the importance of mobile security where 50% indicated that mobile device risks are growing faster than others. In fact, 81% of respondents agreed that organisations need to take the security of mobile devices more seriously,” said Subramaniam.
“With remote working here to stay, there is no doubt a greater need for organisations to treat identity as the new security perimeter and consider a data-centric security model to scale more effectively.”
Safeguards against mobile security threats
To protect against cyber threats associated with mobile security, Subramaniam recommends the following policies for organisations:
- Deploying zero trust network access (ZTNA) – the thinking behind ZTNA could be explained as “trust no one.” Resources are hidden and only accessible through a trust broker. Three simple steps include verifying users, validating devices and limiting access.
- Acceptable use policies – outline when, where and why employees can connect their mobile device to your company's network. They also specify responsibilities for BYOD users, including ensuring that personal and business devices are not used interchangeably and that business exchanges are to be performed strictly on the company device.
- Establishing encryption policies – ensures that confidential data cannot be stored on unencrypted devices (or on any personal mobile device at all).
- Improving password security – consider establishing a policy where passwords expire every 60 to 90 days and must be changed, along with setting character length and combination requirements. The IT team should also consider two-factor authentication to increase security.
- Setting guidelines for technical updates – cyber criminals can enter systems because devices haven't been updated with the latest security patches. To reduce security vulnerabilities, organisations can adopt a threat protection solution and encourage employees to regularly update the software on their personal devices.
- Adopting a security-first approach to user training – emphasising the consequences of mobile device misuse, loss or theft will give employees a greater incentive to follow corporate policy.
Future of the mobile security landscape
Subramaniam maintains that mobile risk is high and will continue to grow, with 50% of respondents finding that mobile device risk is growing faster than any other category, and 70% saying that it had measurably increased for their company during the pandemic.
“Last year, due to the sudden pivot to a remote workforce, 45% of respondents revealed that they have knowingly sacrificed the security of mobile devices to ‘get the job done’ (e.g. meet a deadline or productivity targets),” said Subramaniam.
“In the next two years, with most organisations already adapted to the new norm and looking to accelerate business recovery and growth, we expect that organisations will sharpen their focus on futureproofing their operations by implementing robust mobile device security policies.
“Additionally, with the emergence of new security models that recognise the mobile-first, cloud-first reality of modern business, we believe that mobile device security will improve. While it is still early days, we expect these models to rapidly gain ground in Asia Pacific.”