Study Finds Organizations — And Users — Do Not Prioritize Mobile Security

A Look At How One University Copes

Esther Shein

When it comes to prioritizing mobile security in the enterprise, the bad news is that organizations are not. Rather, speed and profits are of greater concern than mobile security for almost one-third of respondents, according to Verizon Wireless’ 2018 annual Mobile Security Index.

The study of 600 mobility professionals also found that 85 percent of companies say businesses face at least a moderate risk from mobile security threats, while 26 percent say it is a significant risk. Meanwhile, 74 percent said their mobile risk had increased in the past year, and 73 percent said they expected it to continue increasing this year. If you’re waiting for the good news...there isn’t much.

“Think about that. One in three organizations that we work with, buy from, turn to for healthcare, and that govern the communities in which we live, have put speed and profit before the safety of their data — and our data,” said Thomas Fox, senior vice president of Verizon Wireless Business Group, in a statement. “And that’s just the ones that are aware and willing to admit it. The number could be significantly higher.”

Increased Spending On Mobile Security

Perhaps the somewhat good news, however, is that IDC projects worldwide spending on digital security-related products and services will increase from $83.5 billion in 2017 to $119.9 billion by 2021.

"Three overarching trends are driving security spending: a dynamic threat landscape, increasing regulatory pressures, and architectural changes spurred by digital transformation initiatives," said Sean Pike, program vice president for IDC's Security Products and Legal, Risk, and Compliance programs. IDC expects spending to continue growing, he added, but said organizations continue to actively search for product and service efficiencies that maximize their expenditures "in order to fully address such complex challenges."

Following Security Recommendations

Another eye-opening finding from the Verizon study was that when respondents were asked about four fundamental security precautions (change all default passwords, encrypt the transmission of sensitive data across open public networks, restrict which apps employees download from the internet to their mobile devices, regularly test security), the survey found that only one in seven companies followed all four recommendations.

These issues are something Bob Turner takes seriously. Turner, chief information security officer at the University of Wisconsin-Madison, is tasked with managing some 100,000 endpoint devices — which he defines as anything that is not a switch or router. This includes laptops and smartphones, IoT sensors, surveillance cameras, tower servers, cloud/virtual components, classroom and network-connected printers, access control systems, imaging devices, and mobile display devices around campus.

Recently, IT started an endpoint management initiative to “rationalize the endpoints we have and tools we have in place,” says Turner, who is also director of the Office of Cybersecurity, Office of the CIO and Vice Provost for Information Technology, and an Enterprise Mobility Exchange contributor.

IT is currently piloting a mobile device management platform to figure out how best to identify all endpoints, whether direct connections, corporate-owned mobile devices or BYOD. This is a multi-year effort, he adds.

“My Cybersecurity Operations Center team runs a daily play that examines traffic and indications of compromise that our tools show,” says Turner. “That play takes several staff hours per day, depending on the volume.”

Students, faculty and researchers often make managing mobile endpoints more of a challenge. But Turner says his team has worked to make people savvier, so they don’t fall prey to phishing schemes that lead to ransomware demands.

“We have a community that understands the value of data and they are highly sensitized to social engineering through phishing,” he says. “Our recent testing in this area shows that less than 5 percent of those receiving the test e-mails actually respond or click on links within the phish.”

Generally, users understand the need for security — with some coaching required to ensure compliance, he adds.

Best Practices For Mobile Security

Turner suggests some improvements, such as users managing their passwords; using sound data storage practices; appreciating the value of the security controls offered; and communicating when they are not sure of the right application of policy and tools.

He is not surprised by the Verizon study findings, and says security is one of many considerations higher education leaders need to address as part of the business of teaching, learning, research, and outreach.

“It does not surprise me that trade-offs are made to ensure the classrooms continue to learn and research continues to make new discoveries,” he says. “While not in a ‘continuous state of crisis,’ cybersecurity becomes a concern when the availability of data or information systems interrupts the business.”

Turner has deployed a set of best practices for protecting mobile users at the university. The biggest one is to funnel mobile users through a common set of network-based security controls (firewall, intrusion detection and intrusion prevention) and application-level security processes, he says.

“We are also improving our security awareness and training programs to promote better cyber hygiene — that awareness is common between mobile users and directly connected network users.”