Mobile Security Breaches Hit 68 Percent of Firms in the Last Year

The BT survey found that 60 percent of respondents believe the CEO doesn’t take the threat of mobile security very seriously.


Mobile security breaches have affected more than two-thirds (68 percent) of global organizations in the last 12 months, according to a study from BT.

At the same time, more than half of U.S. organizations (54 percent) are more concerned about suffering a mobile security breach in the next 12 months than in the previous year.

The survey also revealed the uptake of bring your own device (BYOD) and corporately owned, personally enabled (COPE) devices is very high, with 98 percent of American organizations allowing employees to use these devices for work purposes. However, one-third (33 percent) of U.S. organizations do not have a BYOD policy today.

In this environment, device security is falling by the wayside: while nearly 150 personal or corporate-owned mobile devices, on average, have full access to a U.S. company’s internal information, more than half of American organizations (57 percent) do not have an enforceable policy governing access for BYOD.

"Shadow IT is one of the issues that businesses are dealing with when it comes to mobile security. At BT, we believe companies should be proactive to overcome this issue," Jason Cook, vice president of security at BT in the Americas, told eWEEK. "Another area that can be challenging for businesses is the paradigm shift from asset-centric policies and controls to a user-centric security model. Access to applications and data follow the user even though the user may be connecting from multiple devices, locations and networks."

Surprisingly, 14 percent of U.S. organizations still do not have password protection, and only half (52 percent) report that their organization has IT security training for all.

Cook said there are several mobile security threats that impact businesses, including devices not being secured with passwords, lost or stolen devices and lack of VPN or firewalled networks.

"However, a significant risk that may be overlooked is the risk of fraud or user impersonation," he said. "As the consumerization of IT increases, so does the risk to businesses of consumer-centric security dependencies such as the reliance on a shared trust model with social networking. Theft of user credentials also significantly increases the probability of a target attack, which is why what we have seen in the news lately can be challenging even for organizations with a strong security program."

Cook explained these breaches have led to financial and reputational damage, and he sees mobile devices as a natural attack vector as businesses enable more mobile access.

In the next three to five years, IT decision makers in the United States expect mobile security risks to increase, including risks of malware infections (48 percent), malicious apps downloaded onto mobile devices (43 percent) and data breach attacks or error resulting from the introduction of mobile (40 percent).

Half of U.S. companies (50 percent) also see the Internet of things as a threat to network security. Beyond malicious attacks, staff attitudes remain a major threat to data security, and the report also revealed that 62 percent of U.S. IT decision makers do not believe that employees take the threat of mobile security very seriously.

Perhaps more worryingly, the report also found that 60 percent of respondents believe the CEO doesn’t take the threat of mobile security very seriously.