While data breaches make great headlines, what is often missing from those reports is how the attackers got into the organization in the first place. Mobile devices can be a critical part of any cyber attack.
Based on a study of 588 IT and security leaders at Global 2,000 companies, a new report by the Ponemon Institute and Lookout examines the risk introduced by employees accessing increasing amounts of corporate data via their mobile devices and assigns a cost to a mobile-related breach.
The report found that for an enterprise, the economic risk of mobile data breaches, including direct operational costs, as well as potential maximum loss from non-compliance and reputational damage, could be as high as $26.4 million.
It also found that a mobile data breach is more common than many may think. 67 percent of organizations report having had a data breach as a result of employees using their mobile devices to access the company’s sensitive and confidential information.
With an average of 3 percent of employees’ mobile devices infected with malware at any point in time, that’s more than 1,700 mobile devices in a typical organization connecting to an enterprise network every day.
Underestimating the impact of a mobile data breach
Another key issue revealed in this report is IT and security leaders’ gross underestimation of just how mobile their employees have become. Take customer records, one of the most at-risk types of data: on average, IT believes that 19 percent of employees can access customer records via mobile while 43 percent of employees say they have access to that data. With mobile data breaches happening in the majority of enterprises today, this visibility gap introduces unacceptable risk.
Mobile access to corporate data is rising rapidly
- Mobile access to corporate data increased 43 percent from 2014 to 2015
- Fifty-six percent of data accessible on PCs is also accessible on mobile devices
- Mobile data access is expected to increase at least 50 percent in the next 2 years.
Employees’ mobile devices are already causing costly data breaches
- Two thirds (67 percent) of respondents say it was certain or likely that their organization had a data breach as a result of employees using their mobile devices to access the company’s sensitive and confidential information
- Indeed, an average of 3 percent of employees’ mobile devices are believed to be infected with malware at any point in time. In an average Global 2,000 enterprise, that’s more than 1,700 infected devices connecting to the global network every day
- An average enterprise spends up to $16.3 million per year, or $9,485 per infected device, to investigate, contain, and remediate mobile malware-based attacks
- A majority of threats are not being addressed. In an average enterprise, only 26 percent of devices are investigated and triaged, meaning there are more than 1,200 infected, but overlooked, devices in an enterprise at any given time
- If all 1,700+ malware infected devices were investigated and triaged, the average cost to the enterprise could be as high as $26.4 million.
Mobile security is largely a blind spot
- Only 36 percent of respondents say their organization is vigilant in protecting sensitive or confidential data stored on or accessed by employees’ mobile devices
- This may be because IT grossly underestimates employees’ level of mobile access to corporate data
- There is evidence that this will change, with mobile security budgets projected to grow 37 percent in the next year.