Business leaders had a lot on their plates over the past year, and many have let cybersecurity fall by the wayside.
Nearly half of businesses say work-from-home policies have hurt their cybersecurity practices, according to Verizon’s (VZ) 2021 Mobile Security Index, published Tuesday. The report includes findings from a survey of 856 professionals responsible for buying, managing and securing mobile and internet of things (IoT) devices for companies.
The results are pretty dismal if not terribly surprising — 45% of respondents say their companies are sacrificing mobile security to just “get the job done.” Last spring’s rapid transition to remote working was a huge undertaking for IT teams, and a number of high-profile security breaches last year exposed the challenges of securely running a remote team.
The WFH cyber-threat
Considering the potential cybersecurity pitfalls of working from home is especially important as many companies consider maintaining a remote working model either full- or part-time even after the pandemic ends.
“The pandemic caused a global shift in the way organizations operate … While businesses focused their efforts elsewhere, cybercriminals saw a wealth of new opportunities to strike,” Verizon Business Chief Revenue Officer Sampath Sowmyanarayan said in a statement. “With the rise of the remote workforce and the spike in mobile device usage, the threat landscape changed, which for organizations means there is a greater need to hone in on mobile security.”
Employees are increasingly using mobile devices for key work purposes — maybe checking a text from their boss on their smartwatch while on a morning walk or updating a spreadsheet on their phone while waiting for a Peloton class to start.
While cybersecurity risks can take many forms, mobile devices present unique challenges. Phishing attacks may be more successful on mobile devices, because the smaller screen can make it harder to notice malicious emails or websites designed to imitate legitimate ones. Mobile devices are also easier to lose or have stolen than, say, a laptop, which in turn could lead to loss of critical data and productivity.
As growing numbers of companies adopted cloud-based platforms during the pandemic, mobile devices could also be exploited to steal log-in credentials and data from virtual work systems, the report says.
More than one in five companies surveyed said their mobile-device security was compromised in the preceding year, involving the loss of data or operations disruptions. And two-thirds of respondents said that mobile device-related risks increased in the past year.
“Companies are still failing on the basics,” the report said. Those basics include such simple protections as encrypting sensitive data across open, public networks and restricting access to data on a “need-to-know” basis.
Bad guys get smarter
And even as companies scramble to improve their cybersecurity practices, bad actors are upping their own games.
“[Cybercriminals] are getting increasingly creative at finding new ways to fool users, break through companies’ defenses and compromise organizations’ systems and cloud-based apps,” the report states. Mobile phishing attempts, for example, increased by 364% in 2020 compared to the prior year.
And while phishing — an attack wherein bad actors impersonate a legitimate company, service or person in order to steal sensitive data or install malware on a user’s device — presents a huge threat, almost half of US employees don’t know what it is, according to a separate study from security software firm Proofpoint. That suggests companies still have much work to do in equipping workers to avoid threats.
There is a range of steps companies can take to protect themselves, and many services are available to help with this. But some firms just need to start with the basics: Nearly half of companies don’t give employees regular training on mobile-device security, according to the Verizon report.
“Teach your employees how to spot signs of phishing—being suspicious is good,” it states. That should include checking that a sender’s email address matches who the message purports to come from, watching out for misspelled links in emails and being suspicious of incoming phone calls from unfamiliar numbers.
“And, of course, it should be a rule to never supply login credentials or personally identifiable information in response to any emails or calls,” the report states.