Mobile threats pose negligible risk to enterprise security, says Verizon

Latest Verizon Data Breach Investigations Report suggests mobile threats don't pose a big problem for enterprise security teams after all

The risk posed to the enterprise by mobile threats is “truly negligible”, according to research from Verizon Enterprise Solutions.

The 2015 version of the organisation’s annual Data Breach Investigations Report features insights gleaned from an analysis of 2,100 confirmed data breaches and 80,000 security incidents that have been reported over the past 12 months.

For the first time, this year’s report looked at the issue of mobile security, drawing on further input provided by the team at Verizon Wireless, and concluded that concerns about the risk posed by mobile threats tend to be overblown.

“We stripped away the ‘low-grade’ malware and found the count of compromised devices was truly negligible,” the report stated.

Furthermore, 95% of mobile malware threats persist for less than a month, the report found, while four out of five lasted beyond a week, adding more weight to Verizon’s conclusion that mobile malware is not as big a concern as people may think.

“We’re not saying that we can ignore mobile devices; far from it. Mobile devices have clearly demonstrated their ability to be vulnerable,” the report continued.

“What we are saying is that we know the threat actors are already using a variety of other methods to break into our systems, and we should prioritise our resources to focus on the methods they’re using now.”

True cost of data breaches

In the report, Verizon also claimed to have created a more credible method for estimating the financial cost of a data breach on a per-record lost basis, based on an analysis of 200 insurance claims made by data breach victims.

This is the first time the report has sought to put a figure on the total cost of data breaches, having previously focused on the methods used by hackers to infiltrate networks, such as phishing campaigns and malware propagation techniques.

Unlike other models that seek to establish the total cost-per-record for a data breach, Verizon’s calculation takes into account both the type and amount of data stolen.

This is then used to present users with a range of figures depending on the sensitivity of the information pilfered, with a 95% degree of confidence.

For example, a data breach that results in 10 million records stolen could cost, on average, between $2.1m and $5.2m. However, the report acknowledged that, in extreme circumstances, a data loss incident of this magnitude could end up costing up to $73.9m.

The industry’s preferred method of calculating this kind of figure typically involves dividing a sum of all loss estimates by the total number of records lost, the report states, which returns a figure of around $201 per record lost.

But this fails to take into account “real-world loss data” and, contrary to advice, is often applied to breaches involving 100,000 or more records, claims Verizon.

Where Verizon's formula is concerned, the report acknowledges there is still some room for improvement, particularly given the wide range of figures it returns.

“At least we have improved on the oversimplified cost-per-record approach, and we’ve discovered that technical efforts should focus on preventing or minimising compromised records,” the report stated.

Mike Denning, vice-president of global security for Verizon Enterprise Solutions, added: “We believe this new model for estimating the cost of a breach is ground-breaking, although there is definitely still room for refinement.

“We now know that it’s rarely, if ever, less expensive to suffer a breach than put the proper defence in place.”
