For the past four weeks Lookout has dived into a number of key findings straight from the mouths of security and IT professionals you work with every day. This is week four. Check out all of the blogs in the series:
- Week 1: Mobile devices — frequently a part of broader cyber attacks
- Week 2: It’s 9am, do you know where your data is?
- Week 3: How global enterprises are protecting themselves against mobile attack
- Week 4: Straight to costs: What a mobile data breach will do to your bottom line
With the average cost to triage a mobile malware infection at $9,485, IT and security departments could spend a total of $26.4 million annually.
At any given point in time, 3% of mobile devices are infected by malware, according to a 2016 study from The Ponemon Institute. An average enterprise could spend up to 13% of its total IT budget on triaging mobile malware infections alone.
Real people triaging real threats
Over half (54%) of IT and security professionals reported that a mobile malware infection occurred in their organization in the past 24 months, according to the study. Another 12% did not know either way.
Triaging an infection is an expensive task that may involve digital forensics, IT security employee time to perform an investigation, diminished employee productivity while the device/accounts are triaged, and broader potential brand implications if the data breach was widespread.
Despite the impact, IT security departments expect further issues: 65% expect a mobile malware infection to occur in their organization in the future.
Today, typically only 26% of those infections are triaged. This is likely because IT and security departments don’t have the visibility into the risk profile of a device. It is no longer enough to manage mobile devices, knowing what devices connect to a corporate network or access corporate data. Organizations need to know if that device is currently running any malicious or risky applications.
Calculating the cost of mobile malware infections
Here’s the impact of triaging these malware infections on an IT security budget, considering that at any given moment 3% of devices are infected by malware:
As noted before, there are a number of tasks and other issues involved in triaging a piece of malware and remediating the event. The Ponemon Institute calculated these figures based on those tasks and issues, calling them “direct” and “indirect” costs. Here’s how that breaks down:
For the indirect costs, The Ponemon Institute calculated a worst case scenario dollar figure, or the “potential maximum loss” (PML). The following table is an itemized list of those direct and indirect costs:
The budget is there — and increasing
The budget to take care of these threats, and the costs associated, exists. Today’s average enterprise has an IT budget of around $195,000,000, with 14% earmarked for security spend.
Today’s $27,300,000 annual security IT budget is projected to increase to $32,760,000, a 20% jump, in the next year. The current annual budget for mobile security is $4,368,000, set to increase 37% to $5,984,160 in the next year.
This is good news for those departments looking to mitigate mobile risk and gain insight into the general health of the mobile devices accessing sensitive corporate data.
About the Data: The Ponemon Institute surveyed 588 IT and IT security professionals who are employed in Global 2000 companies and the public sector who are familiar with their organization’s management and security of mobile devices used in the workplace. In addition, they have responsibility for monitoring or enforcing the security of mobile devices used in the workplace, including employee-owned devices, also known as BYOD. Get the full report for a detailed explanation of the survey methodology.