Many enterprises don't prioritize a particular risk unless they perceive that it is an imminent threat. Enterprises' willingness to prioritize threats may also change if they're presented with clear, attention-getting data about a large potential risk.
Low mobile malware encounter rates (the frequency with which a particular type of attack or malware is seen "in the wild") can lead enterprises to believe that the likelihood of losing data via mobile devices is also low.
Malware is just one of the ways data can be compromised on mobile devices
Malicious app-based attacks are not the only way enterprise data can be compromised through mobile devices. The Spectrum of Mobile Risk introduces a new way of looking at risks to sensitive enterprise data on the mobile device. The ways people configure their devices, the networks they connect to, and the apps they use all put sensitive information at risk.
For instance, apps may use permissions that siphon off data and store it on servers that have not been properly secured.
Using the Lookout Security Cloud, which ingests and analyzes device and security intelligence from over 100 million devices, Lookout has found that 30% of apps access the phone's address book, 30% of apps access the user's location, 31% access their calendar, 39% access the microphone, and 75% access the camera. With this much data flowing through applications that not aware of an enterprise's specific data sensitivities, the potential for compliance risk resulting in fines and diminished brand reputation increases.
Data leakage of this type has the potential to cause a headache to the enterprise who has internal and external regulatory compliance standards to maintain.
Out-of-date mobile operating systems provide another non-malicious risk to enterprise data. When employees do not update their operating systems, they leave serious vulnerabilities unpatched, rendering their devices particularly easy to pick off by, say, close-range Wi-Fi hackers. Using the Lookout Security Cloud, Lookout determined 1 in 1,000 iOS devices encounter an app-based threat (i.e., mobile malware), but enterprises need to be cognizant of risks beyond app-based threats. For example, if employees use an older version of iOS, the enterprise may have a risk level that's far higher than the average.
Avoid compliance fines and violations by getting visibility beyond malicious threats
Rather than looking at potential threat vectors, which is the traditional approach to security risk assessment, Lookout recommends a comprehensive and holistic solution that takes into account full Spectrum of Mobile Risk. We use our Mobile Risk Matrix to help enterprises understand the full spectrum of mobile-related risks they face, as it provides a template for beginning this type of analysis.
In this matrix, the horizontal axis spells out vectors: apps, devices, network, and web & content. It's the vertical axis, showing components of risk, that adds a second dimension many companies overlook: In addition to outright threats, there are also software vulnerabilities and behaviors & configurations.
Delving into the matrix, enterprises can see that the app-based threats are just one component of an enterprise's overall risk, comprising risks based on malicious apps that are aiming to steal data, provide unauthorized access, or otherwise wreak havoc. Device configurations, for example, may be of high concern for enterprises. If an employee's Android phone is rooted - of which 5 in 1,000 are, according to Lookout Security Cloud data - it leaves that device far more susceptible to attack later.
Data compromise on mobile is a risk today
Mobile security strategies can not be reliant on juicy stats about mobile attacks taking over the world. In fact, that is just one part of a much larger story of data compromise on mobile devices. Enterprises must consider the all aspects of mobile vectors and components in order to create a full, contextualized picture of the risks to sensitive data. Failing to do so means the company is at a higher risk of sensitive data loss, risking its compliance, and leaving it unable to securely embrace mobile productivity.