February 23, 2016
A Mobile Data Breach Could Cost an Enterprise $26.4 Million
SAN FRANCISCO, February 23, 2016 -- Lookout, the global leader in mobile security, in partnership with Ponemon Institute, an independent research company focused on privacy, data protection, and information security, today released The Economic Risk of Confidential Data on Mobile Devices in the Workplace. Based on a study of 588 IT and security leaders at Global 2,000 companies, this report examines the risk introduced by employees accessing increasing amounts of corporate data via their mobile devices and assigns a cost to a mobile-related breach. While data breaches make great headlines, what is often missing from those reports are the details on how the attackers got into the organization in the first place. This new research from Lookout and Ponemon reveals that mobile devices can be a critical part of any cyber attack.
The report found that for an enterprise, the economic risk of mobile data breaches, including direct operational costs, as well as potential maximum loss from non-compliance and reputational damage, could be as high as $26.4 million. It also found that mobile data breaches are more common than many may think. Two-thirds (67 percent) of organizations report having had a data breach as a result of employees using their mobile devices to access the company’s sensitive and confidential information. With an average of 3 percent of employees’ mobile devices infected with malware at any point in time, that’s more than 1,700 mobile devices, in a typical organization, connecting to an enterprise network every day.
"While many organizations still consider it ‘early days’ in their mobile deployments, this does not mean they should be ‘early days’ in their security," said Craig Shumard, former Cigna CISO and current cybersecurity advisor. "It's never been more clear that mobile devices can be a critical part of the attack equation. With the rise in access to corporate data via mobile devices, those devices will become bigger targets for the bad guys. And the cost to the enterprise will only increase."
Another key issue revealed in this report is IT and security leaders’ gross underestimation of just how mobile their employees have become. Take customer records, one of the most at-risk types of data: on average, IT believes that 19 percent of employees can access customer records via mobile while 43 percent of employees say they have access to that data. With mobile data breaches happening in the majority of enterprises today, this visibility gap introduces unacceptable risk.
“As the Lookout/Ponemon research shows, employees are dragging companies into the mobile era,” said Aaron Cockerill, VP of Products at Lookout. “In 2016 and beyond, enterprises need to focus on introducing mobile security measures that safely enable productivity on mobile devices, rather than stop people from working the way they want to.”
Highlights from The Economic Risk of Confidential Data on Mobile Devices in the Workplace include:
Mobile access to corporate data is rising rapidly.
- Mobile access to corporate data increased 43 percent from 2014 to 2015.
- Fifty-six percent of data accessible on PCs is also accessible on mobile devices.
- Mobile data access is expected to increase at least 50 percent in the next 2 years.
While IT is still defining mobile risk, employees’ mobile devices are already causing costly data breaches.
- Two-thirds (67 percent) of respondents say it was certain or likely that their organization had a data breach as a result of employees using their mobile devices to access the company’s sensitive and confidential information.
- Indeed, an average of 3 percent of employees’ mobile devices are believed to be infected with malware at any point in time. In an average Global 2,000 enterprise, that’s more than 1,700 infected devices connecting to the global network every day.
- An average enterprise spends up to $16.3 million per year, or $9,485 per infected device, to investigate, contain, and remediate mobile malware-based attacks.
- A majority of threats are not being addressed. In an average enterprise, only 26 percent of devices are investigated and triaged, meaning there are more than 1,200 infected, but overlooked, devices in an enterprise at any given time.
- If all 1,700+ malware-infected devices were investigated and triaged, the average cost to the enterprise could be as high as $26.4 million.
Mobile security is largely a blind spot today, but there are signs of improvement.
- Only 36 percent of respondents say their organization is vigilant in protecting sensitive or confidential data stored on or accessed by employees’ mobile devices.
- Perhaps because IT grossly underestimates their employees’ level of mobile access to corporate data. Examples:
  - IT believes 19 percent of employees can access customer records via mobile while 43 percent of employees say they have mobile access to that data.
  - With confidential or classified documents, it’s 8 percent compared to 33 percent.
- There is evidence that this will change, with mobile security budgets projected to grow 37 percent in the next year.
The full report is available for download here. An infographic of the findings can be viewed here.