Every year, we’ve seen the number of companies suffering mobile security compromises rise, and this year was no exception. Despite everything that’s at stake, many businesses still sacrificed security—and those that did were more likely to have been hit.
Are you ready?
Because more organizations are falling victim. Despite fewer cutting corners.
The problem just keeps getting bigger.
This is the third edition of the MSI, and each year we’ve seen the number of companies admitting to suffering a mobile- related compromise grow.
How much of this can be attributed to increased activity and improved success rates of cybercriminals, or companies becoming more aware of when a mobile device is involved, we don’t know for sure. But our data suggests that each played a part in the increase.
Fewer are cutting corners.
Despite the disappointing increase in the number of companies being hit, we did see a reduction in the proportion saying that they had knowingly compromised security.
However, at 43%, that’s still a lot of companies choosing to cut corners and putting their data, their customers’ information and their key business systems at risk.
Speed outweighs security.
This year, we added questions to find out why companies are knowingly exposing themselves to risks. The need to meet targets was the most commonly stated reason, whether it was time (62%) or money related (46%).
Convenience also came in the top three. This mirrors previous findings that showed a willingness to sacrifice “cumbersome” security processes for the sake of streamlining operations. Lack of budget and expertise trailed way behind.
It seems that many companies still see mobile security as an impediment to their business objectives rather than a business imperative in itself. But attitudes are changing. Eighty-seven percent of respondents said they were concerned that a mobile security breach could have a lasting impact on customer loyalty,1 and 81% said that a company's data privacy record will be a key brand differentiator in the future.
Who is suffering?
Everybody. All verticals were hit, from manufacturing (41% suffered a mobile-related compromise) to the public sector (39%). And companies of all sizes were hit—from small and medium-sized businesses (28%) to those with over 500 employees (44%).
Those that were hit felt the pain.
Two-thirds of those that suffered a mobile-related compromise said that the impact was major.
But it isn’t just the immediate consequences that companies need to worry about. The effects included downtime, damage to reputation and regulatory penalties.But it isn’t just the immediate consequences that companies need to worry about. The effects included downtime, damage to reputation and regulatory penalties. Fifty-five percent of those that said the compromise was major also said they suffered lasting repercussions.
Information, media and publishing companies, as well as financial services companies (both at 53%), were the most likely to say that the impact of the compromise was major, with lasting repercussions. These industries are particularly susceptible to damage to their reputations.
And putting it right took time and money.
Thirty-seven percent of respondents said that the compromise that they experienced was difficult and expensive to remediate. Retailers were the most likely to feel this, with 61% agreeing.
What’s driving change?
Unfortunately, for many organizations, the story is, “Get hacked, improve security.” In the past year, 43% of companies that had suffered a compromise had also significantly increased their mobile security spend. That number fell to 15% for those that hadn’t been compromised. By waiting until their fingers are burned, companies are putting their customer and business data at risk.
If companies aren’t going to be proactive, it increasingly looks like governments and industry bodies are going to force their hands.
Following the passage of the EU’s General Data Protection Regulation (GDPR) in 2016 and California’s Consumer Privacy Act in 2018—they came into force in May 2018 and January 2020, respectively—there’s been increased momentum behind comprehensive privacy legislation worldwide. In the U.S., several states, from Hawaii to Rhode Island, have initiated such legislation. Four other states, including Texas and Louisiana, have set up task forces to look into the issue—see Figure 7.
Twenty-nine percent said they’d suffered a regulatory penalty as a result of a mobile-related security compromise.
Over a third of U.S. residents live in a state where comprehensive privacy legislation has been enacted or is going through the legislative process.
To be considered comprehensive, legislation must include protection for citizens and obligations on organizations. Rights for data subjects include the right to access, the right to be forgotten (data deletion) and the right of correction. Duties placed on organizations include strict opt-in rules, mandatory notification of data breaches and limitations on processing data—including being transparent with subjects about how you will use their data.
Only 33% of companies said that regulatory penalties are a consequence they are worried about, but that could be because governments have given them adequate time to prepare. Sixty-seven percent said that increased regulation had driven them to spend more on security as a whole.
1 Based on survey commissioned for this report (see methodology section). Question asked of 75 respondents in the retail, hospitality and travel industries.
2 U.S. State Comprehensive Privacy Law Comparison, Mitchell Noordyke, IAPP, 2019, https://iapp.org/resources/article/state-comparison-table/
Services and/or features are not available in all countries/locations, and may be procured from in-country providers in select countries. We continue to expand our service availability around the world. Please consult your Verizon representative for service availability. For further details please contact us.