Cybersecurity as a Lip Service: Self-deception in the Corporate Cyber World

According to a report from Verizon, one-third of major cybersecurity breaches were traced to mobile devices. This number is probably lower than it really is because many companies don’t release details on how they were hacked. One reason they don’t want to give this information is because they are embarrassed to admit how lax their security was. The report seems to suggest that companies simply don’t know how to secure their endpoints, such as smartphones. In fact, 67% of organizations questioned said they weren’t really sure if they were securing their endpoints well enough.

So here’s the problem, and it’s not a new problem. More and more organizations are allowing their employees to access more data from their mobile devices because they realize this increases worker productivity. Workers, too, want the freedom to access corporate data so that they can work remotely. The dilemma is this: How can an organization allow its workers remote access to its valuable data when they cannot be sure if these workers are exposing the enterprise to a cyber attack? Additionally, how can companies give guidelines for these workers when they aren’t sure what those guidelines should be?

The Verizon report highlights the concern and confusion most companies have when it comes to securing their endpoints. 83% admitted that they thought that their companies were at risk from an attack that used this vector. Here’s a graphic showing this concern in some of the most affected sectors.

concern

Now, you would think, that if these organizations were so worried about being compromised through their endpoints, they would be spending more money on protecting them. Well, you may be surprised to find that just the opposite is true. As the report notes, “Almost half said they had sacrificed security to ‘get the job done,'” And the result of this sacrifice? “Nearly half of those that sacrificed security admitted to suffering a compromise.” And 62% of those compromised categorized the breach as major. This certainly seems like a clear case of unproductive prioritizing at best and simple incompetence at worst.

Most people just think that a security breach consists of a loss of data or important company secrets. But there are other repercussions of a cyber attack that are often not taken into account. These can be seen in the following chart based on companies that suffered a breach.

data plus

The chart does not show any penalties the companies may have had to pay for not properly protecting data or the cost of upgrading their security.

Keep in mind that companies are well-aware of the dangers that are inherent in the misuse of mobile devices. 83% said they understood the threat. In fact, of all cyber threats worrying organizations, those related to mobile devices lead the way by far.

mobile devices top concern

And although companies realize the dangers, they also seem to believe that their current defenses are good enough. It is a viewpoint that, under the statistical circumstances, comes close to being delusional. Despite claiming to understand the dangers posed by endpoints, 83% of organizations thought their existing security was effective. Over 75% believed they could quickly spot any endpoint problems. Yet, the statistics show otherwise. 63% of organizations didn’t know they had been breached until they were notified by a third party. And although most companies said they planned to beef up their cybersecurity in the coming year, if the past is any indication of the future, few really will.

Companies are well-aware that their main threat will come from employees or, more specifically, from careless employees misusing their mobile devices. They realize that employees will fail to or refuse to follow company guidelines. They know, for example, that employees will use public WIFI without a good VPN, download infected apps, or even lose their phones. This realization results in a lot of hand-wringing and not much more. The bad news is that criminals and nation-states have figured all of this out. They are now targeting endpoints more than ever. Here’s the latest threat report from Check Point which illustrates this.

2019 threats

In fact, research by Wandera, shows that the larger the company is, the greater the chance for at least one endpoint to be compromised. Here’s a test your company can take to determine your exposure.

wandera

So, here’s the situation. The threat of a breach originating at an endpoint is increasing, and, for larger organizations, it’s almost guaranteed. All enterprises are aware of this threat and, in addition, realize that they can’t really trust their employees to use their mobile devices securely. Yet, they continue to believe that somehow they have enough protection to detect and stop a breach. This is nothing but denial. In addition, although they all say they will increase their endpoint security, it is unlikely that they really will. This is because they believe that cybersecurity is expensive and tends to slow down their day to day operations.

Within this environment exists the possibility that there is also a disconnect between management and IT departments. After all, they do have different agendas. One is geared towards profits while the other is geared towards protecting data. Management may not completely understand how closely the two are linked. Some effort must be made to make these two factions work more closely as a team that is fighting a common foe. Often, it is only after a breach occurs and costs mount that this concept is understood.

Most major cybersecurity firms are working on improving endpoint protection. They understand this as the threat of the future as more and more devices become ‘smart’. Generally, they are working on software solutions that require active monitoring of endpoint use. InZero Systems, however, has developed a hardware-based solution which requires almost no monitoring. They have developed a smartphone with two independent operating systems, basically two phones in one, so that even the most careless employee cannot compromise corporate data. Expect to see more innovations in endpoint protection as attackers focus more and more on them and major breaches based on weak endpoints make the headlines.

As 5G networks develop, connectivity via numerous endpoints will increase logarithmically. If enterprises think the current landscape is dangerous, they haven’t seen anything yet.

 

 

 

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s