There's great news on the mobile security front: There aren't many cyberattacks and the malware is relatively benign. As a result, there isn't much to worry about and enterprises should spend their efforts securing non-mobile infrastructure. The bad news: Mobile security will matter at some point, most likely when companies button up vulnerabilities elsewhere.
That takeaway sticks out in Verizon's 2015 Data Breach Investigations Report. Among the key things to know:
Verizon, analyzing data from its Verizon Wireless unit, couldn't gather enough data on Apple iOS malware to deliver any findings. Beyond a few retooled Android exploits aimed at iOS little stuck out.
Before you start ranting about Android being insecure it's worth noting that most of the malware issues revolve around adware, an annoyance more than an enterprise killer.
However, 96 percent of mobile malware was targeted at the Android platform, based on FireEye data. It's worth noting that 95 percent of mobile malware has a shelf life of less than a month and 4 out of 5 samples lasted just a week.
So mobile is way secure right? Not really, said Jay Jacobs, an author of Verizon's report and security analyst at the company. "Mobile is not a preferred vector for attack. It gets visibility, but isn't a focus," said Jacobs.
Add it up and mobile just doesn't carry the dollar signs or glory that the desktop has. One reason is that smartphones and tablets don't have a lot of data on them and rely on corporate connections for valuable information. But the big reason is that cybercriminals have other easier targets to hit.
Think of mobile much like you do point of sale data breaches. Europe moved to chip and pin technology years ago and the U.S. decision to stick with magnetic strips for cards equated to a big welcome sign for cybercrime.
Once other areas of infrastructure are secured more, mobile may become a more enticing target.
Verizon said in its report:
With our first pass through the data, we found hundreds of thousands of (Android) malware infections, most fitting squarely in the adnoyance-ware category. In our second through eighteenth passes, we turned the data inside out but ended up just coming back to the malware. Finally, we stripped away the "lowgrade" malware and found that the count of compromised devices hung around 100 smartphones per week. The benefit of working with an internal team is that we knew how many devices were being monitored. The average of 100 smartphones per week is out of tens of millions of Android devices per week on the Verizon network. This puts our estimation at a fraction of the 0.68% infection rate (of all types of unwanted software) from Kindsight Security Labs' biannual report.
Jacobs said that enterprises need to monitor mobile security, but not necessarily focus heavily on it. Mobile security will matter at some point, but for now visibility and control of devices is most important. From Verizon's report:
We are not saying that we can ignore mobile devices; far from it. Mobile devices have clearly demonstrated their ability to be vulnerable. What we are saying is that we know the threat actors are already using a variety of other methods to break into our systems, and we should prioritize our resources to focus on the methods that they're using now.