There's great news on the mobile security front: cyberattacks are relatively rare and malware is relatively benign.
As a result, businesses should spend their efforts securing non-mobile infrastructure for now. However, mobile security will matter at some point, most likely when companies button up vulnerabilities elsewhere.
Those takeaways stick out in Verizon's 2015 Data Breach Investigations Report. Among the key findings in the new report:
- Verizon, analyzing data from its Verizon Wireless unit, couldn't gather enough data on Apple iOS malware to deliver any findings. Beyond a few retooled Android exploits aimed at iOS, little stuck out.
- Before you start ranting about Android being insecure, it's worth noting that most of the malware issues revolve around adware, an annoyance more than an enterprise killer.
- However, 96 percent of mobile malware was targeted at the Android platform, based on FireEye data. Still, 95 percent of mobile malware has a shelf life of less than a month and four out of five samples lasted just a week.
So mobile is incredibly secure? Not really, said Jay Jacobs, an author of Verizon's report and security analyst at the company. It's more that "mobile is not a preferred vector for attack. It gets visibility, but isn't a focus," said Jacobs.
Add it up and mobile just doesn't carry the dollar signs or glory that the desktop does. One reason is that smartphones and tablets don't have a lot of data on them and rely on corporate connections for valuable information. But the big reason is that cybercriminals have other easier targets to hit.
Think of mobile much like you do point-of-sale data breaches. Europe moved to chip and pin technology years ago and the U.S. decision to stick with magnetic strips for cards was the equivalent of a big welcome sign for cybercrime.
Once other areas of infrastructure are secured more, mobile may become a more enticing target.
"With our first pass through the data, we found hundreds of thousands of (Android) malware infections, most fitting squarely in the adnoyance-ware category. In our second through eighteenth passes, we turned the data inside out but ended up just coming back to the malware. Finally, we stripped away the 'lowgrade' malware and found that the count of compromised devices hung around 100 smartphones per week," according to Verizon's report.
"The benefit of working with an internal team is that we knew how many devices were being monitored. The average of 100 smartphones per week is out of tens of millions of Android devices per week on the Verizon network. This puts our estimation at a fraction of the 0.68% infection rate (of all types of unwanted software) from Kindsight Security Labs' biannual report."
Jacobs said that enterprises need to monitor mobile security, but not necessarily focus heavily on it. Mobile security will matter at some point, but for now visibility and control of devices is most important.
From Verizon's report: "We are not saying that we can ignore mobile devices; far from it. Mobile devices have clearly demonstrated their ability to be vulnerable. What we are saying is that we know the threat actors are already using a variety of other methods to break into our systems, and we should prioritize our resources to focus on the methods that they're using now."
The story originally posted as "Mobile security: Largely a non-issue...for now" on ZDNet.