Drivers of change
In the previous edition of this report, we talked about the evolution of privacy legislation. That’s still a factor–almost three-quarters (73%) of our respondents said that legislation is driving action—but about as many said the same thing a year earlier (74%).
Since our 2020 report, U.S. legislators have had a general election and a pandemic to contend with. Despite this, Nevada signed new comprehensive privacy legislation92 and Iowa, Michigan, Mississippi, New Hampshire, South Carolina, Virginia and Wisconsin joined the list of states working on such rules.93 This means about half of Americans now live in a state where comprehensive privacy legislation has been enacted or is going through the legislative process.
IT teams are struggling to reconcile demands.
The pressure on businesses to innovate and reimagine themselves is high. It was high before COVID-19, and it’s likely to be even higher afterward.
The pandemic was an outlier that many companies weren’t prepared for. Even some of the best-managed, most IT-literate companies found that their business models and infrastructure weren’t as resilient and flexible as they thought.
But over half (56%) of respondents said that cybersecurity challenges are holding back their digital transformation. A similar proportion (58%) said that they struggle to reconcile differing mobile demands from across the organization.
Traditional models are broken.
We can tell that traditional security models are no longer adequate as respondents were almost as concerned about security issues caused by people going around policy for convenience as about people committing malicious acts for financial gain.
So long, perimeter.
It’s somewhat ironic to be talking about the end of perimeters when so many people have been forced to stay at home since our previous report. The idea of the end of the perimeter isn’t new. The Jericho Forum began advocating the concept of deperimeterization in 2003. It’s not just the growth in the use of mobile devices that has been behind this trend; the increased use of cloud services and shift toward partner ecosystems have also driven interest.
Today, applications and data are everywhere—in company-owned data centers, in the cloud, on mobile devices and so on. Consequently, many companies struggle to maintain complete visibility into their applications and data, let alone control and manage who has access to those assets.
Many organizations have tried to overcome these issues using multiple point products, such as SWGs, firewalls and VPNs. However, with data storage and processing moving to the cloud, much traffic now bypasses VPNs and on-premises firewalls. As a result, organizations have been looking for an alternative that can accommodate both cloud and data center applications.
Zero trust network access
Many traditional security models rely on the notion of a perimeter, a bit like the old idea of a castle. The good guys are on the inside with “barbarians at the gate.” In the digital world, this perimeter is enforced by VPNs, firewalls and other security devices on the edge. Once inside, there may be additional authentication required to access some resources, but you’re free to wander the corridors. The paradigm could be described as “trust, but verify.”
In contrast, the thinking behind zero trust network access (ZTNA) could be explained as “trust no one.” Resources are hidden and only accessible through a trust broker. Even when you have obtained access to one resource, you can’t even “see” other resources. As an analogy, think of a burglar breaking into a house. In the perimeter model, some of the internal doors may have additional locks. In the ZTNA model, the burglar can’t even see that there are other doors.
ZTNA isn’t a technology. It’s often described as a security framework. It requires multiple technologies to implement. See Figure 72.
One of the big benefits is that ZTNA doesn’t depend on the notion of a perimeter and so is appropriate for both on-premises and cloud-based resources. According to Gartner, 90% of those implementing ZTNA are using an as-a-service approach.94
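The contrast drawn above between the perimeter model and a ZTNA trust broker can be sketched in a few lines. This is an added illustration, not code from the report or from any product; the policy table, group names and the device-posture flag are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy: resource -> (groups allowed, managed device required)
POLICY = {
    "payroll-app": ({"finance"}, True),
    "wiki": ({"finance", "engineering"}, False),
    "build-server": ({"engineering"}, True),
}

NOT_FOUND = "not found"  # one answer for both "denied" and "does not exist"


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset
    authenticated: bool
    device_managed: bool  # posture signal, assumed to come from device management


def _allowed(session, resource):
    """Default deny: every condition must hold for this specific resource."""
    rule = POLICY.get(resource)
    if rule is None or not session.authenticated:
        return False
    groups, needs_managed = rule
    if needs_managed and not session.device_managed:
        return False
    return bool(groups & session.groups)


def perimeter_visible(inside_network):
    """Castle model: once past the edge, every resource is discoverable."""
    return sorted(POLICY) if inside_network else []


def broker_visible(session):
    """ZTNA model: the broker lists only what this session may reach."""
    return sorted(r for r in POLICY if _allowed(session, r))


def broker_connect(session, resource):
    """Per-request decision; a denied resource is indistinguishable from a missing one."""
    return f"tunnel to {resource}" if _allowed(session, resource) else NOT_FOUND


# Constructed sessions: same user on a managed and on an unmanaged device
ALICE = Session("alice", frozenset({"finance"}), True, True)
ALICE_BYOD = Session("alice", frozenset({"finance"}), True, False)
```

In this sketch the same user sees fewer resources from an unmanaged device, and a request for `build-server` returns the same answer as a request for a name that was never defined.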
Secure access service edge
Secure access service edge (SASE, pronounced “sassy”) is also not a security technology. It’s an architecture—originally proposed by Gartner, a leading research and advisory firm—that is designed for the mobile-first and cloud-first world.
It reflects the decentralized architectures that companies now operate or are moving toward. It integrates network and security services into a single, distributed, cloud-centric solution that protects all traffic, applications and users. It encompasses ZTNA, CASB, Data Loss Prevention and much more.
This approach helps organizations deploy, manage and scale infrastructure securely. Its flexibility makes it easier for companies to scale their security infrastructure as they grow, without having to reconfigure the central architecture. The SASE model also enables organizations to support on-premises and cloud-based applications without requiring separate infrastructure as with conventional proxy- and software-defined-perimeter-based solutions.
It’s still early days.
ZTNA and SASE are both relatively new concepts and, accordingly, adoption is still low. However, 80% of organizations said they are more likely to evaluate a ZTNA solution as a result of the events of 2020.95
It’s highly unlikely—especially if you are reading it soon after its release—that you are reading this report in “the office.” And if you are reading a digital copy, it’s pretty likely that you downloaded it over a wireless network—quite possibly one not owned or controlled by the organization that you work for. That’s the reality of the modern workforce.
Much has been said about the impact of COVID-19 on working practices, but things have been changing for many years. Mobile devices are a fundamental part of this. As devices have become more powerful, aided and abetted by cloud-based services, companies have found more ways to make use of them. And that cycle continues; 5G promises to unleash a whole new wave of innovation.
Unfortunately, as devices have grown more powerful, they’ve become more appealing to those with malicious intentions. Solutions have evolved, but, as we’ve seen, even when tools are in place, people don’t always use them.
Part of the problem is the gulf between how mobile devices and remote workers have been treated compared to others.
Recently, new security models that recognize the mobile-first, cloud-first reality of modern business have emerged. These promise to make mobile device security better for all concerned: the company that wants to protect valuable systems and data; the admins that have to manage and secure devices; and the users that depend on these devices to be productive. It’s still early days, but we expect these models to rapidly gain ground.
Much as how mobile devices are managed and secured is merging with other devices, there remain distinct differences between how these devices are used. In the past, terms like “home worker” and “mobile worker” have been used interchangeably. As the world recovers from the COVID-19 pandemic and working patterns settle to a new normal, we expect the important differences between working personas to become more evident.
There’s a lot of work to do in bringing processes and policies up to date for what lies ahead.
All this raises the question of whether there will be a need for a Mobile Security Index 2022. In many ways, that’s down to you, our readers. We’d love to hear whether you’ve found this report useful and how you see mobile device security changing. Tell us which findings you’ve found interesting and which you disagree with. Let us know what we’ve missed and what you’d like to see in the future.
92 To be considered comprehensive, privacy legislation must include protection for citizens and obligations on organizations. Rights for data subjects include the right to access, the right to be forgotten (data deletion) and the right of correction. Duties placed on organizations include strict opt-in rules, mandatory notification of data breaches and limitations on processing data—including being transparent with subjects about how their data will be used.
93 The International Association of Privacy Professionals (IAPP). https://iapp.org/resources/article/state-comparison-table/
94 Gartner, Market Guide for Zero Trust Network Access, June 2020.
95 NetMotion, SDP report, June 2020. A survey of over 600 network and IT professionals across the U.S., the U.K. and Australia.
96 Asavie, The Future of the Secure Office Anywhere, October 2020. Based on detailed interviews with 1,005 key business stakeholders, including C-Suite, IT and cybersecurity leaders, across North America, EMEA and Asia-Pacific.