The state of mobile security

Mobile Security Index
2021 Report

Please provide the information below and then check your email for a link to view the online Verizon Mobile Security Index report.

Thank you.

Thank you.

You may now close this message and continue to your article.


  • Each edition of this report has seen the number of companies suffering mobile security compromises rise. Until now. While this is good news, there are many reasons to believe that the picture isn’t as rosy as this finding might suggest. More than one in five surveyed companies had experienced a compromise involving a mobile device in the preceding 12 months. And further, the severity of the consequences remained high.


  • Compromises may
    be down, but the
    threats are growing.

  • Fewer companies were aware of
    successful mobile-related attacks.

    This is the fourth year that Verizon has published this report. And this time the percentage of companies that admitted to having suffered a mobile-related security compromise is the lowest we’ve seen—just 23%.3  But hold the Champagne. Nearly one in four companies suffering a mobile device attack is not cause for celebration.

  • By way of comparison, a recent report by Thales noted that 26% of global respondents had experienced a data breach of any kind in the previous 12 months.[1]

    One factor affecting these results is that the pressure on companies to sacrifice security was higher due to the measures needed to cope with COVID-19. This is highly likely to have inflated the sacrifice figures.

    Companies were also likely to have been distracted. This could mean that

  • they haven’t spotted compromises, or if they did spot them, they have not thoroughly traced them back to identify all involved sources.

    It’s also likely that cybercriminals were still modifying their methods when we did our survey. While attacks like phishing could continue as normal—and in fact COVID-19 gave hackers new opportunities—these attacks are less likely to be traced back to a device type.

    • Figure 1
    • By way of comparison, a recent report by Thales noted that 26% of global respondents had experienced a data breach of any kind in the previous 12 months.5

      One factor affecting these results is that the pressure on companies to sacrifice security was higher due to the measures needed to cope with COVID-19. This is highly likely to have inflated the sacrifice figures.

      Companies were also likely to have been distracted. This could mean that they haven’t spotted compromises, or if they did spot them, they have not thoroughly traced them back to identify all involved sources.

      It’s also likely that cybercriminals were still modifying their methods when we did our survey. While attacks like phishing could continue as normal—and, in fact, COVID-19 gave hackers new opportunities—these attacks are less likely to be traced back to a device type.

    • The risks remain high.


    • Companies see themselves as at risk.

      Despite the drop in known compromises, more than one in five companies experienced the loss of data or significant disruption to operations, or both. Just 14% of respondents thought that there was little or no risk associated with mobile devices.

    • Figure 2
    • More than two-thirds of respondents said that the risks associated with mobile devices had increased in the past year. And half (50%) said that mobile device risks are growing faster than others.

    • Figure 3
    • Figure 4
    • Companies are still failing on the basics.

      Since the first edition of this report, back in 2018, we have tracked how many companies have had four basic protections in place. These precautions were chosen based on some of the recurring problems identified in our sister publication, the Verizon Payment Security Report.

      Over the years, the share of companies in compliance with these protections hasn’t changed much. Until now. In previous reports, the share of companies in compliance with all four hovered around 12%, give or take 1 percentage point (pp). In our latest review, just 9% had all of them in place.

    • The four basic protections

      Which of the following statements match your organization’s security policies?

      • We change all default/vendor-supplied passwords
      • We always encrypt sensitive data when sent across open, public networks
      • We restrict access to data on a “need-to-know” basis
      • We regularly test our security systems and processes
    • Figure 5
    • Figure 6
      • Find out more.

      • Learn more about compliance with the Payment Card Industry Data Security Standard (PCI DSS) in the Verizon 2020 Payment Security Report (the ninth edition).

        verizon.com/paymentsecurityreport

        Despite not even having some of the most basic precautions in place, most respondents thought that any security or misuse issues would be spotted quickly. This mirrors our findings in previous years. 

    • Companies remain confident in their defenses.

      Despite the risks and numerous indications throughout our survey that companies have insufficient defenses in place—both in terms of security solutions and processes—companies were confident that they would spot compromises and misuse quickly.

    • Figure 7
    • Figure 8
    • This isn’t new; we’ve seen similar confidence in our previous surveys. Nor is the fact that despite this, companies realize that they have more to do. In our latest survey, 81% of respondents agreed that organizations need to take the security of mobile devices more seriously.

    • All 856 respondents.
      Ibid.
      Thales Data, Threat Report Global Edition, 2020. Based on research carried out by IDC in November 2019.

    Let's get started.