Enterprises have various ways of meeting the security threat posed by mobile devices that can access corporate data, ranging from tight device and information lock-down to modest controls.
That’s not good enough, according to mobile management provider MobileIron Inc., whose second Mobile Security and Risk Review says organizations continue to fall short when it comes to protecting corporate data on mobile apps and devices. As evidence it points to an analysis of customer data showing that only eight per cent of companies using its solution are enforcing OS updates, while fewer than five per cent use app reputation or mobile threat detection software.
The survey also showed that 40 per cent of companies had missing devices — potentially dangerous if they aren’t password-protected or can’t be remotely erased — up from 33 per cent in Q4 2015, and that 27 per cent of companies had out-of-date policies (where a mobile IT administrator has changed a policy on the console but that change has not yet propagated to all devices under management), up from 20 per cent in Q4 2015.
“The velocity of mobile attacks is increasing but the latest data shows that enterprises are still not doing the things they could be to protect themselves,” James Plouffe, the vendor’s lead architect, said in a statement. “This lack of security hygiene demonstrates that enterprises are alarmingly complacent, even when many solutions are readily available.”
The numbers come from aggregated, anonymous usage data shared by MobileIron customers in seven countries (the U.S., United Kingdom, France, Spain, Germany, Belgium and Japan) for the three-month period ending June 30.
There was one oddity: The percentage of companies in which a mobile device management app was removed from one or more mobile devices increased from five per cent in Q4 2015 to 26 per cent. “While less than 1 per cent of devices fell into this category,” the report notes, “they were spread across more companies. The reason for this increase is not known. Nevertheless, the trend is puzzling given general awareness that even a single compromised device increases the attack surface and can introduce malware into the corporate network or enable the theft of sensitive corporate data that resides behind the firewall.” U.S. companies were the most likely to have unmanaged EMM devices (30 per cent) and U.K. companies were the least likely (17 per cent).
There was some good news: The number of compromised (jailbroken or rooted) devices was about the same — 10 per cent of companies reporting at least one compromised device in Q4 2015, compared to nine per cent in Q2 2016. On the other hand 53 per cent of companies had at least one device out of compliance with its policies in Q2 2016, the same as Q4 2015.
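As an added example that is not from MobileIron or its report, the following Python check computes the report's hygiene indicators (missing devices, out-of-date policies, removed MDM apps, compromised devices, unenforced OS updates) from a constructed MDM inventory export; the 30-day missing-device threshold, the minimum OS versions, the column names and the sample rows are all assumptions.

```python
from datetime import date
AS_OF = date(2016, 6, 30)        # end of the reporting period covered by the article
MISSING_AFTER_DAYS = 30          # assumed: no check-in for this long counts as "missing"
MIN_OS = {"ios": "9.3.2", "android": "6.0.1"}   # assumed minimum OS versions to enforce
FINDINGS = ["missing", "out_of_date_policy", "mdm_removed", "compromised", "os_outdated"]

# Constructed sample inventory export (not real customer data), one row per device. policy_on_console is
# the version the administrator last saved; policy_on_device is the version the device last acknowledged.
INVENTORY = [
    {"company": "A", "device": "a1", "platform": "ios", "os": "9.3.2", "last_checkin": date(2016, 6, 29),
     "policy_on_console": 7, "policy_on_device": 7, "mdm_installed": True, "compromised": False},
    {"company": "A", "device": "a2", "platform": "ios", "os": "9.3.2", "last_checkin": date(2016, 4, 1),
     "policy_on_console": 7, "policy_on_device": 6, "mdm_installed": True, "compromised": False},
    {"company": "B", "device": "b1", "platform": "ios", "os": "9.3.2", "last_checkin": date(2016, 6, 30),
     "policy_on_console": 2, "policy_on_device": 2, "mdm_installed": True, "compromised": True},
    {"company": "C", "device": "c1", "platform": "android", "os": "5.1.1", "last_checkin": date(2016, 6, 28),
     "policy_on_console": 5, "policy_on_device": 5, "mdm_installed": False, "compromised": False},
    {"company": "D", "device": "d1", "platform": "android", "os": "6.0.1", "last_checkin": date(2016, 6, 30),
     "policy_on_console": 4, "policy_on_device": 3, "mdm_installed": True, "compromised": False},
    {"company": "E", "device": "e1", "platform": "ios", "os": "9.3.2", "last_checkin": date(2016, 6, 30),
     "policy_on_console": 1, "policy_on_device": 1, "mdm_installed": True, "compromised": False},
]
def version_tuple(v):
    return tuple(int(part) for part in v.split("."))

def device_findings(d, as_of=AS_OF):
    """Return the set of hygiene findings that apply to one inventory row."""
    findings = set()
    if (as_of - d["last_checkin"]).days > MISSING_AFTER_DAYS:
        findings.add("missing")
    if d["policy_on_device"] < d["policy_on_console"]:   # console changed, device not yet updated
        findings.add("out_of_date_policy")
    if not d["mdm_installed"]:          # MDM app removed: the device is now unmanaged
        findings.add("mdm_removed")
    if d["compromised"]:                # jailbroken or rooted
        findings.add("compromised")
    if version_tuple(d["os"]) < version_tuple(MIN_OS[d["platform"]]):
        findings.add("os_outdated")
    return findings

def company_rates(inventory, as_of=AS_OF):
    """Share of companies with at least one affected device, the way the report counts them."""
    per_company = {}
    for d in inventory:
        per_company.setdefault(d["company"], set()).update(device_findings(d, as_of))
    n = len(per_company)
    rates = {f: sum(f in s for s in per_company.values()) / n for f in FINDINGS}
    rates["any_noncompliant"] = sum(bool(s) for s in per_company.values()) / n
    return rates
```

Calling `company_rates(INVENTORY)` on the constructed rows reports, for example, that two of the five companies have a device that has not picked up the latest console policy.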
The MobileIron [Nasdaq: MOBL] report also said these mobile attacks either emerged or worsened in the last six months:
- Android GMBot, spyware that remotely controls infected devices in order to trick victims into providing their bank credentials;
- AceDeceiver iOS malware, designed to steal a person’s Apple ID;
- SideStepper iOS “vulnerability,” a technique that intercepts and manipulates traffic between an MDM server and a managed device;
- High-severity OpenSSL issues, vulnerabilities that can potentially impact large numbers of applications and services, which could ultimately jeopardize enterprise data-in-motion;
- Marcher Android malware, which mimics bank Web pages, presented through e-commerce web sites, to trick users into entering their login information.