Most Android devices running outdated versions

Outdated iOS devices a threat to enterprise

A similar analysis of Apple iOS devices revealed that only 20% of iPhones run the latest Apple operating system version iOS 9.2, compared with just 6% of Android devices running the latest version 6.0 (known as Marshmallow).

Outdated iOS devices have well-known vulnerabilities such as Ins0mnia and Quicksand that make these devices susceptible to attacks.

Duo Security estimates more than 20 million mobile devices connected to enterprise networks are no longer supported by the device manufacturer. The devices therefore cannot be upgraded to the latest versions of the software, which would fix their vulnerabilities.

However, the security firm notes that there are many devices still on the market that cannot receive updates, meaning that even a new device may be a security concern for the enterprise.

Organisations need to educate users

While the findings of the study are concerning, Duo Security said that visibility and insight into the state of the devices accessing critical networks and applications is a powerful first step in securing the enterprise.

However, organisations are unlikely to be able to address this problem quickly if they leave mobile security entirely up to the IT department, without getting users to take some responsibility, said Henry Seddon, head of European operations at Duo Security.

“Users need educating, but organisations need to put in place systems that not only educate users, but can also encourage them and make it easy for them to upgrade to the latest versions of software,” he told Computer Weekly.

Failure to do this, he said, means systems will always tend to be out of date, which will open up organisations to malware and other forms of attack.

“It is up to everybody in the company to take responsibility for the company’s security and their own, and organisations need to provide the tools that stop them at key points, and encourage and enable them to follow best practice,” said Seddon.

Security recommendations

Duo Security also recommended that IT professionals implement the following measures to reduce the risk of compromised mobile endpoints:

• Establish basic mobile device security policies for the company and get buy-in from business managers.
• Enable all employees to use passcodes and fingerprint screen locks to prevent trivial access to sensitive data on mobile phones.
• Consider excluding phones that are jailbroken or rooted from access to corporate data and systems.
• Provide helpful tips and reminders to users to check for updates on personal devices accessing company data.
• Update or replace outdated hardware in use in the enterprise that may no longer be supported with security updates by the manufacturer.
• Recommend that employees using Android devices consider Nexus handsets with more frequent and direct platform update support.
• Address common update issues up front with guidance on problems related to updating mobile devices, such as providing tips on freeing space for updates.
• Use free tools to detect devices with particularly concerning vulnerabilities.