
Enterprises dangerously complacent about mobile threats, says report

Businesses must ensure mobile security controls are deployed and enforced on every device used to access corporate data and apps, according to MobileIron’s latest mobile security and risk review

Enterprises continue to fall short when it comes to protecting corporate data on mobile apps and devices, a report has revealed.

Only 8% of companies are enforcing operating system updates and less than 5% are using app reputation or mobile threat detection software, according to the Mobile Security and Risk Review for Q2 2016 by security firm MobileIron.

This is despite the fact that several new mobile attacks have emerged that threaten enterprises with the loss of both personal and business data.

However, the report says most mobile attacks are reusing old tactics against mobile-specific services, such as SideStepper’s use of man-in-the-middle (MitM) attacks against mobile device management (MDM) services, rather than employing new techniques or exploiting new vulnerabilities.

“The velocity of mobile attacks is increasing, but the latest data shows that enterprises are still not doing the things they could be to protect themselves,” said James Plouffe, lead architect at MobileIron.

“This lack of security hygiene demonstrates that enterprises are alarmingly complacent, even when many solutions are readily available,” he added.

The following mobile attacks have either emerged or worsened in the past six months:

  • Android GMBot: This spyware remotely controls infected devices to trick victims into providing their bank credentials.
  • AceDeceiver iOS malware: This is designed to steal a person’s Apple ID.
  • SideStepper iOS “vulnerability”: This technique intercepts and manipulates traffic between an MDM server and a managed device.
  • High-severity OpenSSL issues: These vulnerabilities can potentially affect large numbers of applications and services, which could ultimately jeopardise enterprise data-in-motion.
  • Marcher Android malware: This has evolved to mimic bank web pages that trick users into entering their login information through e-commerce websites.

Despite these new and emerging mobile threats, mobile security practices remain largely unchanged, the report said.

Precursor to a breach

Security incidents are often the precursor to a breach, the report said, because they leave a device or app vulnerable, which can put enterprise data at risk.

The second quarter of 2016 saw a number of trends in employee compliance incidents and enterprise security practices, including:

  • Missing devices: 40% of companies had missing devices, up from 33% in Q4 2015.
  • Out-of-date policies: 27% of companies had out-of-date policies, up from 20% in Q4 2015.
  • Enforcing OS updates: 8% of companies were enforcing OS updates, which was comparable to Q4 2015.
  • App reputation software: Less than 5% of companies deployed app reputation software, which was comparable to Q4 2015.

However, UK businesses were found to have the fewest devices out of compliance – 39% compared with the global average of 50%. UK businesses also had the fewest compromised devices – 4% compared with the global average of 9%. And the UK had the fewest companies that reported staff removing MDM software – 17% compared with the global average of 26%.

The top 10 consumer unmanaged apps most often blacklisted by enterprises changed from Q4 2015 to Q2 2016, with the addition of Line and Evernote.

The top 10 consumer unmanaged apps most often blacklisted in Q2 2016 include:

  • Dropbox
  • Facebook
  • Angry Birds
  • Skype
  • Line
  • Box
  • OneDrive
  • Google Drive
  • Twitter
  • Evernote

“When an unmanaged app that can potentially access corporate data or bypass corporate security measures achieves broad consumer adoption, IT departments look to blacklist it because they can’t protect corporate data in an app they don’t manage,” said Plouffe.

Top third-party apps

There were also changes in the top third-party (managed) apps most often deployed by enterprises, with new entrants including Accellion, Acronis Access, Breezy, PocketCloud and Roambi Analytics.

Goodreader, Google Docs, Microsoft Office Suite, Skype for Business and Xora Mobile Worker dropped off the top 10 list.

Top third-party apps that were most often deployed by enterprises in Q2 2016 included:

  • Salesforce
  • QuickOffice
  • Evernote
  • Breezy
  • Cisco AnyConnect
  • Accellion
  • GoodReader
  • Cisco Webex
  • Box
  • Roambi Analytics

Government organisations are known for having some of the most stringent security requirements. Paradoxically, the report said, extensive approval processes make it difficult for these organisations to keep pace with change, which can make them more vulnerable.

Globally, government organisations are less prepared to deal with security incidents than the global average:

  • 61% of government organisations have at least one non-compliant device, compared with the global average of 53%.
  • 48% of government organisations have missing devices, compared to the global average of 40%.
  • 34% of government organisations have devices operating under outdated policies, compared to the global average of 27%.

The share of iOS devices grew from 78% in Q4 2015 to 81% in Q2 2016. The share of Android devices remained flat at 18% over the same period. In the UK, 83% of mobiles covered in the report were running iOS, compared with 16% running Android.

The report concluded by recommending that organisations protect everything and enforce mobile security.

Enterprises typically manage only a fraction of mobile devices through enterprise mobility management (EMM), the report said, pointing out that every unmanaged device is an opportunity for attackers to steal company data.


“IT must ensure mobile security controls are deployed and enforced on every device used to access corporate data and apps,” the report said.

Gaining user trust is the first step to maintaining EMM controls on mobile devices, but IT should not put enterprise security exclusively in the hands of users, the report said.

According to MobileIron, employees should not be allowed to remove EMM security controls without IT’s approval.

“Moving forward, IT should consider deploying all corporate-liable devices using the Apple Device Enrollment Program (DEP), Samsung KNOX or Android for Work Device Owner to prevent users from deleting or sidestepping corporate security policies on these devices.”
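The report’s recommendation amounts to a per-device compliance check: is the EMM profile still present, is the device enrolled in a supervised mode (DEP, KNOX or Android Device Owner) so users cannot sidestep policy, is the OS current, is the policy fresh, has the device checked in recently, and does it carry any of the blacklisted unmanaged apps? The following is an added example of such an audit, not MobileIron’s own code or API. The device inventory, the minimum OS versions, the 30-day policy age and 7-day check-in thresholds are all constructed assumptions; the blacklisted app names are the ones listed in the article. The aggregate percentages it produces correspond to the categories the report tracks (non-compliant, missing, out-of-date policy, EMM removed, outdated OS).

```python
"""Fleet compliance audit over an EMM/MDM device inventory.

Added example (not MobileIron's code). The inventory, version floors and
age thresholds below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Minimum OS versions the fictional organisation enforces (assumption).
MIN_OS = {"ios": (9, 3, 0), "android": (6, 0, 0)}
# Unmanaged consumer apps blacklisted by enterprises, per the article's top-10 list.
BLACKLISTED_APPS = {"Dropbox", "Facebook", "Angry Birds", "Skype", "Line",
                    "Box", "OneDrive", "Google Drive", "Twitter", "Evernote"}
POLICY_MAX_AGE = timedelta(days=30)   # policy older than this is "out of date" (assumption)
MISSING_AFTER = timedelta(days=7)     # no check-in for a week counts as "missing" (assumption)


@dataclass
class Device:
    device_id: str
    platform: str                 # "ios" or "android"
    os_version: tuple             # e.g. (9, 3, 2); tuples compare lexicographically
    managed: bool                 # EMM/MDM profile still present on the device
    supervised: bool              # DEP / KNOX / Android Device Owner enrolment
    policy_applied: date          # when the current policy was last pushed
    last_checkin: date            # last time the device reported to the EMM server
    unmanaged_apps: set = field(default_factory=set)


def findings_for(device, today):
    """Return the compliance findings for one device; an empty list means compliant."""
    findings = []
    if not device.managed:
        findings.append("emm-removed")
    if not device.supervised:
        findings.append("not-supervised")
    if device.os_version < MIN_OS[device.platform]:
        findings.append("os-outdated")
    if today - device.policy_applied > POLICY_MAX_AGE:
        findings.append("policy-out-of-date")
    if today - device.last_checkin > MISSING_AFTER:
        findings.append("missing")
    bad_apps = device.unmanaged_apps & BLACKLISTED_APPS
    if bad_apps:
        findings.append("blacklisted-app:" + ",".join(sorted(bad_apps)))
    return findings


def audit(devices, today):
    """Evaluate every device and roll findings up into fleet-level percentages."""
    per_device = {d.device_id: findings_for(d, today) for d in devices}
    total = len(devices)

    def pct(pred):
        return round(100 * sum(1 for fs in per_device.values() if pred(fs)) / total)

    summary = {
        "non_compliant_pct": pct(lambda fs: bool(fs)),
        "missing_pct": pct(lambda fs: "missing" in fs),
        "policy_out_of_date_pct": pct(lambda fs: "policy-out-of-date" in fs),
        "emm_removed_pct": pct(lambda fs: "emm-removed" in fs),
        "os_outdated_pct": pct(lambda fs: "os-outdated" in fs),
    }
    return per_device, summary


# Constructed sample inventory (audit date chosen to match the report period).
TODAY = date(2016, 6, 30)
SAMPLE_INVENTORY = [
    Device("ipad-001", "ios", (9, 3, 2), True, True, date(2016, 6, 20), date(2016, 6, 29)),
    Device("iphone-002", "ios", (8, 4, 0), True, False, date(2016, 5, 1), date(2016, 6, 28),
           {"Dropbox", "Slack"}),
    Device("pixel-003", "android", (5, 1, 1), False, False, date(2016, 6, 15), date(2016, 6, 10)),
    Device("galaxy-004", "android", (6, 0, 1), True, True, date(2016, 6, 25), date(2016, 6, 30),
           {"Slack"}),
]

if __name__ == "__main__":
    per_device, summary = audit(SAMPLE_INVENTORY, TODAY)
    for dev_id, fs in per_device.items():
        print(f"{dev_id}: {'compliant' if not fs else ', '.join(fs)}")
    for key, value in summary.items():
        print(f"{key}: {value}%")
```

Run as a script it prints each device’s findings and the fleet percentages; in practice the inventory would come from the EMM server’s export rather than an inline list, and the thresholds would be set by policy.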

The report is based on aggregated, anonymous usage data shared by MobileIron customers that was compiled between 1 April and 30 June 2016.
