conejota - Fotolia

MobileIron: Corporate IT policy and mobile device security are mismatched

MobileIron report identifies a gap between security policy and the actual deployment of that policy on mobile devices

Research from enterprise mobility services company, MobileIron, has found that almost a third of its customers have at least one outdated mobile policy.

The Mobile Security and Risk Review study, based on security analytics collected from 7,800 MobileIron customers between 1 October and 31 December 2016, analysed mobile Android, iOS and Microsoft Windows use in enterprises.

Out of date policies occur when a security policy is changed, but it is not reflected on the user’s mobile device.

According to MobileIron, this can occur if users have a device that they use infrequently or receive a new device and stop using their old device, resulting in scenarios where a device either connects infrequently or “fades away”, preventing it from receiving updates.

One of the areas where security has been improving is updating operating system (OS) software. The majority of regions and verticals saw an increase in the percentage of companies enforcing mobile OS updates.

Security-focused industries – such as financial services (12%), government (11%) and healthcare (12%) – are enforcing OS updates at a greater rate than the global average of 9%.

Companies in Belgium and the Netherlands (both at 14%) were the most likely to enforce OS updates, while Japanese companies (3%) were the least likely, MobileIron’s research found.

MobileIron urged security chiefs to block corporate access on devices running unauthorised mobile apps, such as those “side-loaded”.

The top blacklisted apps among its corporate customers include Dropbox, Facebook, Twitter, Skype, OneDrive, Outlook and Google Drive.

Read more about mobile security

The report stated: “Organisations should control side-loaded configurations and apps by monitoring for ‘unmanaged’ configuration and provisioning profiles on iOS.

“For Android, disabling ‘allow untrusted sources’, as well as monitoring app permissions – such as blacklisting apps that request the device admin permission – will reduce risk of unauthorised changes to configurations and apps.”

However, its research found that while most organisations spent time creating policies, nearly half of the companies surveyed did not take an action such as blocking network access.

This may be because in many low-risk scenarios, the action taken is to alert the employee or IT administrator to request manual remediation, MobileIron noted. It recommended automating policy enforcement to protect against future mobile attacks.

Read more on Mobile hardware

Data Center
Data Management