Mobile device management (MDM) and enterprise mobility management (EMM) company MobileIron (NASDAQ:MOBL) has released the second edition of its Mobile Security and Risk Review while attending the 2016 U.S. Black Hat conference in Las Vegas, which runs from July 30 to August 4.
The report, based on aggregated, anonymous customer usage data compiled during the three-month period ending June 30, 2016, unsurprisingly finds that both enterprises and governments continue to fall drastically short in protecting corporate data on mobile apps and devices: less than 5% of companies use App Reputation or Mobile Threat Detection software, and only 8% enforce OS updates, even as mobile threats in general are on the rise.
“The velocity of mobile attacks is increasing but the latest data shows that enterprises are still not doing the things they could be to protect themselves,” said MobileIron Lead Architect James Plouffe. “This lack of security hygiene demonstrates that enterprises are alarmingly complacent, even when many solutions are readily available.”
The share of iOS devices increased from 78% in Q4 2015 to 81% in Q4 2016, with Android device use remaining flat at 18%.
Although Apple and Google released three OS updates this past quarter, only 8% of companies enforced those updates.
Because enterprises are not investing in Mobile Threat Detection software, attackers can simply recycle old attack habits, including SideStepper-style Man-In-The-Middle (MitM) attacks against MDM and exploitation of the same old, unpatched vulnerabilities, rather than having to develop new techniques.
The report lists five mobile attacks that have either emerged or gotten worse in the last six months:
- Android GMBot: This spyware remotely controls infected devices in order to trick victims into providing their bank credentials.
- AceDeceiver iOS malware: This malware is designed to steal a person’s Apple ID.
- SideStepper iOS “vulnerability”: This technique intercepts and manipulates traffic between an MDM server and a managed device.
- High-severity OpenSSL issues: These vulnerabilities can potentially impact large numbers of applications and services, which could ultimately jeopardize enterprise data-in-motion.
- Marcher Android malware: This malware has evolved to mimic bank web pages that trick users into entering their login information through e-commerce web sites.
Even when they are not simply exploiting old vulnerabilities, attackers are constantly devising new ways of attacking mobile enterprise apps, an attack surface that keeps growing as Bring Your Own Device (BYOD) becomes more common in workplaces, putting both business and personal data at risk.
On top of enumerating threats and outlining complacent enterprise habits, MobileIron’s report also lets us know that 40% of companies have devices missing, up from 33% in Q4 2015, and that 27% of companies had out-of-date policies, up from 20% in Q4 2015.
Almost as alarming as slack security practices in IT departments is the fact that 26% of respondents said an EMM tool had been removed from one or more of their devices, most likely because an employee upgraded the device or performed a factory reset; that figure was only 5% in Q4 2015.
The report details the most common mobile threats and blacklisted apps, as well as emerging threats and risks, from enterprise compliance failures to compromised devices and data loss risks.
The most common unmanaged apps blacklisted by employers for installation on mobile devices are Dropbox, Facebook, Angry Birds and Skype, among others.
The most popular third-party enterprise apps deployed on mobile devices are: 1) PocketCloud Remote Desktop, 2) Salesforce, 3) Breezy, 4) Cisco Webex and 5) Box.
Seven countries were surveyed for the MobileIron report: the U.S., United Kingdom, France, Spain, Germany, Belgium and Japan. The U.K. and Japan performed best in terms of companies with compromised devices, at 4%, compared with the global average of 9%.
Belgium and France, at 12%, were the worst performers on that front.
30% of U.S. companies reported having unmanaged devices while U.K. companies reported 17%.
Is there any good news? Only if private enterprise compares itself to government, where the IT mismanagement and resource allocation gap really opens up.
Where the global average of enterprises reporting at least one non-compliant device is 53%, that number rises to 61% for government.
Where the global average of enterprises reporting missing devices is 40%, that number rises to 48% for government.
And while the global average of enterprises reporting devices operating under outdated policies is 27%, the same number rises to 34% for government organizations.
Part of that gap is explicable by the fact that government organizations have much more stringent security requirements for device and IT management, not to mention more rigorous approval processes.
All the same, it’s not much of a silver lining.