More than 50% of organizations have at least one non-compliant device at any given time, according to new research by MobileIron Security Labs.
Its report, ‘Q4 Mobile Security and Risk Review’, explores the current state of mobile security, highlighting the threats and risks that companies are facing – particularly compliance failures, compromised devices, and data loss risks.
Findings suggest that enterprises are using outdated security methods to tackle new mobile threats, with companies failing to address the challenges brought forward by the emergence of more cloud-based services.
PC-era security approaches such as blacklisting underestimate new mobile threats and do not scale to the vast numbers of mobile apps used today, leaving companies vulnerable to attack.
In a statement to Infosecurity, Gert-Jan Schenk, VP of EMEA, Lookout, urged companies to avoid playing a dangerous game of ‘catch-up’ by using yesterday’s technologies to secure today’s connected devices.
“The reality is that the existing security model is broken and not designed for today’s world where cloud access and mobility are requirements. The irony is that everybody knows it, but they are stuck. Vendors, CEOs, IT, Security. Nobody trusts the current security model any more than the billions of people reading headlines about the latest breach.
“The danger is very simple; organizations relying on old world techniques like traditional antivirus make their corporate data vulnerable.”
Despite mobile malware risks increasing throughout 2015, more than 95% of enterprises have no protection in place to counteract them. Schenk believes this is because the risks of mobile-based attacks are not currently being brought to the fore.
“Today, we’re just not hearing about these as much for a few reasons. If customer data isn't touched in a breach, businesses won't announce it, because due to regulatory issues, they don't have to. Mobile breaches are happening; they just aren't being reported either because companies have no visibility into these threats as they occur or because reporting isn't enforced. As the attacks start to target customer data, we'll see more of these reported.”
Compromised devices were also noted as significant risks, with one in 10 enterprises having at least one – this increased by 42% during the period of the study.
Traditionally, a device is considered to be compromised if it is jailbroken/rooted, but MobileIron Security Labs suggests that monitoring for compromised devices is more complex than that. Variants of jailbreaking and anti-detection tools can disguise jailbroken devices, creating a false sense of security.
Schenk said companies need to take a proactive stance on security to reduce their mobile risk, implementing strategies such as carrying out periodic risk assessments to gain a truer understanding of their mobile threats and performing penetration tests to validate where there are remaining holes.
“Security is a continuously moving target, not something that can be solved once and for all,” he argued. “At a baseline, all accounts should be locked down with multi-factor authentication, mobile endpoints should run next-generation security software that is continuously monitored for signs of compromise, and all servers and hardware should be hardened via continuous patches.
“It's critical that businesses gain visibility into the threats that are currently compromising their networks and roll out protection. Consider the repercussions: mobile devices serve as an entry point to access other enterprise systems where sensitive data is stored.”