MobileIron releases Mobile Security and Risk Review – Third Edition
Welcome to the third edition of the Mobile Security and Risk Review. This bi-annual review provides IT security leaders with timely information about the mobile threat landscape and the emerging risks facing their organisations.
The Mobile Threat Landscape
New Threats and Trends
Almost immediately after we published the second edition of this report, high-profile vulnerabilities and new malware families began appearing. The Godless malware, identified in late June 2016, managed to infect an estimated 850,000 devices. Initially discovered in February 2016, Hummingbad was more widely analyzed in July, and it appears it was created by Yingmob, the group behind the YiSpectre iOS malware that made headlines last year. Hummingbad succeeded in infecting nearly 85,000,000 devices. The apparent goal of both malware families was to drive fraudulent ad revenue. However, what is more notable, and sinister, is that they contained exploits that attempt to “root” devices over the air without the user’s knowledge, thus giving attackers full control of an infected device.
The State of Mobile Enterprise Security
IT organizations spend time and resources configuring mobile security policies, but those policies are not always consistently enforced. In the latter part of 2016, nearly half of companies did not enforce device policies, a figure which was consistent with Q2. Germany had the highest percentage of companies enforcing security policies (66%) while the UK had the lowest (42%). Regulated industries enforced policies (64%-66%) at a rate well above the global average of 55%. Spain saw the largest increase, with the percentage of companies enforcing policies jumping to 48% from 40%.
Nearly 30% of companies have at least one outdated policy, a trend that has not changed since the previous report. Out-of-date policies happen when the mobile IT administrator has changed a policy on the console but that change has not been propagated to all of the devices being managed. This is usually a result of user behaviour. For example, users may have a device that they use infrequently or receive a new device and stop using their old device, resulting in scenarios where a device either connects infrequently or “fades away,” preventing it from receiving updates. Most regions saw an increase in the percentage of companies with outdated policies, although Japan and the Netherlands experienced a decrease. Spain and Japan had the fewest organizations with outdated policies (both at 22%), while companies in Belgium had the most, at 36%. In fact, Belgium jumped from 23% in Q2 to 36% in Q4. The three industries had higher rates of out-of-date policies than most individual regions.