One in ten enterprises has at least one compromised device
MobileIron “State of App Security” data also reveals list of top blacklisted consumer apps
As employees choose smartphones and tablets to do work, mobile apps become critical business tools. With recent mobile attacks such as XcodeGhost, Stagefright, KeyRaider, and YiSpecter, an unprecedented amount of mobile business data has been put at risk. MobileIron today released new statistics on the “State of App Security,” including insights about how companies are using and protecting mobile apps.
“As more business processes are mobilised, hackers look to mobile apps to capitalise on enterprises’ inability to prevent and detect mobile threats,” said Mike Raggo, Director of Security Research at MobileIron.
“To protect sensitive data against the threats of tomorrow, enterprises need to rethink their security approach for a fundamentally different mobile architecture.”
- Read the white paper to learn more about how enterprises can combat mobile threats.
- Register here to join MobileIron for a webinar on November 4 at 18:00 GMT.
Apps are gaining ground
The transformative power of mobility can only be realised by mobilising core business processes. Rich ecosystems of third-party apps provide enterprises with powerful mobile tools that work out of the box.
The top third-party apps that are currently deployable across MobileIron’s customer base include:
- Microsoft Office Suite
- Cisco AnyConnect
- Cisco Webex
- Skype for Business
- Google Docs
- Xora Mobile Worker
MobileIron customers have also deployed more than 300,000 apps that were built in-house for employee use.
Top blacklisted consumer apps
Employees may store corporate documents on personal Enterprise File Sync and Sharing (EFSS) apps, putting sensitive corporate data outside of IT’s protection. Five of the top ten consumer apps that are blacklisted by MobileIron customers are EFSS apps.
- Dropbox (EFSS)
- Angry Birds
- OneDrive (EFSS)
- Google Drive (EFSS)
- Box (EFSS)
- SugarSync (EFSS)
“Consumer versions of EFSS apps frighten IT departments because corporate data can wander away. Fortunately, enterprise versions of many of these apps are available,” said Raggo. “Enterprises can give their employees the experience they want while protecting corporate data, but it requires a mindset shift from one of restriction to one of enablement.”
Mobile apps are at risk
As the future of work evolves toward mobility, so will the future of data breaches and cybercrime. Recent attacks targeted mobile apps and operating systems to exfiltrate sensitive data, and many enterprises were unprepared. For example, iOS apps that are infected with XcodeGhost malware can collect information about devices and then encrypt and upload that data to servers run by attackers. Malware detection company FireEye identified more than 4,000 infected apps on the App Store, and mobile app risk management company Appthority found that almost every organisation with at least 100 iOS devices had at least one infected device.
The challenge with mobile devices and apps is that the user — and not the IT administrator — is generally in control. Devices fall out of compliance for a variety of reasons. For example, a device will fall out of compliance if the user jailbreaks or roots their device, if the device is running an old version of the operating system that IT is no longer supporting, or if the user installed an app that IT has blacklisted. MobileIron has found that:
- One in 10 enterprises has at least one compromised device accessing enterprise data.
- More than 53 percent of enterprises have at least one device that is not in compliance with corporate security policies.
In these scenarios, traditional security technologies can’t take the necessary actions to protect corporate data, but MobileIron can. When a device falls out of compliance, MobileIron automatically takes actions to protect corporate information, such as sending an alert to the user, blocking the device and apps from accessing corporate resources, or even wiping all corporate email and apps.
“Today’s organisations have far too many disparate security technologies that are rarely fully integrated with each other. Even when integrated, they rarely include information about mobile devices and apps,” Raggo continued.
“The good news for companies using an enterprise mobility management solution is that they have the information they need about the state of mobile devices and apps to protect corporate information.”
Top reasons devices fall out of compliance
Businesses that use enterprise mobility management (EMM) solutions like MobileIron can set policies to ensure that the right employees have the right mobile access from the right device. If IT administrators don’t automate the quarantining of devices when they fall out of compliance, corporate data can be put at risk.
These are the top reasons that devices fell out of compliance with corporate policies:
- Device is out of contact with the EMM platform
- Administration has been deactivated so that the EMM solution can no longer take remote action on a device
- Device is not in compliance with rules that either block, require, or allow a particular app
Time to rethink mobile security
With cyber attackers using mobile malware to steal sensitive corporate data, enterprises should consider data loss protection solutions as part of their security strategies. Even one compromised device can make businesses vulnerable to costly attacks.
“Companies that rely on legacy security technologies without a presence on a mobile device or those that only use ActiveSync to manage mobile devices are very vulnerable to breach,” said Raggo.
“Companies using an EMM solution can rely on several proactive and reactive countermeasures, including the ability to detect risky apps and behaviors, quarantine devices, and perform selective wipes, among others.”