MobileIron released its second edition of the Mobile Security and Risk Review 2016 today as a way to bring awareness to the challenges enterprises have with protecting their data on mobile apps and devices. The review also highlights the increase in mobile attacks and how enterprises are failing to take adequate measures to protect their organization.
MobileIron, an enterprise mobility-management company, highlighted emerging risks, what enterprises are doing to protect their data and devices, and which popular mobile enterprise apps and consumer apps are blacklisted.
According to James Plouffe, lead architect at MobileIron, new mobile threats that should concern enterprise customers have emerged in the past six months alone. MobileIron’s data showed that “enterprises continue to fall short when it comes to protecting corporate data on mobile apps and devices,” he said.
Also, the lack of security hygiene in the face of rising threats demonstrates that companies today are “complacent about mobile security,” said Plouffe.
Increase in mobile attacks
One key finding from the report is that mobile attacks are on the rise. Some of these threats include old tactics like SideStepper’s use of man-in-the-middle attacks against mobile device management, which are still effective in compromising personal and business data.
As a way to prevent mobile attacks, MobileIron suggested protecting all IT assets. Enterprises normally manage some of the mobile devices through enterprise mobility management (EMM), and each unmanaged device opens the door for attackers, the company said.
“It is IT’s responsibility to ensure mobile security controls are deployed on every device used to access corporate data,” said Plouffe.
Also, MobileIron recommended companies make sure that IT can control access to enterprise resources from personal devices.
“For corporate-liable deployments, the ability to remove EMM controls for a device should not rest with users, as this is IT’s territory,” said Plouffe. “Using the Apple Device Enrolment Program, Samsung Knox, or Android for Work Device Owner, are options to ensure that IT remains in control of mobile devices that belong to the enterprise.”
In general, most enterprises are still working on developing stronger mobile security awareness and enforcement, and Plouffe added that most enterprises that have EMM solutions already have the tools they need, “they just need to activate them.”
Government organizations struggle to keep pace
Another finding from this report is that government organizations seem to be falling short when it comes to security requirements. Because of the extensive approval processes, it’s challenging for these organizations to keep pace with change, which makes them more vulnerable to a variety of attacks.
According to the report, globally, government organizations are less prepared to deal with security incidents than the global average. The report also noted that 61% of government organizations have at least one non-compliant device, compared to the global average of 53%. Additionally, 34% of government organizations have devices operating under outdated policies, and 48% of government organizations have missing devices.
Part of the public sector lag comes from inadequate tooling and slow or outdated processes, wrote Sean Frazier, chief technical evangelist at MobileIron, in a blog post. Some government agencies aren’t using an EMM platform to manage their devices, which means they do not have a way to make it easier to update policies quickly and correctly, he wrote.
Other things to consider
The MobileIron report also found that there are trends in employee compliance incidents and enterprise security practices, like missing devices, out-of-date policies, enforcing operating system updates, and app reputation software. These incidents are often the cause of a security breach because they leave an app or device vulnerable to multiple attacks, according to the report.
MobileIron found that 40% of companies had missing devices and 27% had out-of-date policies. This compares with the fourth quarter of 2015, when 33% of companies had missing devices and only 20% had out-of-date policies.
For every budget-conscious IT organization, the big question is always “How much will this cost?” said Plouffe. While trying to secure mobile data and devices seems expensive, he said the most cost-effective approach is to follow this: “An ounce of prevention is worth a pound of cure.”
The full Mobile Security and Risk Review for the second quarter of 2016 is available for IT teams and organizations here.