Q&A: The mobile threat landscape

1. What is the Mobile Security and Risk Review?

The Mobile Security and Risk Review from MobileIron is a quarterly publication that outlines the threats facing enterprises across the globe when it comes to their mobile devices, combining data from various regions to identify threats and trends.

For the first time, the report is also comparing the performance of enterprises and governments from different countries, looking at how they are approaching common issues such as policy updates, compliance and which apps are restricted.

2. What threats have increased over the last quarter?

The biggest threats we have seen to mobile security are not necessarily viruses or malware but the actions of employees.

The three major issues that have risen in the past quarter are devices with out-of-date policies, devices that are missing and devices on which the EMM controls have been disabled.

While viral and malware threats have yet to result in a major enterprise breach, they continue to increase in both variety and level of sophistication. Most recently, we have seen the AceDeceiver iOS malware, which can abuse flaws in Apple DRM to re-install itself even though the infected apps have been removed from the App Store, and the Godless Android Malware, which includes exploits that could potentially allow this malware to “root” devices over the air.

While not just applicable to mobile, recent high-severity OpenSSL issues also pose a significant risk. Because OpenSSL is an open source component used by many developers, these vulnerabilities could potentially impact a large number of applications and services and the nature of the vulnerabilities is such that, if left unpatched, traffic could be decrypted.

3. What threats have decreased?

Instances of both compromised devices and devices where the PIN was removed have reduced. This is good news for enterprises across the globe as it demonstrates that employees are wising up to security policy on their mobile devices and recognising its importance.

While it has reduced from 10 per cent in Q4 2015 to 9 per cent in Q2 2016, compromised devices, in particular, are still a very serious threat for an organisation. Also known as being jailbroken or rooted, a compromised device is one where the security of the OS has been bypassed, which can give the user privileges to remove restrictions – essentially, giving them the keys to the city.

Continuing education for employees and centrally enforcing security policies on mobile devices will be key to seeing this downward trend progress.

4. Have any remained at the same level?

There have been some threats that have continued at the same level from 2015 and into 2016.

Out-of-compliance devices have remained flat, with more than 50 per cent of companies having at least one device out of compliance in Q2 2016, making them very vulnerable to being compromised or attacked.

Also unchanged from 2015 is that only 8 per cent of companies are enforcing updates. The major OS vendors are taking security seriously, each delivering three OS updates in Q2. These updates include patches for several critical vulnerabilities but if IT is not requiring these updates to be applied, they remain at risk for having the vulnerabilities exploited. Not requiring OS updates is essentially choosing to leave security gaps unaddressed.

Lastly, the take-up of app reputation and/or mobile threat detection has remained low – less than 5 per cent of companies have deployed such software across their EMM platforms.

These tools are great at helping companies gain greater visibility into the behaviour of applications, defend against malware and create profiles that define acceptable and unacceptable characteristics of apps.

5. Which apps are most likely to be blacklisted by companies?

There has been some change to the most blacklisted apps from Q4 2015 to Q2 2016. Line and Evernote have made their debuts at numbers five and ten respectively, while Facebook has moved up to second place and Skype has risen five places from ninth to fourth.

Interestingly, OneDrive has dropped from fourth to seventh, with Google Drive making a similar transition from fifth to eighth, perhaps reflecting their take-up in businesses. Dropbox, meanwhile, remained at the top, most likely due to the security issues the password-only protected cloud storage provider presents to enterprises.

What is very interesting from this list is how it demonstrates the tension between IT and employees – the workforce wants to use the consumer apps they know and love at work, while IT is thinking about the security risks these can pose.

6. How do governments compare to businesses?

Naturally, governments have the most stringent IT security requirements given that they deal with the most sensitive data.

However, the constantly changing pace of mobile technologies has caught up with them and there are some serious issues faced by governments across the world that need to be dealt with. In all cases, this has led them to fall behind enterprises.

Government organisations that have at least one non-compliant device are 8 per cent higher when compared to the average of 53 per cent for enterprises. The same is true for missing devices, with governments at 48 per cent compared to 40 per cent of businesses.

There is also significant disparity when it comes to out-of-date policies, 34 per cent compared to the global average of 27 per cent. However, there is only a slight difference in users deleting the EMM app, which is only 1 per cent higher than enterprises at 28 per cent.

7. How do the UK enterprises compare to the rest of the world when it comes to mobile security?

On average for this quarter, UK enterprises have actually outperformed many other countries.

In particular, UK workers are least likely to have removed the EMM profile from their device – only 17 per cent have done so, with the worldwide average being 26 per cent. The same is true for compromised devices, with the UK at 4 per cent against an average of 9 per cent, and also with devices out of compliance, where the UK is 11 per cent below the global average of 50 per cent.

However, when it comes to missing devices, the UK is towards the top end of the spectrum with 30 per cent compared to the global average of 40 per cent and also 21 per cent using old policies compared to 27 per cent.

8. What recommendations are available for businesses to protect themselves from mobile threats?

Of course, the question of how to protect comes down to how much it is going to cost – and protection will always seem expensive at first. But when compared to the cost of a breach or an attack, prevention is definitely better than cure.

The first step is to protect all IT assets. Enterprises typically manage only a fraction of mobile devices through EMM, and every unmanaged device is an opportunity for a user to make a mistake or a target for an attacker. It is IT’s responsibility to ensure mobile security controls are deployed on every device used to access corporate data.

Secondly – enforce security. In BYOD deployments, ensure that IT can control access to enterprise resources from personal devices (e.g. by blocking access for devices that do not comply with corporate policies or that have had EMM controls removed). For corporate-liable deployments, the rights to delete EMM off a device should not rest with users as this is IT’s territory. The Apple Device Enrolment Program (DEP), Samsung KNOX and Android for Work Device Owner are options to ensure that IT remains in control of mobile devices that belong to the enterprise.

Through EMM, all the tools to protect corporate data on mobile devices are already there; IT just needs to implement them.