Enterprises Complacent in the Face of Rising Mobile Threats


Evernote and Line Among Most Blacklisted Apps

Mountain View, Calif., August 2, 2016 – Enterprises continue to fall short when it comes to protecting corporate data on mobile apps and devices, according to the Mobile Security and Risk Review, released today by MobileIron (NASDAQ:MOBL). Mobile threats are on the rise but only 8% of companies are enforcing OS updates and less than 5% are using App Reputation or Mobile Threat Detection software.

 

The second edition of the Mobile Security and Risk Review updates Q4 2015 data and discusses an emerging set of threats and risks, including enterprise compliance failures, compromised devices, and data loss risks. For the first time, the review also identifies enterprise security trends on a geographic regional basis and for the government vertical.

 

Download the Mobile Security and Risk Review for Q2 2016 here: www.mobileiron.com/securityandriskreview.

 

“The velocity of mobile attacks is increasing but the latest data shows that enterprises are still not doing the things they could be to protect themselves,” said James Plouffe, Lead Architect, MobileIron. “This lack of security hygiene demonstrates that enterprises are alarmingly complacent, even when many solutions are readily available.”

Mobile Attacks on the Rise

The report outlines several new mobile attacks that threaten enterprises. Most simply reuse old tactics against mobile-specific services, such as SideStepper’s use of Man-in-the-Middle (MITM) against MDM, rather than employing new techniques or exploiting new vulnerabilities. However, when attacks against users are successful, they can result in the loss of both personal and business data.

 

The following mobile attacks either emerged or worsened in the last six months:

  • Android GMBot: This spyware remotely controls infected devices in order to trick victims into providing their bank credentials.
  • AceDeceiver iOS malware: This malware is designed to steal a person’s Apple ID.
  • SideStepper iOS “vulnerability”: This technique was discovered to intercept and manipulate traffic between an MDM server and a managed device.
  • High-severity OpenSSL issues: These vulnerabilities can potentially impact large numbers of applications and services, which could ultimately jeopardize enterprise data-in-motion.
  • Marcher Android malware: This malware has evolved to mimic bank web pages that trick users into entering their login information through e-commerce web sites.

 

Mobile security practices largely unchanged in the face of new threats

Security incidents are often the precursor to a breach because they leave a device or app vulnerable, which can put enterprise data at risk. This quarter saw a number of trends in employee compliance incidents and enterprise security practices, including:

  • Missing devices: 40% of companies had missing devices, up from 33% in Q4 2015.
  • Out-of-date policies: 27% of companies had out-of-date policies, up from 20% in Q4 2015.
  • Enforcing OS updates: 8% of companies were enforcing OS updates, which was comparable to Q4 2015.
  • App reputation software: Less than 5% of companies deployed app reputation software, which was comparable to Q4 2015.

 

For the full list of trends, go to: www.mobileiron.com/securityandriskreview.

 

Evernote and Line among most blacklisted consumer apps

The top 10 consumer unmanaged apps most often blacklisted by enterprises changed from Q4 2015 to Q2 2016. New entrants to the top 10 list include Line and Evernote. The top 10 consumer unmanaged apps most often blacklisted in Q2 2016 include:

 

  • Dropbox
  • Facebook
  • Angry Birds
  • Skype
  • Line
  • Box
  • OneDrive
  • Google Drive
  • Twitter
  • Evernote

 

“When an unmanaged app that can potentially access corporate data or bypass corporate security measures achieves broad consumer adoption, IT departments look to blacklist it because they can’t protect corporate data in an app they don’t manage,” said Plouffe.

 

The top third-party apps (i.e., managed apps) most often deployed by enterprises also changed since MobileIron last reported them. New entrants include Accellion, Acronis Access, Breezy, PocketCloud and Roambi Analytics. Goodreader, Google Docs, Microsoft Office Suite, Skype for Business, and Xora Mobile Worker dropped off the top 10 list.

 

The top third-party apps most often deployed by enterprises in Q2 2016 included:

 

  • PocketCloud Remote Desktop
  • Salesforce
  • Breezy
  • Cisco Webex
  • Box
  • Cisco AnyConnect
  • Accellion
  • Acronis Access
  • Roambi Analytics
  • Evernote

Government organizations struggle to keep pace

Government organizations are known for having some of the most stringent security requirements. Paradoxically, extensive approval processes make it difficult for these organizations to keep pace with change, which can make them more vulnerable.

 

Globally, Government organizations are less prepared to deal with security incidents than the global average.

  • 61% of Government organizations have at least one non-compliant device, compared with the global average of 53%.
  • 48% of Government organizations have missing devices, compared to the global average of 40%.
  • 34% of Government organizations had devices operating under outdated policies, compared to the global average of 27%.

 

iOS Remains Dominant in the Enterprise

The share of iOS devices grew from 78% in Q4 2015 to 81% in Q2 2016. The share of Android devices remained flat at 18% during this timeframe.

 

About the Mobile Security and Risk Review

The second edition of the Mobile Security and Risk Review is based on aggregated, anonymous usage data shared by customers that was compiled from April 1, 2016 through June 30, 2016.

 

About MobileIron

MobileIron provides the secure foundation for companies around the world to transform into Mobile First organizations. For more information, please visit www.mobileiron.com.