More than 90% of Android devices are running outdated versions of the mobile operating system, according to cloud-based access security provider Duo Security.
The finding – based on an analysis of the security firm’s installed base of more than one million mobile devices – paints a worrying picture of the state of mobile device security in the enterprise.
With the growing number of personal mobile devices in the workplace, Duo Security said IT professionals must be aware of the risks and how to remediate them quickly.
Analysis shows that 32% of Android devices in use in enterprises today are running version 4.0 or older of the operating system, leaving them highly susceptible to vulnerabilities such as Stagefright.
The Stagefright vulnerability allows an attacker to compromise an Android device via a multimedia messaging service (MMS) message, such as a video or photo, potentially giving the attacker a foothold from which to reach corporate networks.
The study also found that one in 20 Android devices used in enterprises is rooted, which gives users privileged control over various Android subsystems and leaves the devices vulnerable to numerous attacks.
Outdated iOS devices a threat to enterprise
A similar analysis of Apple iOS devices revealed that only 20% of iPhones run the latest Apple operating system version, iOS 9.2, compared with just 6% of Android devices running the latest version, 6.0 (known as Marshmallow).
Outdated iOS devices have well-known vulnerabilities such as Ins0mnia and Quicksand that make these devices susceptible to attacks.
Duo Security estimates that more than 20 million mobile devices connected to enterprise networks are no longer supported by the device manufacturer. These devices therefore cannot be upgraded to the latest versions of the software, which would fix their vulnerabilities.
The security firm also notes that many devices still on the market cannot receive updates, meaning that even a newly purchased device may be a security concern for the enterprise.
Organisations need to educate users
While the findings of the study are concerning, Duo Security said that visibility and insight into the state of the devices accessing critical networks and applications is a powerful first step in securing the enterprise.
However, organisations are unlikely to be able to address this problem quickly if they leave mobile security entirely up to the IT department, without getting users to take some responsibility, said Henry Seddon, head of European operations at Duo Security.
“Users need educating, but organisations need to put in place systems that not only educate users, but can also encourage them and make it easy for them to upgrade to the latest versions of software,” he told Computer Weekly.
Failure to do this, he said, means systems will always tend to be out of date, which will open up organisations to malware and other forms of attack.
“It is up to everybody in the company to take responsibility for the company’s security and their own, and organisations need to provide the tools that stop them at key points, and encourage and enable them to follow best practice,” said Seddon.
Duo Security also recommended that IT professionals implement the following measures to reduce the risk of compromised mobile endpoints:
Establish basic mobile device security policies for the company and get buy-in from business managers.
Enable all employees to use passcodes and fingerprint screen locks to prevent trivial access to sensitive data on mobile phones.
Consider excluding phones that are jailbroken or rooted from access to corporate data and systems.
Provide helpful tips and reminders to users to check for updates on personal devices accessing company data.
Update or replace outdated hardware in use in the enterprise that may no longer be supported with security updates by the manufacturer.
Recommend that employees using Android devices consider Nexus handsets, which receive more frequent and direct platform updates.
Address common update issues up front with guidance on problems related to updating mobile devices, such as providing tips on freeing space for updates.
Use free tools to detect devices with particularly concerning vulnerabilities.