The use of mobile apps for business is heating up, with 79% of companies using more than 10 apps for business, according to the third edition of the Mobile Security and Risk Review.
Nearly one in five organisations (18%) use a volume purchase program (VPP) to streamline enterprise app deployment to users.
The rate is significantly higher in the healthcare (29%) and government (25%) verticals. 13% of organisations use a device enrolment program (DEP), which offers more control over corporate mobile fleets.
With DEP, enterprises can enforce tighter restrictions on corporate-owned, supervised devices. Nearly one-quarter (22%) of healthcare organisations use DEP.
The most popular business apps in the world
For the first time, the Mobile Security and Risk Review includes a list of the most popular managed mobile business apps. The top ten most popular managed mobile business apps in the world include:
- Adobe Acrobat
- Pulse Secure
- Google Maps
“When a consumer app achieves broad consumer adoption, IT departments sometimes choose to block it because it can potentially access corporate data. IT can’t protect corporate data in apps they don’t manage,” said James Plouffe, lead security architect, MobileIron.
Mobile malware grows up
The end of 2016 was plagued with high-profile vulnerabilities and new malware families that were not present in the second edition of the Mobile Security and Risk Review.
The severity and sophistication of these attacks increased to unprecedented levels. Notable examples include:
- HummingBad Malware: infected 85 million devices.
- Pegasus: capable of intercepting virtually all communications.
- QuadRooter: detected on an estimated 900 million devices.
- The Godless Malware: infected 850,000 devices.
The state of mobile enterprise security
While mobile malware sophistication is on the rise, enterprises did little to improve mobile security best practices, even in highly regulated industries.
As part of enterprise policy enforcement, nearly half of companies (45%) did not enforce device policies.
At the same time, 29% of companies had at least one outdated policy, while 44% of companies had at least one missing device.
Out-of-date policies happen when the mobile IT administrator has changed a policy on the console but that change has not been propagated to all of the devices being managed. This is usually a result of user behaviour.
The percentage of companies with at least one missing device rose from 40% to 44% worldwide. This can be attributed in part to the global enterprise expansion of mobility and the greater number of mobile devices under corporate management, but the implications are extremely serious.
When an enterprise device is lost or stolen, the company risks losing much more than just the cost of the hardware. If enterprise data, such as personal employee or customer data, company financials, or other confidential information, falls into the wrong hands, the organisation can face tremendous legal, monetary, and reputation costs.
Alarmingly, just 9% of companies enforced OS updates, and this is one of the biggest causes of security vulnerability.
OS vendors know that hackers have mobile devices and apps in their crosshairs. These threats continue to evolve rapidly, so vendors are working harder to deliver security patches in the form of OS updates to protect users and data from the latest attacks.
Of course, in order to be effective, these updates must be installed. 2016 did see a positive trend in this direction because the number of organisations enforcing OS updates increased from 7.5% to 9%.
Enforcing OS updates is one of the easiest and most cost-effective ways to prevent attacks from exploiting holes in older operating systems.
In turn, 11% of companies had compromised devices accessing corporate data.
Users are always looking to get the apps and content they want in order to do their job, even if it sometimes means circumventing security controls.
Ensuring device compliance is the most important security precaution IT organisations can take. With the right EMM solution, IT can prevent compromised or noncompliant devices from accessing corporate resources until the issue is resolved.
“Mobile security is still a new competency for many organisations and their internal security policies and processes are not keeping up with the technology,” said Plouffe.