As the future of work evolves toward mobility, so will the future of data breaches and cybercrime. Recent attacks targeted mobile apps and operating systems to exfiltrate sensitive data, and many enterprises were unprepared. For example, iOS apps that are infected with XcodeGhost malware can collect information about devices and then encrypt and upload that data to servers run by attackers.
FireEye identified more than 4,000 infected apps on the App Store and mobile app risk management company Appthority found that almost every organization with at least 100 iOS devices had at least one infected device.
“As more business processes are mobilized, hackers look to mobile apps to capitalize on enterprises’ inability to prevent and detect mobile threats,” said Mike Raggo, Director of Security Research at MobileIron. “To protect sensitive data against the threats of tomorrow, enterprises need to rethink their security approach for a fundamentally different mobile architecture.”
The transformative power of mobility can only be realized by mobilizing core business processes. Rich ecosystems of third-party apps provide enterprises with powerful mobile tools that work out of the box.
The challenge with mobile devices and apps is that the user — and not the IT administrator — is generally in control. Devices fall out of compliance for a variety of reasons. For example, a device will fall out of compliance if the user jailbreaks or roots their device, if the device is running an old version of the operating system that IT is no longer supporting, or if the user installed an app that IT has blacklisted. MobileIron has found that:
- One in 10 enterprises has at least one compromised device accessing enterprise data.
- More than 53% of enterprises have at least one device that is not in compliance with corporate security policies.
“Today’s organizations have far too many disparate security technologies that are rarely fully integrated with each other. Even when integrated, they rarely include information about mobile devices and apps,” Raggo continued. “The good news for companies using an enterprise mobility management solution is that they have the information they need about the state of mobile devices and apps to protect corporate information.”
Employees may store corporate documents on personal Enterprise File Sync and Sharing (EFSS) apps, putting sensitive corporate data outside of IT’s protection. Five of the top ten consumer apps that are blacklisted by MobileIron customers are EFSS apps.
- Dropbox (EFSS)
- Angry Birds
- OneDrive (EFSS)
- Google Drive (EFSS)
- Box (EFSS)
- SugarSync (EFSS).
“Consumer versions of EFSS apps frighten IT departments because corporate data can wander away. Fortunately, enterprise versions of many of these apps are available,” said Raggo. “Enterprises can give their employees the experience they want while protecting corporate data, but it requires a mindset shift from one of restriction to one of enablement.”