Duo Security yesterday released the results of a study into the use of mobile devices on corporate networks. The company’s key finding is that unpatched and end-of-life devices are far more prevalent in the workplace than many had previously thought.
Based on data pulled from thousands of customer deployments across the globe, Duo Security made some startling discoveries, primarily concerning the iOS platform, but also surrounding the use of Android devices too.
On the iOS side, the company found that around 50% of Apple iPhones used in corporate settings were running outdated versions of iOS, with many still on version 8.3 (released in April 2015) and others on even earlier versions.
Even the recent release of iOS 8.4.1 was insufficient to prompt many users to upgrade – five days after the new update became available, only nine percent of phones had been through the update process.
Even more concerning, Duo Security found that 31% of iPhones were still running iOS 8.2 or an earlier version of the operating system, meaning they were missing a whole slew of security patches designed to mitigate the risk of Masque Attack, Quicksand, Insomnia and over 160 other known critical vulnerabilities.
The company also suggests there may be as many as 20 million outdated iPhones still in use in industry circles that cannot receive the latest operating system updates at all, leaving the owners of those devices exposed to even more vulnerabilities that have long since been fixed in newer releases.
As far as Android devices are concerned, risks are evident there too, though the picture doesn’t appear to be as severe as with Apple phones. Duo Security suggests that around 10% of Google-powered devices are still susceptible to the Stagefright vulnerability due to running on older versions of the operating system.
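The figures above all come down to one check a defender can automate: compare each device’s reported OS version against a minimum patched baseline and flag what falls below it. The script below is an added example, not code from Duo Security or from the study; the device inventory is constructed, the iOS thresholds (8.4.1 as the current release, 8.2 as the cutoff for the oldest cohort) are the ones quoted in this article, and the Android threshold is a placeholder you would replace with your own patch baseline.

```python
# Added example (not from the Duo Security study): classify an MDM/inventory
# export by OS version so outdated and legacy devices can be reported on.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    platform: str   # "ios" or "android"
    version: str    # dotted OS version as reported by the inventory export


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.4.1' -> (8, 4, 1). Raises ValueError on non-numeric input rather
    than silently treating a garbage field as 'up to date'."""
    return tuple(int(p) for p in text.strip().split("."))


def version_lt(a: str, b: str) -> bool:
    """True when version string a is older than b. Shorter strings are padded
    with zeros so '8.4' < '8.4.1' and '8.4' == '8.4.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def posture_report(devices: List[Device],
                   minimum: Dict[str, str],
                   legacy_cutoff: Dict[str, str]) -> dict:
    """Label each device and summarise the fleet:
       ok       - at or above the minimum patched version for its platform
       outdated - below the minimum, but newer than the legacy cutoff
       legacy   - at or below the legacy cutoff (missing large patch sets)
       unknown  - platform has no baseline, or the version string is unparsable
    Unknowns are reported separately so they cannot hide inside 'ok'."""
    labels: Dict[str, str] = {}
    for d in devices:
        if d.platform not in minimum:
            labels[d.name] = "unknown"
            continue
        try:
            if not version_lt(d.version, minimum[d.platform]):
                labels[d.name] = "ok"
            elif (d.platform in legacy_cutoff
                  and not version_lt(legacy_cutoff[d.platform], d.version)):
                labels[d.name] = "legacy"
            else:
                labels[d.name] = "outdated"
        except ValueError:
            labels[d.name] = "unknown"
    total = len(devices)
    counts = {k: sum(1 for v in labels.values() if v == k)
              for k in ("ok", "outdated", "legacy", "unknown")}
    below = counts["outdated"] + counts["legacy"]
    return {
        "labels": labels,
        "counts": counts,
        "below_minimum_pct": round(100.0 * below / total, 1) if total else 0.0,
    }


# iOS thresholds are the versions quoted in the article; the Android value is a
# placeholder baseline, not a figure from the study.
MINIMUM = {"ios": "8.4.1", "android": "5.1.1"}
LEGACY_CUTOFF = {"ios": "8.2"}

# Constructed sample inventory (device names and versions are made up).
SAMPLE_DEVICES = [
    Device("iphone-a", "ios", "8.4.1"),
    Device("iphone-b", "ios", "8.3"),
    Device("iphone-c", "ios", "8.2"),
    Device("iphone-d", "ios", "7.1.2"),
    Device("android-e", "android", "5.1.1"),
    Device("android-f", "android", "4.4.4"),
    Device("tablet-g", "windows", "10"),     # no baseline configured
    Device("iphone-h", "ios", "beta"),       # unparsable version field
]

if __name__ == "__main__":
    report = posture_report(SAMPLE_DEVICES, MINIMUM, LEGACY_CUTOFF)
    for name, label in report["labels"].items():
        print(f"{name:10s} {label}")
    print(report["counts"], f"{report['below_minimum_pct']}% below minimum")
```

The padding in `version_lt` matters in practice: inventories often report `8.4` for what Apple ships as `8.4.0`, and a naive string comparison would rank `8.10` below `8.9`. Keeping an explicit `unknown` bucket is the other design choice worth copying; a device whose version the script cannot read is exactly the one that should surface in the report, not disappear into the compliant count.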
Dug Song, CEO and co-founder of Duo Security, said:
Most companies today would never allow unpatched personal computers on their networks. Yet there is a double standard when it comes to mobile devices. Personal mobile devices are now de facto corporate devices. So companies need to review their policies on software patching and updates to reflect this new world of bring your own device (BYOD) to work. Companies can secure their networks with two-factor authentication and a wide variety of other security solutions, but unpatched devices still create significant risk for enterprise IT departments and network security.
Is your business heeding Song’s advice? Do you even have a BYOD policy, and do you know how your employees’ personal devices are interacting with your network?
If not, now is the time to change that: you don’t want to be one of the companies that has grown complacent about the risks posed by BYOD.