One in ten companies ‘have compromised devices’

One in ten enterprises have at least one compromised mobile device on their networks, according to a new study, which found that the number of companies with suspect systems grew by 42 percent during the fourth quarter of last year.

The Q4 2015 Mobile Security and Risk Review, based on customer data from corporate mobile management firm MobileIron, also found that attackers are growing more sophisticated in making compromised hardware harder to spot.

The findings highlight the increasingly complex problem of managing corporate devices, which have proven an effective way to penetrate a company’s network.

“A single compromised device can introduce malware into the corporate network or enable the theft of sensitive corporate data that resides behind the firewall,” said MobileIron Security Labs director Michael Raggo.

“Whether a company loses millions of records or just one record it’s still a breach. For all companies, but particularly ones in highly regulated industries, this is a huge problem.”

MobileIron said its study considers jailbroken or rooted devices – which are easier for attackers to take control of – as compromised. The firm said it had uncovered numerous variants of anti-detection tools that hide the fact that a device is compromised, creating a “false sense of security”.

The study also found that more than half of enterprises have at least one non-compliant device, including devices with PIN protection disabled, lost devices or devices that lack up-to-date policies.

“Non-compliant devices create a broader attack surface for malware, exploits and data theft,” MobileIron stated.

Twenty-two percent of enterprises had users who had disabled PIN access, MobileIron said.

Other findings included that less than 10 percent of companies enforce device patching, creating security risks, while more than 95 percent of companies had no protection against mobile malware.

Security researchers have said attackers are increasingly taking advantage of the relative lack of security protections on mobile devices to take over the units and use them to gain access to corporate networks.

Earlier this month researchers discovered Android malware that spreads via malicious advertisements found on websites, including pornographic sites, and seeks to take complete control of a targeted device. The “HummingBad” malware was found on the devices of two employees at a major financial services institution, according to IT security firm Check Point.

Researchers have also highlighted that because mobile devices aren’t patched as regularly as full-blown computers, they are relatively easy to attack using known vulnerabilities.