Analysis: How can you build mobile updates into your BYOD policy?
All smartphone users are familiar with the update process: every so often, your device receives an update that may change the user interface visually or alter the controls.
What a lot of people aren't aware of is that what looks like a purely cosmetic change often carries patches that close security vulnerabilities in the software.
This is all well and good in the consumer world; it’s up to people how secure they want their device to be and it is their responsibility to ensure that it is kept secure. If they don’t accept the update, it’s their problem.
However, in the occasionally murky world where consumer and enterprise mobile intersect, the issues of responsibility are less defined.
Especially in a Bring Your Own Device (BYOD) environment, an employee may choose not to install a vital update that fixes a critical vulnerability. If that employee then uses the device to access sensitive corporate information, the business has been exposed to a risk it could not directly have mitigated.
This comes in the wake of recent research showing how lax employees actually are in updating their devices.
Access security provider Duo Security analysed data from its installed base of over 1 million mobile devices and found that over 90 percent of Android devices were running out-of-date versions of the operating system.
32 percent of devices in use were running version 4.0 or older, meaning that they were vulnerable to the well-publicised vulnerability from last year, Stagefright.
Only 6 percent of Android devices, and only 20 percent of iOS devices, were running the latest version of their operating system.
This is not specific to operating systems. Duo Labs found that 32 percent of employees were using outdated versions of Internet Explorer, which has had 160 new vulnerabilities discovered in the last three years, and 22 percent of devices had outdated versions of Java, with over 250 known vulnerabilities.
As HPE’s Cyber Risk Report 2016 explains: "While vendors continue to produce security remediations, it does little good if they are not installed by the end user.
"Applying patches in an enterprise is not trivial and can be costly – especially when other problems occur as a result."
As with most things security-related, Apple devices have something of an advantage in this regard.
Wolfgang Kandek, CTO at Qualys, says that the user experience and approach of Apple has "helped everyday users get more familiar and comfortable with running their own updates over time."
Added to this, Apple exercises direct control over updates for all Apple devices, something that the fragmentation of the Android ecosystem has so far made impossible to replicate.
There are signs that Android device vendors are moving to establish tighter control over security updates, which until now has been split between handset vendors and service operators. Samsung, for example, has taken steps to centralise control by issuing monthly updates.
An obvious solution to the conundrum facing enterprises is to invest in a "corporate-owned, personally enabled" model – to buy devices in bulk to issue to the workforce and retain control over updates centrally within the organisation. This removes the problem of potentially recalcitrant updaters.
This means sacrificing the benefits of BYOD, however, including its inexpensiveness and the freedom it offers to employees.
More authoritarian employers might be tempted to impose a security policy on their workers and simply order them to keep their devices updated. But this is unenforceable, probably ineffective, and bound to stir resentment. You could reduce your exposure by banning certain types of device, but this causes some of the same problems.
So what is the solution? Security professionals seem to agree that a good first step is actually knowing what devices are accessing your network.
"Visibility is key to protection," says Gert-Jan Schenk, VP of EMEA at Lookout. "An organisation needs to have visibility into which devices it’s running on its network as well as which OS they’re running, which apps they’re running, which versions of those apps and so on."
Duo Technologies takes this to its natural conclusion; its new solution can detect whether a device is updated and then block people who haven’t updated from accessing key apps.
baramundi provides a dedicated dashboard that allows IT administrators to automatically inventory devices, define security rules and keep compliance in check.
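To make the "inventory, then gate access on patch level" approach concrete, here is a small posture check written for this article; it is not code from Duo, baramundi or any vendor named above. The minimum OS versions and the device inventory are constructed assumptions, and the check fails closed for unknown platforms or unparseable versions.

```python
"""Device-posture gate: decide whether a device may reach corporate apps.

Added example, not any vendor's code. MIN_OS and INVENTORY are constructed.
"""

# Assumed policy baseline: lowest OS version accepted per platform.
MIN_OS = {"android": (4, 1), "ios": (9, 0)}


def parse_version(text):
    """'4.0.4' -> (4, 0, 4); stops at non-numeric suffixes like '6.0.1-beta'."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_compliant(platform, version):
    """True only if the platform is known and the version meets the baseline."""
    baseline = MIN_OS.get(platform.lower())
    if baseline is None:
        return False  # unknown platform: fail closed rather than allow
    parsed = parse_version(version)
    return bool(parsed) and parsed >= baseline


def evaluate(inventory):
    """Return per-device allow/block decisions and the percentage blocked."""
    decisions = {}
    for dev in inventory:
        ok = is_compliant(dev["platform"], dev["os_version"])
        decisions[dev["id"]] = "allow" if ok else "block"
    blocked = sum(1 for verdict in decisions.values() if verdict == "block")
    pct = round(100 * blocked / len(inventory), 1) if inventory else 0.0
    return decisions, pct


# Constructed sample inventory, shaped like an MDM or agent export.
INVENTORY = [
    {"id": "dev-01", "platform": "android", "os_version": "4.0.4"},
    {"id": "dev-02", "platform": "android", "os_version": "6.0.1"},
    {"id": "dev-03", "platform": "ios", "os_version": "9.3"},
    {"id": "dev-04", "platform": "ios", "os_version": "8.4.1"},
    {"id": "dev-05", "platform": "windows", "os_version": "10"},
]
```

Running `evaluate(INVENTORY)` blocks the two devices below baseline and the unknown-platform device, giving a 60 percent block rate on this sample.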
Another possibility is a containerisation solution, which will segment corporate apps and can be configured to whatever security controls are necessary.
Todd Carothers, Executive Vice President of Marketing and Products, at CounterPath, explains:
"This means content restrictions such as copy and paste can be limited by IT as well as other important regulatory supportive restrictions."
The update problem is not simply down to enterprise IT to solve. The mobile industry as a whole, including device vendors, will also need to rethink their approach to updates in coming years, as it is not clear whether the record number of patches issued in 2015 is sustainable.
However, there is plenty that enterprises can do in the meantime to ensure that device updates or the lack thereof are not a security weak point.