I was recently involved in developing a new e-guide, “Curing the Cause of Common Mobilephobia,” which focuses on the most common fears CISOs and organizations contemplate when they consider deploying a mobile security strategy.
As I researched these fears, I came across some interesting facts and statistics. What I tend to find with data is that the more I look and think about a stat, the more interesting angles I find within the data point. This happened when I started delving into the challenges of deploying a mobile security strategy and the need to manage a multi-OS bring-your-own-device (BYOD) environment, so I’ll share some of those thoughts with you here.
The Fear of Rogue Devices
For a security expert, there are few things scarier than losing control. After all, managing security is all about controlling and eliminating the variables in order to identify anomalies and reduce risk. To excel in a security role, you really have to be somewhat of a “control enthusiast,” and the nature of mobile and especially BYOD is such that the CISO loses some of that control.
BYOD means that the CISO no longer has a homogeneous environment with a complete inventory of devices and a nice clear view into each. End users are now in control of the device and make decisions about the make and model, what level of security to implement, what apps to install and even when or if they will install app patches or upgrade the operating system (OS). This leaves the CISO with the challenge of managing and securing a multiplatform and multi-OS environment, which is very different from how the CISO manages laptops and other remote devices.
With remote devices, the CISO deploys a standard hardware platform with a standard image and locks down that device. It can then be monitored remotely, with upgrades and changes pushed to it as needed. That is simply not the case with mobile devices.
What Do We Really Mean by Multi-OS?
This is where it gets interesting. In September, Apple released iOS 9 to the market. This was a highly anticipated launch, and end users couldn’t wait to get their hands on it. According to a press release from Apple, more than 50 percent of Apple devices had upgraded to the new OS in less than one week, which was the fastest rate of adoption for any release. The CISO suddenly had a significant number of devices accessing the enterprise with no idea what risks the new OS might introduce.
Less than two months later, the share of devices upgraded has grown to 66 percent, as measured by the devices accessing the Apple App Store. On the surface, that seems scary enough, but as I consumed that stat I came up with an interesting angle on this situation. If 50 percent, and now 66 percent, of the Apple devices in the market were suddenly running iOS 9, then the other 50 percent (now 34 percent) are running something else. The immediate thought is iOS 8, right? But that isn’t necessarily the case.
Many of the users who didn’t immediately upgrade to iOS 9 never upgraded to iOS 8 either or, for that matter, to any of the previous iOS iterations. When I looked at the Android platform, I found a similar situation with adoption rates. The most recent Android report I could find was from before Android Marshmallow. It indicated that only about 23 percent of devices had been upgraded to Lollipop, with 38.9 percent running KitKat and 30.2 percent running Jelly Bean. Talk about a wide distribution of systems to support!
Embrace a Mobile Security Strategy That Eliminates Fear
Worrying about operating systems and mobile security strategies is not an irrational fear!
While a new OS represents its own challenges, the fact of the matter is that the CISO also has to worry about all previous versions of the system and the devices that have never been upgraded. These devices running older versions of the operating system may be even more dangerous than the newest upgrade since the older versions could have known security vulnerabilities.
Market Segment Manager, Mobile Security, IBM