I was recently involved in developing a new e-guide, “Curing the Cause of Common Mobilephobia,” which focuses on the most common fears CISOs and organizations contemplate when they consider deploying a mobile security strategy.

As I researched these fears, I came across some interesting facts and statistics. What I tend to find with data is that the more I look and think about a stat, the more interesting angles I find within the data point. This happened when I started delving into the challenges of deploying a mobile security strategy and the need to manage a multi-OS bring-your-own-device (BYOD) environment, so I’ll share some of those thoughts with you here.

The Fear of Rogue Devices

For a security expert, there are few things scarier than losing control. After all, managing security is all about controlling and eliminating the variables in order to identify anomalies and reduce risk. To excel in a security role, you really have to be somewhat of a “control enthusiast,” and the nature of mobile and especially BYOD is such that the CISO loses some of that control.

BYOD means that the CISO no longer has a homogeneous environment with a complete inventory of devices and a nice clear view into each. End users are now in control of the device and make decisions about the make and model, what level of security to implement, what apps to install and even when or if they will install app patches or upgrade the operating system (OS). This leaves the CISO with the challenge of managing and securing a multiplatform and multi-OS environment, which is very different from how the CISO manages laptops and other remote devices.

With remote devices, the CISO deploys a standard hardware platform with a standard image and locks down that device. It can then be monitored remotely, with upgrades and changes pushed to it as needed. That is simply not the case with mobile devices.

What Do We Really Mean by Multi-OS?

This is where it gets interesting. In September, Apple released iOS 9 to the market. This was a highly anticipated launch, and end users couldn’t wait to get their hands on it. According to a press release from Apple, more than 50 percent of Apple devices had upgraded to the new OS in less than one week, which was the fastest rate of adoption for any release. The CISO suddenly had a significant number of devices accessing the enterprise with no idea what risks the new OS might introduce.

Less than two months later, the number of devices upgraded has grown to 66 percent, as measured by the devices accessing the Apple App Store. On the surface, that seems scary enough, but as I consumed that stat I came up with an interesting angle on this situation. If 50 percent, and now 66 percent, of the Apple devices in the market were suddenly running iOS 9, that means the other 50 percent (now 34 percent) are running something else. The immediate thought is iOS 8, right? But that isn’t necessarily the case.

Many of the users who didn’t immediately upgrade to iOS 9 never upgraded to iOS 8, either — or, for that matter, to any of the previous iOS iterations. When I looked at the Android platform, I found a similar situation with adoption rates. The most recent Android report I could find was from before Android Marshmallow. It indicated that only about 23 percent of devices had been upgraded to Lollipop, with 38.9 percent running KitKat and 30.2 percent running Jelly Bean. Talk about a wide distribution of systems to support!

Embrace a Mobile Security Strategy That Eliminates Fear

Worrying about operating systems and mobile security strategies is not an irrational fear!

While a new OS represents its own challenges, the fact of the matter is that the CISO also has to worry about all previous versions of the system and the devices that have never been upgraded. These devices running older versions of the operating system may be even more dangerous than the newest upgrade since the older versions could have known security vulnerabilities.
