How secure are the devices connecting to enterprise assets?
Most enterprises have accepted that their employees will use their own various, often mobile, devices to access company assets, and have realized that the defined, more easily secured network perimeter is a thing of the past. All that remains for them is to make sure these devices are as secure as they can be.
Duo Security, whose two-factor authentication solution is installed on over 2 million devices (laptops, PCs, mobile phones and tablets), has a good vantage point for evaluating the security health of these devices, as the authentication app collects data about devices, including details about OS, browser, Java and Flash versions.
Here is what they found:
- 2% of Windows users are running unsupported OS versions, including Windows 8 and XP.
- 8% of Apple users are running unsupported versions of OS X (10.8 and earlier).
- 25% of all Windows devices are running outdated and unsupported versions of Internet Explorer. This may expose unpatched Windows users to more than 700 known vulnerabilities.
- 82% of Chrome users are up to date, compared to 66% of Firefox users, and 58% of Edge and IE 11 users.
- 60% of Flash users and 72% of Java users are running an outdated version.
- 78% of the devices have Java uninstalled on their browsers, compared to only 20% of devices with Flash uninstalled.
The company posits that Chrome users may be more up to date than users of other browsers since Google rolls out updates and new versions automatically, without requiring approval from the user. It also posits that Mac users are generally more up to date than Windows users because Apple has less trouble than Microsoft with pushing out stable updates, and users are not reluctant to implement them.
Running outdated and unpatched OSes and software helps attackers find a way to compromise devices. And when these devices are used to access company assets, the danger is compounded.
Safety tips for businesses
Duo Security urges companies to:
- Use solutions that will allow IT admins insight into the security health of devices that are allowed to connect to company systems and networks
- Configure systems and deploy policies that enable automatic updates (where possible)
- Disable Java and prevent Flash from running automatically on corporate devices
- Encourage safe computing practices and good security hygiene (regular updating, using device encryption, securing the device with a passcode, etc.)