Unpatched Vulnerabilities in BYOD Environments Leave Organizations Exposed to Attacks

With botnets, DDoS attacks, and secret lists of exploits being all over the news in recent months, vulnerabilities should be top of mind for anyone who's concerned with cyber security, especially vulnerabilities in consumer devices.

While CISOs, IT administrators, and other security professionals will know better than to allow unsecured, vulnerable IoT devices in internal networks, the personal devices employees connect to networks can be just as risky.

BYOD environments, according to 2016 data from the Harvard Business Review, may actually be on the decline. However, more employees than ever are bringing personal devices to the office — perhaps even in defiance of organizational security requirements. "BYOD increased from 80% to 90% overall although the 'officially allowed' [BYOD policies] dropped by 18 percentage points," wrote Jane McConnell for the Harvard Business Review.

Those personal devices are often rife with known-yet-unpatched vulnerabilities.

Android devices, for example, are rarely updated by their users. In March 2017, Wired reported that "half of Android devices [went] unpatched in 2016." Even more chilling: "Less than three percent of Android phones run the operating system's latest version, Nougat." (Devices that run iOS have low update rates as well.)

Users remain the No. 1 weak link in security architecture. User reluctance to install updates and apply patches appears to be persistent. Such reluctance leaves their devices prone to exploits, obviously — but when those devices come into contact with corporate networks, the user's exposure becomes the organization's exposure.

It is likely that the best solution to the problem of user-introduced vulnerabilities is a combination of more robust network access control and better user education.

Network access control solutions can limit or block access for noncompliant devices. OPSWAT and OPSWAT's partners offer a number of solutions for more robust network access control.

User education is another major area where much progress can be made. Users may not fully comprehend the sheer volume of threats awaiting them and their employers on the internet — the place where they shop, socialize, read, entertain themselves, and conduct business every day. And they may not realize just how important it is to install updates and keep software updated in order to patch vulnerabilities.

They may not even be familiar with the concept of "vulnerabilities" or the necessity of security patches.

Five out of 6 users are not even aware of Android security patches, according to a recent survey. User obstinance would be an uncorrectable problem; user ignorance, on the other hand, can be addressed with training and education.

And finally, solutions like MetaDefender Endpoint Management can aid with the problem of vulnerable user devices by checking the security and compliance posture of all endpoint devices connected to a network.