Just four per cent of enterprise mobile devices have been patched to protect against the Meltdown and Spectre vulnerabilities discovered in modern processors.
According to an analysis of corporate-owned and managed mobile devices by security firm Bridgeway, mobile security is not as much of a priority as more traditional PC and server security concerns.
However, the company said these devices increasingly hold significant amounts of sensitive corporate data, meaning they also require robust security measures.
The research found that at least 72 per cent of devices are still exposed to these vulnerabilities, while a further 24 per cent are also thought to be vulnerable but are currently impossible to patch because of their age.
Bridgeway said these older mobile devices are typically running obsolete versions of operating systems (OS), such as versions of Android older than Marshmallow, which may never be patched by vendors and mobile network operators. This is because they will be unsupported by their hardware and OS manufacturers. In these cases, the only option is to replace the devices.
Jason Holloway, Bridgeway managing director, said: “It’s worrying that only four per cent of organisations have applied updates to protect their devices against Meltdown and Spectre: it means the majority of companies are needlessly exposing their users, devices and more importantly, corporate data, to the risk of interception and exfiltration.
“Mobile devices are the new target for hackers, who will be looking to exploit these flaws as quickly as they can. Organisations need to patch their mobile devices now, before they can be targeted.”
Bridgeway advised organisations to check device manufacturers’ websites for the availability of updates, and to systematically apply them across their device estates as soon as possible.
It also advised that companies consider an enterprise mobile management solution to disable untrusted sources, prevent users from installing potentially malicious apps that could exploit the vulnerabilities, and validate that the devices and apps accessing corporate networks are secured, managed, and authorised.