Some 60% of endpoints containing or accessing enterprise data are now mobile–and the majority of those do not have adequate security protections, according to Zimperium’s State of Enterprise Mobile Security Report, released Wednesday.

More than a quarter (27%) of enterprise mobile endpoints were exposed to device threats in the first half of 2019, the report found. Increasing the risk of mobile endpoint exposure is the fact that users are the admins on these devices, and fail to perform basic cyber hygiene practices including updating their OS and setting a PIN code.

SEE: Mobile device security: Tips for IT pros (free PDF) (TechRepublic)

Zimperium analyzed data from more than 45 million anonymized endpoints across hundreds of customers. Overall, both iOS and Android vendors created patches for 440 security vulnerabilities in the first half of 2019, the report found.

Apple patched 185 CVEs (Common Vulnerabilities and Exposures), an increase from 120 during the same timeframe last year. Some 62% of the CVEs were considered “critical” security risks, while 25% were considered moderate risk, and 13% were considered low risk.

Android patched 255 CVEs in the first half of the year, a decrease from 492 the year before, the report found. Only 20% of Android CVEs were categorized as “critical,” while 79% were considered high risk, and 2% were considered low risk.

When it comes to installing OS patches and updates, Android devices continue to lag behind iOS ones, the report found: 60% of Android devices studied were more than five versions behind the latest release, compared to only 28% of iOS devices. Perhaps most notably, 38% of Android devices were on version 6.0.1—seven versions behind the latest one.

While it’s difficult to compare Apple and Android patches—as Apple’s are more frequent and granular—this is still a significant difference, the report noted.

Many of the device risks found were consistent between enterprise and consumer users, the report found, including lack of a PIN passcode and lack of encryption, along with being open to enabling mobile app development and USB debugging.

“It is no longer a matter of if or when an enterprise’s mobile endpoints are at risk—they already are,” the report stated. “As attackers continue to get more creative and take advantage of the lack of mobile security/visibility, mobile risks and threats are increasing in both quantity and

For more, check out Executive’s guide to mobile security (free ebook) on TechRepublic.

Also see

Image: Angela Lang/CNET