Reports released this week found that outdated versions of Flash and Java are common, mobile apps are still insecure and data breaches hurt consumer confidence.
This past week was another busy week for security research and statistical reports covering a diverse array of topics, including phone fraud, patching levels, mobile apps and distributed denial-of-service (DDoS) costs.
in a May 10 report found that 25 percent of all Windows devices are running outdated and unsupported versions of Internet Explorer. Examining the update status for the major browsers, Duo Security found that Google's Chrome browser is the best, with 82 percent of users up-to-date. In contrast, only 66 percent of Firefox browser users are running the latest version, which is still better than Microsoft's Edge and Internet Explorer 11 users at a 58 percent update rate.
Beyond just the browser, plug-ins are also out-of-date on the majority of systems. Duo Security reported that 72 percent of the systems it surveyed were running an outdated version of Java, while 60 percent were running an out-of-date version of Flash.
in a May 11 study examined IT professional confidence in data breach detection skills. The report reveals contradictory results about how IT professionals view their security response readiness for a potential incident.
Somewhat aligned with Duo Security's findings, Tripwire's research showed that not all organizations are patching all systems quickly. In fact, 40 percent of organizations polled admitted to applying less than 80 percent of patches successfully.
Tripwire found that 92 percent of respondents indicated that their organization's vulnerability scanning systems would generate an alert within minutes or hours if an unauthorized device was discovered on the network. That said, 77 percent, admitted that they can only automatically discover 80 percent or less of the devices on their networks, which means there is a visibility gap.
Additionally, 29 percent of organizations are unable to detect all file access attempts that are made without the appropriate privileges, according to Tripwire.
A number of studies looked at security-related costs due to vulnerabilities and breaches. FireEye
released its data breach cost report on May 10, revealing that 76 percent of respondents would likely take their business away from a vendor that had demonstrated negligent data handling practices.
The study also found that more than half (52 percent) of consumers would consider paying a premium for a product or services in order to get better data security. The same percentage of consumers also noted that security is an important buying consideration for products and services.
Emerson Network Power
in a May 12 report provided insight into DoS-related costs. The report found that from 2010 to 2015, DoS attack frequency increased by 59 percent. For 2015, Emerson Network Power reported that a total outage DoS attack had an average cost of $610,300 while attacks that did not result in a total outage had an average cost of $36,800.
in a May 10 report examined the state of phone fraud and its related costs. Among the top findings of the reports is that in 2015 an average of $0.65 was lost to fraud per call. As such, Pindrop estimates that a call center that receives 40 million calls per year could lose as much as $27 million a year from phone fraud.
Mobile App Security
Mobile security vendor Wandera
published a report this past week on the security of 10 top enterprise apps. Shockingly, Wandera found that all 10 of the top 10 apps analyzed were vulnerable to at least three of the OWASP (Open Web Application Security Project) top 10 mobile risks.
In summary, out-of-date versions of Flash and Java are still common, phone fraud is a costly problem, mobile apps are still insecure and data breaches impact the confidence of consumers. Most of the results weren't surprising, given the trends that have been common in the past few years, but once again, seeing data provides a degree of validation that the trends are real.
Sean Michael Kerner is a senior editor at
InternetNews.com. Follow him on Twitter @TechJournalist