United States Government Employees Exposed to Mobile Attacks from Outdated Mobile Operating Systems

With bring your own device (BYOD) policies becoming more and more common in the workplace, this report is a prime example of how an organization may be left vulnerable if these policies are not properly implemented. Organizations need to ensure that employees are properly updating devices in an efficient manner. Failure to keep devices current could lead to those devices becoming the vector for initial access within an environment. An attacker may use a compromised device to access email, communication platforms, and passwords, or to pull contacts for more targeted phishing attacks.

User education regarding keeping devices up to date is important in BYOD environments, but user education is not effective on its own, as many people continue to fall victim to the same attacks. With this in mind, the best ways to minimize risk would be to limit BYOD as much as possible and to ensure users are using a VPN when accessing corporate information from their personal devices.

https://www.bleepingcomputer.com/news/security/us-govt-employees-exposed-to-mobile-attacks-from-outdated-android-ios/