Pokemon Go puts enterprises at risk

The trends in gaming that pose security risks to the enterprise

While many argue the benefits of Pokémon Go, there’s no doubt that there are real and perceived dangers in playing the game. Aside from the player’s physical security (frightening sidenote: a native of my hometown was shot in San Francisco while playing the game), the application poses a significant risk to the security of corporate data. Below are eight statistics from a recent CloudLock report that show the risks of downloading Pokémon Go on a corporate device:

1. Pokémon Go only took one month to reach 100 million users

Pokémon Go reached the United States on July 6. Only one day later, the application was named the top downloaded iOS and Android game application and, shortly after, broke Apple download records. The application saw a fast rate of adoption, reaching 100 million users in just one month. Some of these users are authorizing the app with their corporate credentials (instead of a personal or throwaway account), opening the doors to huge corporate data exposure.

2. Users hunt Pokémon on average 33 minutes per day, 50% more than average daily Facebook use

A study by SensorTower shows iPhone users spend more time playing Pokémon Go than they do browsing Facebook, Snapchat, Twitter, or Instagram. In fact, the game is played for 50 percent more time than users spend on Facebook. With an app like Pokémon Go, you are authorizing it to act on your behalf. Whether you are online for 33 minutes or 24 hours does not matter: vulnerabilities are higher.


3. The number of installs using corporate credentials grew three times in the 12 days since the launch of the app

Pokémon Go announced a security vulnerability within the first weeks of the launch, which made the headlines, but this didn’t stop users from downloading it. There was a three-fold increase in the number of employees who installed the app using corporate credentials between the first and second weeks after launch. These users unknowingly authorized the app (and the vendor) to act on their behalf using their corporate credentials, exposing all of their corporate data and opening up wide gateways into corporate environments for cybercrime.

4. Nearly half of all organizations have employees who granted access to Pokémon Go using their corporate credentials

Based on CloudLock’s analysis of 900 corporate environments, 44 percent of all organizations have employees who used corporate credentials to grant Pokémon Go access. This presents a great deal of risk to corporate networks, as connected third-party apps are able to view, delete, externalize, and store corporate data.

5. On average, 5.8 percent of an organization’s employees have installed Pokémon Go   

Pokémon Go has attracted a wide array of users, most specifically those ages 25-34, which points to young professionals. While it only takes one employee to put corporate data at risk, an average of 5.8 percent of an organization’s employees have installed Pokémon Go. 

6. Some industries are seeing a greater impact 

CloudLock’s analysis revealed that one in two organizations have a Pokémon Go gateway into the corporate network, with the education, media and technology industries seeing the greatest impact. A K-12 institution, a university and a retailer were found with 4,468; 2,238 and 2,011 Pokémon Go users, respectively. With a huge number of employees opening up these gateways, security professionals working in these spaces should pay close attention to the use of the app within their organizations.

7. Only 12 percent of affected institutions have banned the app 

Despite the vulnerabilities of Pokémon Go accessing corporate environments, only a small percentage of affected organizations have banned use of the application. CloudLock’s Q2 cybersecurity report found that 27 percent of third-party applications connected to corporate environments are risky. Even though the game has been publicized as risky, the vast majority of affected organizations have yet to revoke its access to their network.

8. Pokémon Go is not an outlier 

It is the norm. Before the launch of Pokémon Go, CloudLock identified more than 150,000 unique apps connecting to corporate cloud environments, a number that increased by 30x in the last two years. Organizations need to develop a high-level strategy as well as a specific Application Use Policy to decide how to whitelist or ban applications, and share this vision with their end users. As the pace of disruption has increased exponentially, apps have a huge reach within corporate environments, and they are spreading more and more quickly.

Copyright © 2016 IDG Communications, Inc.
