Mobile and IoT applications continue to be released at a rapid pace to meet user demands, and despite widespread concern about their security, organizations are still ill-prepared for the risks they pose. In fact, for many apps, security isn't built in. Too often, the binary code is left unprotected, which allows easy entry for hackers and heightens the potential negative impact not only for the organization but also for its customers.
A new report from Ponemon Institute, IBM Security, and Arxan, titled “2017 Study on Mobile and Internet of Things Application Security”, examined the practices and opinions of IT and IT security practitioners. The report found that IoT and mobile app security is at considerable risk, because confusion over who owns security within the development, testing and implementation process persists. This highlights the laissez-faire attitude toward the security of mobile and IoT applications.
Let’s take a look at some of the detailed findings.
- Many organizations are worried about an attack against mobile and IoT apps that are used in the workplace - Organizations are having a more difficult time securing IoT apps. In fact, respondents are slightly more concerned about getting hacked through an IoT app (58 percent) than a mobile app (53 percent). However, despite their concern, organizations are not mobilizing against the threat. Forty-four percent of respondents say they are taking no steps and 11 percent are unsure if their organization is doing anything to prevent such an attack.
- 63% are not confident or have no confidence their organizations know all of the mobile applications used by employees - An even larger percentage of respondents (75 percent) are not confident (38 percent) or have no confidence (37 percent) they know all of the IoT apps in the workplace. However, respondents estimate that the average number of mobile apps in their organizations is 472 and the average number of IoT apps is 241.
- The functions most responsible for mobile and IoT security are outside the security function - Only 15 percent of respondents say the CISO is most responsible and only 11 percent of respondents say application development is primarily responsible for security of apps. In the case of IoT apps, only 5 percent of respondents say the CISO is primarily responsible. Instead, the head of product engineering and lines of business are most responsible (31 percent and 21 percent of respondents, respectively).
- Hacking incidents and regulations drive growth in budgets - Only 30 percent of respondents say their organization allocates sufficient budget to protect mobile apps and IoT devices. If they had a serious hacking incident, their organizations would consider increasing the budget (54 percent of respondents). Other reasons to increase the budget are if new regulations were issued (46 percent of respondents) or if they were exposed to media coverage of a serious hacking incident affecting another company (25 percent of respondents).
- Only 32% of respondents say their organization urgently wants to secure mobile apps - In fact, only 42 percent of respondents say it is urgent to secure IoT apps. Factors revealed in the study that might explain the lack of urgency include insufficient budget being allocated to the security of these apps and the fact that the individuals most often responsible for stopping attacks are not in the security function. Rather, they reside in the lines of business, development or engineering.
- Material data breaches or cyber attacks have occurred and are reasons for concern - Respondents report they know with certainty (11 percent), most likely (15 percent) or likely (34 percent) that their organization had a security incident because of an insecure mobile app. Respondents report they are less certain whether their organization had a material data breach or cyber attack due to an insecure IoT app: forty-six percent of respondents say such an incident occurred with certainty (4 percent), most likely (11 percent) or likely (31 percent).
- Almost half (48 percent of respondents) say security testing of IoT apps does not occur - On average only 29 percent of mobile apps and 20 percent of IoT apps are tested for vulnerabilities. An average of 30 percent of mobile apps tested contain vulnerabilities and an average of 38 percent of IoT apps tested contain significant vulnerabilities.
- Rush to release is the main reason why both mobile and IoT apps contain vulnerable code - Sixty-nine percent of respondents say pressure on the development team is why mobile apps contain vulnerable code, and 75 percent of respondents say the same reason contributes to vulnerable code in IoT apps. Accidental coding errors in mobile and IoT apps are another primary reason for vulnerable code (65 percent of respondents). An additional issue affecting the security of apps is the lack of internal policies or rules that clarify security requirements.