Many organizations are adopting mobile applications and deploying devices and apps connected to the Internet of Things, but are not taking enough actions to shore up the security risks associated with those apps.
That’s a key conclusion of a survey conducted by the Ponemon Institute, the “2017 Study on Mobile and Internet of Things Application Security,” which was sponsored by IBM and Arxan Technologies, a software security firm.
Mobile and IoT Application Security Fears Abound
According to the survey, many organizations are worried about an attack against mobile and IoT apps that are used in the workplace. Respondents said they are slightly more concerned about getting hacked through an IoT app (58 percent) than a mobile app (53 percent).
However, despite their concerns, organizations are not mobilizing against the threats, according to the survey. Forty-four percent of respondents said they are taking no steps and 11 percent are unsure if their organization is doing anything to prevent such attacks.
Malware is believed to pose a greater threat to mobile apps than IoT apps, Ponemon found. Fully 84 percent of respondents said they are very concerned about the threat of malware to mobile apps and 66 percent of respondents say they are very concerned about this threat to IoT apps.
Organizations acknowledged that bringing mobile and IoT apps into the workplace can lead to increased security risks. Seventy-nine percent of respondents say the use of mobile apps increases security risk very significantly or significantly, and 75 percent say the same thing about IoT apps.
One major potential reason for concern is that organizations have little to no confidence that they know about all mobile and IoT apps that are in the workplace. The survey found that 63 percent of respondents are not confident (30 percent) or have no confidence (33 percent) that their organizations know all of the mobile apps used by employees.
An even larger percentage of respondents (75 percent) are not confident (38 percent) or have no confidence (37 percent) that they know all of the IoT apps in the workplace. However, respondents estimate that the average number of mobile apps in their organizations is 472 and the average number of IoT apps is 241.
Little Urgency to Address Mobile and IoT App Risks
Mobile and IoT risks exist because end-user convenience is considered more important than security, the survey found. The security of apps often does not receive the priority it needs because of the pressure to ensure that mobile and IoT apps are easy to use, according to the survey.
Ponemon found that 62 percent of respondents rate end-user convenience as important when building and/or deploying mobile apps in the workplace, and 68 percent of respondents rate end-user convenience as an important consideration when building and/or deploying IoT apps in the workplace.
Further, the survey found that the people seen as most responsible for mobile and IoT security are not traditional arbiters of IT security like CISOs.
Only 15 percent of respondents say the CISO is most responsible for the security of mobile apps in the workplace, and only 11 percent of respondents say application development is primarily responsible. In the case of IoT apps, only 5 percent of respondents say the CISO is primarily responsible.
For mobile apps, the CIO/chief technology officer is considered most responsible (32 percent), followed by the head of a line of business (20 percent). For IoT apps, the head of application and lines of business are considered most responsible (31 percent and 21 percent of respondents, respectively).
Despite the risk, there is a lack of urgency to address the threat. Only 32 percent of respondents say their organization urgently wants to secure mobile apps and 42 percent say it is urgent to secure IoT apps.
Some of the factors behind the disconnect between the acknowledgment of security threats and a lack of urgency to address them include not enough budget being allocated to the security of these apps, and that the individuals most often responsible for stopping attacks are not in a CISO role.
Arxan CTO Sam Rehman said that there is also a misunderstanding in many organizations about what “hacking” means. “Most people look at hacking as, ‘I lost data,’ ” he said. That fails to acknowledge, however, that users and companies first opened the door to hackers via weak security, and that hacks happen on end-user devices as opposed to via breaches of firewalls. Rehman said most companies tend to overinvest in network security compared to what their risk profiles are.
Ponemon surveyed 593 IT and IT security practitioners who are involved in the security of mobile and IoT apps and are familiar with their organization’s security practices during the development of these apps and devices. Organizations participating in this study included users of mobile apps and IoT devices (44 percent and 48 percent, respectively), developers/manufacturers of mobile apps and IoT devices (27 percent and 21 percent, respectively) or both (29 percent and 31 percent, respectively).