Ponemon Institute just released the findings from the 2017 Study on Mobile and Internet of Things Application Security, sponsored by IBM and Arxan Technologies. The purpose of this research is to understand how companies are reducing the risk of mobile apps and Internet of Things (IoT) in the workplace.
The risks created by mobile apps have been well researched and documented. This study reveals how unprepared companies are for risks created by vulnerabilities in IoT apps. We surveyed 593 IT and IT security practitioners who are involved in mobile and IoT application security and familiar with their organization's security practices during the development of these applications and devices.
Organizations participating in this study are users of mobile apps and IoT devices (44 percent and 48 percent, respectively), developers/manufacturers of mobile apps and IoT devices (27 percent and 21 percent, respectively) or both users and developers of mobile apps and IoT devices (29 percent and 31 percent, respectively).
The risk of unsecured IoT apps is growing. Respondents acknowledge the risk of security vulnerabilities in both mobile and IoT apps. More respondents say IoT apps are harder to secure (84 percent) than say the same of mobile apps (69 percent). Additionally, 55 percent of respondents say there is a lack of quality assurance and testing procedures for IoT apps.
Following are key findings from this research:
Many organizations are worried about an attack against mobile and IoT apps that are used in the workplace.
As discussed previously, organizations are having a more difficult time securing IoT apps. In fact, respondents are slightly more concerned about getting hacked through an IoT app (58 percent) than through a mobile app (53 percent). However, despite their concern, organizations are not mobilizing against the threat. Forty-four percent of respondents say they are taking no steps, and 11 percent are unsure whether their organization is doing anything to prevent such an attack.
Malware is believed to pose a greater threat to mobile than IoT apps.
Eighty-four percent of respondents are very concerned about the threat of malware to mobile apps and 66 percent of respondents say they are very concerned about this threat to IoT apps.
The use of mobile and IoT apps is a threat to a strong security posture.
Seventy-nine percent of respondents say the use of mobile apps, and 75 percent say the use of IoT apps, increases security risk very significantly or significantly.
Organizations have no confidence or are not confident they know all mobile and IoT apps in the workplace.
Sixty-three percent of respondents are not confident (30 percent) or have no confidence (33 percent) their organizations know all of the mobile applications used by employees. An even larger percentage of respondents (75 percent) are not confident (38 percent) or have no confidence (37 percent) they know all of the IoT apps in the workplace. However, respondents estimate that the average number of mobile apps in their organizations is 472 and the average number of IoT apps is 241.
Mobile and IoT risks exist because end-user convenience is considered more important than security.
The security of apps often does not receive the priority it needs because of the pressure to ensure mobile and IoT apps are easy to use. Sixty-two percent of respondents rate end-user convenience as an important consideration when building and/or deploying mobile apps in the workplace, and 68 percent rate it as an important consideration when building and/or deploying IoT apps.
The functions most responsible for mobile and IoT security are outside the security function.
Only 15 percent of respondents say the CISO is most responsible and only 11 percent of respondents say application development is primarily responsible for security of apps. In the case of IoT apps, only 5 percent of respondents say the CISO is primarily responsible. Instead, the head of product engineering and lines of business are most responsible (31 percent and 21 percent of respondents, respectively).
Hacking incidents and regulations drive growth in budgets.
Only 30 percent of respondents say their organization allocates sufficient budget to protect mobile apps and IoT devices. If they had a serious hacking incident, their organizations would consider increasing the budget (54 percent of respondents). Other reasons to increase the budget are if new regulations were issued (46 percent of respondents) or if they were exposed to media coverage of a serious hacking incident affecting another company (25 percent of respondents).
Despite the risk, there is a lack of urgency to address the threat.
Only 32 percent of respondents say their organization urgently wants to secure mobile apps, and 42 percent of respondents say it is urgent to secure IoT apps. Factors revealed in this study that might explain the lack of urgency include the following: not enough budget is allocated to the security of these apps, and the individuals most often responsible for stopping attacks are not in the security function. Rather, they reside in the lines of business, development or engineering.
Material data breaches or cyber attacks have occurred and are reasons for concern.
Respondents report that they know with certainty (11 percent), or consider it most likely (15 percent) or likely (34 percent), that their organization had a security incident because of an insecure mobile app. Respondents are less certain whether their organization had a material data breach or cyber attack due to an insecure IoT app: 46 percent of respondents say so with certainty (4 percent), or consider it most likely (11 percent) or likely (31 percent).
There is a high level of concern for insecure mobile and IoT apps.
Seventy percent of respondents are very concerned about the use of insecure IoT apps and 64 percent are very concerned about the use of insecure mobile applications in the workplace.
Testing of mobile and IoT apps is ad hoc, if done at all.
As discussed above, organizations may recognize the risk, but a sense of urgency to mitigate the risk does not exist. This lack of urgency is reflected in mobile and IoT app security practices. Thirty-five percent of respondents say testing of mobile apps is not pre-scheduled, or that it does not occur at all (26 percent of respondents). Almost half (48 percent of respondents) say testing of IoT apps does not occur. On average, only 29 percent of mobile apps and 20 percent of IoT apps are tested for vulnerabilities. An average of 30 percent of mobile apps tested contain vulnerabilities, and an average of 38 percent of IoT apps tested contain significant vulnerabilities.
Testing of mobile and IoT apps often does not occur until production.
Fifty-eight percent of respondents say their organization waits until production to test their mobile apps, and 39 percent of respondents say mobile apps are tested in production.