Despite widespread concern about the security of mobile and Internet of Things applications, organizations are ill-prepared for the risks they pose, according to research conducted by the Ponemon Institute.
Mobile and IoT applications are distributed, out in the wild, and easy targets for attackers. While mobile apps have been around for some time, most companies have not protected the binary code of these apps, which gives attackers an easy point of entry. In contrast, IoT is new and growing at a record pace, and while various components of the IoT infrastructure are vulnerable, apps with embedded software in gateways and the cloud are at greater risk.
Many organizations are worried about an attack against mobile and IoT apps that are used in the workplace. Organizations are having a more difficult time securing IoT apps. Respondents are slightly more concerned about getting hacked through an IoT app (fifty-eight percent) than a mobile app (fifty-three percent). However, despite their concern, organizations are not mobilizing against this threat. Forty-four percent of respondents say they are taking no steps and eleven percent are unsure if their organization is doing anything to prevent such an attack.
Material data breaches or cyber attacks have occurred and are reasons for concern. Sixty percent of respondents say it is certain (eleven percent), most likely (fifteen percent) or likely (thirty-four percent) that their organization had a security incident because of an insecure mobile app. Respondents are less certain whether their organization has experienced a material data breach or cyber attack due to an insecure IoT app: forty-six percent say it is certain (four percent), most likely (eleven percent) or likely (thirty-one percent) that it has.
The risk of unsecured IoT apps is growing. Respondents report IoT apps are harder to secure (eighty-four percent) versus mobile apps (sixty-nine percent). Additionally, fifty-five percent of respondents say there is a lack of quality assurance and testing procedures for IoT apps.
Despite the risk, there is a lack of urgency to address the threat. Only thirty-two percent of respondents say their organization urgently wants to secure mobile apps and forty-two percent of respondents say it is urgent to secure IoT apps.
“Factors revealed in this study may help to explain the lack of urgency,” said Dr. Larry Ponemon, Chair and Founder of Ponemon Institute. “Respondents voiced minimal budget allocation, and those responsible for stopping attacks are not in the security function, but rather other lines of business. Without proper budget or oversight, these threats aren’t being taken seriously and it should come as no surprise for mobile and IoT applications to be the culprit of major data breaches to come.”
Not enough resources are being allocated… yet.
Only thirty percent of respondents say their organization allocates sufficient budget to protect mobile apps and IoT devices. If they had a serious hacking incident, their organizations would consider increasing the budget (fifty-four percent of respondents). Other reasons to increase the budget are if new regulations were issued (forty-six percent of respondents) or media coverage of a serious hacking incident affecting another company occurred (twenty-five percent of respondents).
“Mobile and IoT applications continue to be released at a rapid pace to meet user demand. If security isn’t designed into these apps there could be significant negative impacts,” said Diana Kelley, Global Executive Security Advisor, IBM Security. “Organizations are at risk and cybercriminals know where the soft spots are. Raising awareness of application security in the enterprise is a critically important first step toward a more secure future for businesses and consumers.”