The number of mobile cyber security attacks is continuing to grow. There are millions of mobile devices being infected by malicious code every day. The Ponemon Institute and IBM Security study, which researched security practices in over 400 large organizations, found that average companies only test their half of the mobile apps they develop. Around 50% of these organizations were found to devote zero budgets towards mobile application security.
“Building security into mobile apps is not top of mind for companies, giving hackers the opportunity to easily reverse engineer apps, jailbreak mobile devices and tap into confidential data, Industries need to think about security at the same level on which highly efficient, collaborative cyber criminals are planning attacks. To help companies adopt smart mobile strategies, we've tapped the deep security expertise of IBM Security Trustee, bringing what we've learned from protecting the most sensitive data of complex organizations - such as top global banks - and applying it to mobile.” said Caleb Barlow, Vice President of Mobile Management and Security at IBM.
Attackers are taking advantage of insecure popular mobile applications, networks and more to break into highly confidential data on mobile devices. Furthermore, they’re also tapping mobile devices as a gateway to an organization’s broader, highly confidential internal network.
In research by Ponemon institute, they found some major security flaws in the ways which most organizations build and deploy mobile applications for their customers. Lack of security testing in the process of developing different mobile applications has made security difficult to achieve. Most of the organizations studied in the research are working with highly sensitive data, and include financial services, health and pharmaceutical, the public sector, entertainment and retail industries.
Each organization spends $34 million annually on average for mobile app development. However, only 5% of this budget is spent on ensuring that mobile apps are secure against cyber attacks before they are made available to users. Almost half of the organizations devote no budget for security.
Why Is Mobile Application Security Difficult to Achieve?
According to the research, the majority of organizations state that the security of their apps is often put at risk because of customer demand or need, whereas “Rush to Release” is the primary reason why mobile apps contain vulnerable code. And this is the few companies that actually do scan for vulnerabilities before deploying apps in the market.
The main reason behind the lack of mobile application security is the lack of security testing, possibility of data leakage from applications, and malware-infected devices and apps. The Ponemon research states that 65% organizations release apps with security risk because of customer requirements and pressure to release quickly.
Research revealed that there will be an increase in the incidence of malware infected mobile apps in the next 12 months. Because of this, around 60% of the organizations being researched consider mobile app security a high priority.
What Are Organizations Doing to Reduce this Threat?
Expertise and the budget play an important role when it comes to preventing and reducing malicious, infected and insecure mobile applications. Companies should raise their budget and expertise level to detect suspicious activities on mobile endpoints, and stop malware the moment a device is breached.
This can be done when an organization has sufficient mobile application security expertise, enough resources to detect vulnerabilities in mobile apps and also strategies to prevent the usage of vulnerable or malware-infected mobile apps.
The statistics show that approximately 41% of organizations that have sufficient mobile application expertise, and around 30% have enough resources to detect vulnerabilities in mobile apps. It states that organizations are working towards securing their mobile apps to overcome this security challenge.
What Areas Need Focus?
According to the Ponemon study, though most employees are “heavy users of apps,” over half state their organization does not have a policy which defines the acceptable use of mobile apps in the workplace. So, taking initiative towards making new strong strategies and policies to monitor the applications in the workplace and the devices that are accessing the company’s network should be considered.
Most employees are not aware of malicious apps and are easily got tricked by attackers. So, it is highly recommended to increase the budget so that regular employee awareness sessions and training can be conducted.
Whereas trusted application and complete pen-testing should be done on the application that a company is working on or building. Increasing the organization’s budget can help to increase the security testing and expertise in an organization.
Simply put, organizations should spend more to get secure.
The following are some recommendations to improve your organization’s state of mobile application insecurity:
- Test mobile apps on a regular basis
- Conduct employee awareness sessions and training
- Ensure the “rush to release” mobile apps does not impact coding practices
- Increase the budget for mobile application security
- Create policies and procedures to control employees’ risky behaviors
There are many factors that are affecting the mobile app’s security; somehow most of them are related to the deficiency of the organization and its policies. Organizations are required to think and work more for the security aspect of their application products. So, security risks regarding the mobile application can be prevented.
About the Author
Irfan Shakeel is a renowned cyber security trainer specializes in network security, threat management and digital forensics. At EH Academy, Irfan provides online cyber security training with other known instructors. Follow him @irfaanshakeel