Today’s organizations are releasing mobile and Internet of Things (IoT) applications at a breathtaking pace. According to recent research, more than 4 million Android and iOS applications are currently in production, with thousands more being released every month.

IBM client Cisco, meanwhile, predicted that the estimated value of the global IoT market will reach $14.4 trillion by 2022 and that organizations will invest more than $2 trillion into IoT initiatives. This includes improving customer service, reducing time to market, streamlining supply chain and logistics projects, lowering overall costs and boosting employee productivity.

Key Findings From the Ponemon Application Security Testing Survey

If your organization has been slow to accept the risks associated with unsecured mobile and IoT applications, the results of our independently conducted “2017 State of Mobile & Internet of Things (IoT) Application Security Study,” sponsored by IBM and Arxan, suggest that now is the time to start.

Here are 10 key findings from our study, which included 593 responses from IT and application security practitioners.

1. Widespread Worry Over Mobile and IoT Application Security

Respondents are slightly more concerned about potentially getting hacked through IoT applications (58 percent) than mobile applications (53 percent), but both of the figures reflect high percentages. Despite their concern, however, few organizations are mobilized against these threats. Forty-four percent of respondents said they had taken no steps toward such a mobilization, and 11 percent were unsure whether their organizations were doing anything to prevent such attacks.

2. Material Data Breaches Result From Mobile and IoT Insecurity

While 11 percent of respondents reported that they knew with certainty that their organization had experienced a security incident as a result of insecure mobile applications, 15 percent indicated that they “most likely” knew and 34 percent reported that they “likely” knew that information. Respondents reported that they were less certain whether their organization experienced a material data breach or cyberattack due to insecure IoT applications. In total, 46 percent said they knew with certainty (4 percent), most likely knew (11 percent) or likely knew (31 percent) that their organization had sustained an attack that resulted from insecure IoT applications.

3. Mobile and IoT Applications Are Threats to Organizations’ Strong Security Postures

Seventy-nine percent of respondents said the use of mobile applications increases security risk significantly or very significantly, while 75 percent indicated that IoT applications had the same effect.

4. There’s a High Level of Concern for Insecure Mobile and IoT Applications

Seventy percent of respondents reported that they were very concerned about the use of insecure IoT applications. Similarly, 64 percent said they were very concerned about the use of insecure mobile applications in the workplace.

5. Organizations Are Not Confident That They Know All the Mobile and IoT Applications Being Utilized in the Workplace

Surprisingly, 63 percent of respondents are not confident (30 percent) or have no confidence (33 percent) in their organization’s ability to keep track of all the mobile applications their employees use. Even more concerning, 75 percent are not confident (38 percent) or have no confidence (37 percent) that they know all the IoT applications in the enterprise. However, respondents estimated that employees in their organizations actively use, on average, 472 mobile and 241 IoT applications.

6. Potential Incidents and New Regulations Drive Budgetary Growth in Application Security

Only 30 percent of respondents said their organization allocates sufficient budget to protect mobile applications and IoT devices. If the organization experienced a serious security incident, 54 percent of respondents indicated that they would most likely consider increasing their security budgets. Meanwhile, 46 percent of respondents said their organization would likely increase IT budgets to prepare for new regulations, and 25 percent reported that media coverage of a serious data breach would encourage their organizations to do the same.

7. Rush to Release Is the Primary Reason Why Mobile and IoT Applications Contain Vulnerable Code

Sixty-nine percent of respondents cited pressure on the development team as the primary reason why mobile applications contain vulnerable code, and 75 percent pointed to the same issue as a source of vulnerability for IoT applications. Accidental coding errors in mobile and IoT applications also result in vulnerable code, according to 65 percent of respondents. A lack of internal policies or rules that clarify security requirements can also negatively affect application security.

8. There Is a Lack of Urgency to Address Risks

Only 32 percent of respondents said their organization urgently wants to secure mobile applications and 42 percent said they feel similarly pressured to secure IoT applications. This lack of urgency may be due to a low application security budget, or an organizational failure to delegate data protection to a dedicated IT leader. Rather, application and data protection reside in lines of business, development or engineering.

9. Application Security Testing Is Performed on an Ad-Hoc Basis, If at All

Organizations may recognize the risk, but, as mentioned above, many are slow to react. This lack of urgency is reflected in mobile and IoT application security practices: Thirty-five percent of respondents said their organization did not preschedule application security testing, while 26 percent indicated that their company failed to conduct testing at all. Nearly half (48 percent) reported that their organization did not test IoT applications.

On average, only 29 percent of mobile applications and 20 percent of IoT applications are tested for vulnerabilities. An average of 30 percent of mobile apps and 38 percent of IoT apps tested contained significant vulnerabilities.

10. Application Security Testing Is Frequently Delayed Until Production

Fifty-eight percent of respondents said their organization typically waits until production to test IoT applications and 39 percent indicated that mobile applications were tested during production.

Learn More About Application Security Testing

To learn how your organization can combat the mobile and IoT risks identified in our study, please watch the on-demand webinar. You can also download a complimentary copy of our comprehensive study results.
