10 Key Findings From the Ponemon Institute’s Mobile & IoT Application Security Testing Study
Today’s organizations are releasing mobile and Internet of Things (IoT) applications at a breathtaking pace. According to recent research, more than 4 million Android and iOS applications are currently in production, with thousands more being released every month.
IBM client Cisco, meanwhile, predicted that the estimated value of the global IoT market will reach $14.4 trillion by 2022 and that organizations will invest more than $2 trillion into IoT initiatives. This includes improving customer service, reducing time to market, streamlining supply chain and logistics projects, lowering overall costs and boosting employee productivity.
Key Findings From the Ponemon Application Security Testing Survey
If your organization has been slow to accept the risks associated with unsecured mobile and IoT applications, the results of our independently conducted “2017 State of Mobile & Internet of Things (IoT) Application Security Study,” sponsored by IBM and Arxan, suggest that now is the time to start.
Here are 10 key findings from our study, which included 593 responses from IT and application security practitioners.
1. Widespread Worry Over Mobile and IoT Application Security
Respondents are slightly more concerned about potentially getting hacked through IoT applications (58 percent) than mobile applications (53 percent), but both figures are high. Despite their concern, however, few organizations are mobilized against these threats. Forty-four percent of respondents said they had taken no steps toward such a mobilization, and 11 percent were unsure whether their organizations were doing anything to prevent such attacks.
2. Material Data Breaches Result From Mobile and IoT Insecurity
While 11 percent of respondents reported that they knew with certainty that their organization had experienced a security incident as a result of insecure mobile applications, 15 percent indicated that they “most likely” knew and 34 percent reported that they “likely” knew that information. Respondents reported that they were less certain whether their organization experienced a material data breach or cyberattack due to insecure IoT applications. In total, 46 percent said they knew with certainty (4 percent), most likely knew (11 percent) or likely knew (31 percent) that their organization had sustained an attack that resulted from insecure IoT applications.
3. Mobile and IoT Applications Are Threats to Organizations’ Strong Security Postures
Seventy-nine percent of respondents said the use of mobile applications increases security risk significantly or very significantly, while 75 percent indicated that IoT applications had the same effect.
4. There’s a High Level of Concern for Insecure Mobile and IoT Applications
Seventy percent of respondents reported that they were very concerned about the use of insecure IoT applications. Similarly, 64 percent said they were very concerned about the use of insecure mobile applications in the workplace.
5. Organizations Are Not Confident That They Know All the Mobile and IoT Applications Being Utilized in the Workplace
Surprisingly, 63 percent of respondents are not confident (30 percent) or have no confidence (33 percent) in their organization’s ability to keep track of all the mobile applications their employees use. Even more concerning, 75 percent are not confident (38 percent) or have no confidence (37 percent) that they know all the IoT applications in the enterprise. However, respondents estimated that employees in their organizations actively use, on average, 472 mobile and 241 IoT applications.
6. Potential Incidents and New Regulations Drive Budgetary Growth in Application Security
Only 30 percent of respondents said their organization allocates sufficient budget to protect mobile applications and IoT devices. If the organization experienced a serious security incident, 54 percent of respondents indicated that they would most likely consider increasing their security budgets. Meanwhile, 46 percent of respondents said their organization would likely increase IT budgets to prepare for new regulations, and 25 percent reported that media coverage of a serious data breach would encourage their organizations to do the same.
7. Rush to Release Is the Primary Reason Why Mobile and IoT Applications Contain Vulnerable Code
Sixty-nine percent of respondents cited pressure on the development team as the primary reason why mobile applications contain vulnerable code, and 75 percent pointed to the same issue as a source of vulnerability for IoT applications. Accidental coding errors in mobile and IoT applications also result in vulnerable code, according to 65 percent of respondents. A lack of internal policies or rules that clarify security requirements can also negatively affect application security.
8. There Is a Lack of Urgency to Address Risks
Only 32 percent of respondents said their organization urgently wants to secure mobile applications, and 42 percent said they feel similarly pressured to secure IoT applications. This lack of urgency may be due to a low application security budget, or an organizational failure to delegate data protection to a dedicated IT leader. Instead, application and data protection reside in lines of business, development or engineering.
9. Application Security Testing Is Performed on an Ad-Hoc Basis, If at All
Organizations may recognize the risk, but, as mentioned above, many are slow to react. This lack of urgency is reflected in mobile and IoT application security practices: Thirty-five percent of respondents said their organization did not preschedule application security testing, while 26 percent indicated that their company failed to conduct testing at all. Nearly half (48 percent) reported that their organization did not test IoT applications.
On average, only 29 percent of mobile applications and 20 percent of IoT applications are tested for vulnerabilities. An average of 30 percent of mobile apps and 38 percent of IoT apps tested contained significant vulnerabilities.
10. Application Security Testing Is Frequently Delayed Until Production
Fifty-eight percent of respondents said their organization typically waits until production to test IoT applications and 39 percent indicated that mobile applications were tested during production.
Learn More About Application Security Testing
To learn how your organization can combat the mobile and IoT risks identified in our study, please watch the on-demand webinar. You can also download a complimentary copy of our comprehensive study results.