Today’s organizations are releasing mobile and Internet of Things (IoT) applications at a breathtaking pace. According to recent research, more than 4 million Android and iOS applications are currently in production, with thousands more being released every month.

IBM client Cisco, meanwhile, predicted that the estimated value of the global IoT market will reach $14.4 trillion by 2022 and that organizations will invest more than $2 trillion into IoT initiatives. This includes improving customer service, reducing time to market, streamlining supply chain and logistics projects, lowering overall costs and boosting employee productivity.

Key Findings From the Ponemon Application Security Testing Survey

If your organization has been slow to accept the risks associated with unsecured mobile and IoT applications, the results of our independently conducted “2017 State of Mobile & Internet of Things (IoT) Application Security Study,” sponsored by IBM and Arxan, suggest that now is the time to start.


Here are 10 key findings from our study, which included 593 responses from IT and application security practitioners.

1. Widespread Worry Over Mobile and IoT Application Security

Respondents are slightly more concerned about potentially getting hacked through IoT applications (58 percent) than mobile applications (53 percent), but both of the figures reflect high percentages. Despite their concern, however, few organizations are mobilized against these threats. Forty-four percent of respondents said they had taken no steps toward such a mobilization, and 11 percent were unsure whether their organizations were doing anything to prevent such attacks.

2. Material Data Breaches Result From Mobile and IoT Insecurity

While 11 percent of respondents reported that they knew with certainty that their organization had experienced a security incident as a result of insecure mobile applications, 15 percent indicated that they “most likely” knew and 34 percent reported that they “likely” knew that information. Respondents reported that they were less certain whether their organization experienced a material data breach or cyberattack due to insecure IoT applications. In total, 46 percent said they knew with certainty (4 percent), most likely knew (11 percent) or likely knew (31 percent) that their organization had sustained an attack that resulted from insecure IoT applications.

3. Mobile and IoT Applications Are Threats to Organizations’ Strong Security Postures

Seventy-nine percent of respondents said the use of mobile applications increases security risk significantly or very significantly, while 75 percent indicated that IoT applications had the same effect.

4. There’s a High Level of Concern for Insecure Mobile and IoT Applications

Seventy percent of respondents reported that they were very concerned about the use of insecure IoT applications. Similarly, 64 percent said they were very concerned about the use of insecure mobile applications in the workplace.

5. Organizations Are Not Confident That They Know All the Mobile and IoT Applications Being Utilized in the Workplace

Surprisingly, 63 percent of respondents are not confident (30 percent) or have no confidence (33 percent) in their organization’s ability to keep track of all the mobile applications their employees use. Even more concerning, 75 percent are not confident (38 percent) or have no confidence (37 percent) that they know all the IoT applications in the enterprise. However, respondents estimated that employees in their organizations actively use, on average, 472 mobile and 241 IoT applications.


6. Potential Incidents and New Regulations Drive Budgetary Growth in Application Security

Only 30 percent of respondents said their organization allocates sufficient budget to protect mobile applications and IoT devices. If the organization experienced a serious security incident, 54 percent of respondents indicated that they would most likely consider increasing their security budgets. Meanwhile, 46 percent of respondents said their organization would likely increase IT budgets to prepare for new regulations, and 25 percent reported that media coverage of a serious data breach would encourage their organizations to do the same.

7. Rush to Release Is the Primary Reason Why Mobile and IoT Applications Contain Vulnerable Code

Sixty-nine percent of respondents cited pressure on the development team as the primary reason why mobile applications contain vulnerable code, and 75 percent pointed to the same issue as a source of vulnerability for IoT applications. Accidental coding errors in mobile and IoT applications also result in vulnerable code, according to 65 percent of respondents. A lack of internal policies or rules that clarify security requirements can also negatively affect application security.

8. There Is a Lack of Urgency to Address Risks

Only 32 percent of respondents said their organization urgently wants to secure mobile applications, and 42 percent said they feel similarly pressured to secure IoT applications. This lack of urgency may be due to a low application security budget or an organizational failure to delegate data protection to a dedicated IT leader. Instead, application and data protection reside in lines of business, development or engineering.

9. Application Security Testing Is Performed on an Ad-Hoc Basis, If at All

Organizations may recognize the risk, but, as mentioned above, many are slow to react. This lack of urgency is reflected in mobile and IoT application security practices: Thirty-five percent of respondents said their organization did not preschedule application security testing, while 26 percent indicated that their company failed to conduct testing at all. Nearly half (48 percent) reported that their organization did not test IoT applications.

On average, only 29 percent of mobile applications and 20 percent of IoT applications are tested for vulnerabilities. An average of 30 percent of mobile apps and 38 percent of IoT apps tested contained significant vulnerabilities.

10. Application Security Testing Is Frequently Delayed Until Production

Fifty-eight percent of respondents said their organization typically waits until production to test IoT applications and 39 percent indicated that mobile applications were tested during production.

Learn More About Application Security Testing

To learn how your organization can combat the mobile and IoT risks identified in our study, please watch the on-demand webinar. You can also download a complimentary copy of our comprehensive study results.
