Today’s organizations are releasing mobile and Internet of Things (IoT) applications at a breathtaking pace. According to recent research, more than 4 million Android and iOS applications are currently in production, with thousands more being released every month.

IBM client Cisco, meanwhile, predicted that the estimated value of the global IoT market will reach $14.4 trillion by 2022 and that organizations will invest more than $2 trillion into IoT initiatives. This includes improving customer service, reducing time to market, streamlining supply chain and logistics projects, lowering overall costs and boosting employee productivity.

Key Findings From the Ponemon Application Security Testing Survey

If your organization has been slow to accept the risks associated with unsecured mobile and IoT applications, the results of our independently conducted “2017 State of Mobile & Internet of Things (IoT) Application Security Study,” sponsored by IBM and Arxan, suggest that now is the time to start.


Here are 10 key findings from our study, which included 593 responses from IT and application security practitioners.

1. Widespread Worry Over Mobile and IoT Application Security

Respondents are slightly more concerned about potentially getting hacked through IoT applications (58 percent) than mobile applications (53 percent), but both of the figures reflect high percentages. Despite their concern, however, few organizations are mobilized against these threats. Forty-four percent of respondents said they had taken no steps toward such a mobilization, and 11 percent were unsure whether their organizations were doing anything to prevent such attacks.

2. Material Data Breaches Result From Mobile and IoT Insecurity

While 11 percent of respondents reported that they knew with certainty that their organization had experienced a security incident as a result of insecure mobile applications, 15 percent indicated that they “most likely” knew and 34 percent reported that they “likely” knew that information. Respondents reported that they were less certain whether their organization experienced a material data breach or cyberattack due to insecure IoT applications. In total, 46 percent said they knew with certainty (4 percent), most likely knew (11 percent) or likely knew (31 percent) that their organization had sustained an attack that resulted from insecure IoT applications.

3. Mobile and IoT Applications Are Threats to Organizations’ Strong Security Postures

Seventy-nine percent of respondents said the use of mobile applications increases security risk significantly or very significantly, while 75 percent indicated that IoT applications had the same effect.

4. There’s a High Level of Concern for Insecure Mobile and IoT Applications

Seventy percent of respondents reported that they were very concerned about the use of insecure IoT applications. Similarly, 64 percent said they were very concerned about the use of insecure mobile applications in the workplace.

5. Organizations Are Not Confident That They Know All the Mobile and IoT Applications Being Utilized in the Workplace

Surprisingly, 63 percent of respondents are not confident (30 percent) or have no confidence (33 percent) in their organization’s ability to keep track of all the mobile applications their employees use. Even more concerning, 75 percent are not confident (38 percent) or have no confidence (37 percent) that they know all the IoT applications in the enterprise. However, respondents estimated that employees in their organizations actively use, on average, 472 mobile and 241 IoT applications.

6. Potential Incidents and New Regulations Drive Budgetary Growth in Application Security

Only 30 percent of respondents said their organization allocates sufficient budget to protect mobile applications and IoT devices. If the organization experienced a serious security incident, 54 percent of respondents indicated that they would most likely consider increasing their security budgets. Meanwhile, 46 percent of respondents said their organization would likely increase IT budgets to prepare for new regulations, and 25 percent reported that media coverage of a serious data breach would encourage their organizations to do the same.

7. Rush to Release Is the Primary Reason Why Mobile and IoT Applications Contain Vulnerable Code

Sixty-nine percent of respondents cited pressure on the development team as the primary reason why mobile applications contain vulnerable code, and 75 percent pointed to the same issue as a source of vulnerability for IoT applications. Accidental coding errors in mobile and IoT applications also result in vulnerable code, according to 65 percent of respondents. A lack of internal policies or rules that clarify security requirements can also negatively affect application security.

8. There Is a Lack of Urgency to Address Risks

Only 32 percent of respondents said their organization urgently wants to secure mobile applications and 42 percent said they feel similarly pressured to secure IoT applications. This lack of urgency may be due to a low application security budget, or an organizational failure to delegate data protection to a dedicated IT leader. Rather, application and data protection reside in lines of business, development or engineering.

9. Application Security Testing Is Performed on an Ad-Hoc Basis, If at All

Organizations may recognize the risk, but, as mentioned above, many are slow to react. This lack of urgency is reflected in mobile and IoT application security practices: Thirty-five percent of respondents said their organization did not preschedule application security testing, while 26 percent indicated that their company failed to conduct testing at all. Nearly half (48 percent) reported that their organization did not test IoT applications.

On average, only 29 percent of mobile applications and 20 percent of IoT applications are tested for vulnerabilities. An average of 30 percent of mobile apps and 38 percent of IoT apps tested contained significant vulnerabilities.

10. Application Security Testing Is Frequently Delayed Until Production

Fifty-eight percent of respondents said their organization typically waits until production to test IoT applications and 39 percent indicated that mobile applications were tested during production.

Learn More About Application Security Testing

To learn how your organization can combat the mobile and IoT risks identified in our study, please watch the on-demand webinar. You can also download a complimentary copy of our comprehensive study results.
