IBM-Sponsored Ponemon Institute Study Reveals Alarming State of Mobile Security for Apps
In today’s race to build the latest and greatest mobile applications, developers and companies building the apps are increasingly zeroing in on what attracts users to them. Is it their usability? Their gamification? Is it their aesthetic design, or their ability to provide users with yet another social platform to chat with friends and like-minded hobbyists?
While all of these aspects are important, there is one feature that is being severely overlooked, although its power to attract and retain users is enormous: mobile security.
Data Breaches Growing in Size and Scope
Data breaches are increasingly one of the largest concerns for today’s consumer. In 2014, more than 1 billion personal data records were compromised by cyberattacks. Although considerable effort has gone into securing the computers and servers that have traditionally housed our sensitive information, the same attention is not being paid to mobile apps, and cybercriminals are waking up to this opportunity.
The Ponemon Institute recently teamed up with IBM to look into just how secure the apps that many of the largest and most trusted organizations are building for their customers really are. What they found was extremely unsettling.
Mobile Security Survey Findings
In the face of accelerating user demand, businesses are building mobile apps with speed-to-market and user experience in mind. What they are not doing, however, is validating that their apps are safe and secure enough for users to disclose the confidential information — such as billing details and personal information — the apps frequently require.
Among the more than 400 organizations studied, nearly 40 percent of which were Fortune 500 companies, almost 40 percent aren’t scanning the code in their apps for security vulnerabilities, leaving sensitive user, corporate and customer data exposed to attack. The average organization tests fewer than half of the mobile apps it builds, and a full 33 percent of companies never test their apps at all.
Worrisome as this is, it isn’t surprising given the tremendous deficit in mobile security investment and attention. Companies spend an astounding average of $34 million annually on mobile app development, yet half of them devote no budget at all to mobile security. Take a minute to reflect on that finding: they spend less on securing their apps than you spend on a $0.99 emoticon package for your phone.
Ongoing Pressure of ‘Rush to Release’
Yes, the pressure on mobile app development teams to rapidly build and deploy code is tremendous. Sixty-five percent of companies admit the security of their apps is often put at risk because of customer demand or need, and an overwhelming 77 percent cite rush-to-release pressure as a primary reason why mobile apps contain vulnerable code.
However, shouldn’t building safety into our apps be just as important as how pretty they are or how quickly we can get our hands on them? After all, retrofitting an app for security is like fitting brakes to a car that is already cruising down the road; it just doesn’t work. And just as a safety recall does immense damage to an automotive brand, a data breach that compromises confidential customer information can be a death knell for a company.
Our demand for new and better mobile apps, combined with the lack of attention paid to their security, is unintentionally exposing us to attacks and data breaches and putting our sensitive and private information at risk.
As a number of high-profile breaches in recent months show, cybercriminals are now turning to mobile as their attack vector of choice. Who could blame them? The lack of testing and budget, compounded by the pressure to deploy mobile apps rapidly, is further intensified by a dearth of security training and education.
Employee Education Must Accompany Technological Solutions
Today, the average developer has less than two years of experience. Seventy-three percent of the organizations studied cite a lack of understanding and training on secure coding practices as a major reason why mobile apps contain vulnerable code. Although all of the organizations studied are currently building mobile apps, only 41 percent said their company had sufficient mobile security expertise.
There is no doubt that mobile apps will continue to evolve and become more ingrained in our daily lives. What cannot be overlooked, however, is the growing security risk as cybercriminals become more sophisticated and more aware of the many exploitable weaknesses opening up through our lack of focus on mobile security. Technologies such as IBM MobileFirst Protect™ threat management and IBM Security AppScan Mobile Analyzer™ can help organizations combat the inherent risks of mobile applications.
However, we should be building security into apps now, rather than reacting only after cybercriminals have had the time to fully exploit the vulnerabilities that exist today.
Research conducted by Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.