The Internet of Things (IoT) is exploding into the mainstream, even as the broader role of mobile applications in the enterprise expands. But concerns about mobile and IoT security are emerging even more rapidly.

The challenge, in a nutshell, is that there are currently no clear lines of responsibility when it comes to IoT and mobile security. Applications are developed and pushed out into the marketplace by their vendors with little or no attention given to security. These apps then pour into organizations that often fail to manage them, and indeed are largely unsure of what apps are being used in their workplaces.

In short, the problems with mobile and IoT security are likely to get worse before they get better.

Who’s in Charge?

A recent study by the Ponemon Institute, IBM Security and Arxan revealed the scope of the challenge and the related difficulties that enterprises are experiencing. According to Infosec Island, “confusion of who owns security within the development, testing and implementation process remains in question.”

A majority of organizations (53 percent) reported concern about being breached via mobile devices, while a slightly larger majority (58 percent) said they worry about being compromised through IoT apps. Meanwhile, 44 percent of organizations admitted they are taking no protective measures, and 11 percent reported uncertainty about whether they are doing so. Doubt, in this case, is not a confidence builder.

This uncertainty, especially on the mobile side, extends to how many apps are in use within the organization. A full 75 percent of respondents indicated that they are not confident in their awareness of the apps their employees are using. Of these, half, or 37 percent of the total, reported “no confidence” on this subject. Other survey results reinforced a picture of uncertainty and passivity.

Rush to Market Leaves Security in the Dust

If there is little consensus about how to handle these challenges, there is considerable consensus about their causes. More than two-thirds of respondents (69 percent) said that mobile apps are shipped with poor security because development teams are pressured to get them out the door. Three-quarters cited this as the cause of vulnerable IoT applications as well.

Further complicating the security picture is uncertainty about who owns — or should own — IoT and mobile security. Only 5 percent of respondents said they regard the CISO has having primary responsibility for IoT security. Instead, the majority of respondents pointed to either the head of engineering or to lines of business.

Prioritizing IoT Security

The two challenges that stand out are the fragmentation of the mobile and IoT marketplaces, and the pressures that lead app developers to regard security as an afterthought. As a basic principle of good design, security needs to be incorporated from the beginning of development, not bolted on afterwards.

A large, fluid and competitive marketplace is very good at innovating technologies and bringing them to consumers. But IoT security and mobile security are being left by the wayside, producing risks that will only grow until the security community and the marketplace demand action.

Download the Ponemon Institute 2017 State of Mobile and IoT Application Security Study

More from Application Security

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…