Study: Mobile app security risk well-known, but enterprises lack proper usage policy
Although most IT professionals believe mobile apps in the workplace have increased security risks, less than half of organizations have a policy in place to define acceptable mobile app use.
Although 82 percent of IT professionals believe mobile apps in the workplace have “very significantly” or “significantly” increased security risks, less than half of organizations have a policy in place to define acceptable mobile app use.
A Ponemon Institute survey of more than 19,000 IT professionals in the U.S. indicates that while the inherent risk in mobile apps is well-known in the security community, many enterprises are not following up or dedicating the resources to combating the threat. On average, $34 million is spent on mobile app development, but only $2 million of that budget is allotted to security, according to “The State of Mobile Application Insecurity,” sponsored by IBM.
“It's just an indicator that we [the security community] have a problem, [or] a risk issue that isn't necessarily being met, at least not with respect to training and awareness,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in an interview with SCMagazine.com.
Moreover, fewer than half of organizations test their mobile apps, but those that did found that 30 percent contained vulnerabilities. This, Ponemon said, makes testing all the more essential.
“The secure coding issue is a big problem because we build apps that rely on other apps that were built earlier on, instead of building apps from scratch,” he said. “Some of the bad stuff might lie in the old stuff. Testing will help you identify and prevent the really bad stuff that seems to be happening right now.”
Most respondents, 77 percent, blamed a “rush to release” for the vulnerabilities that exist in mobile applications. Seventy-three percent said a lack of understanding and training on secure coding practices could be the reason.
Ponemon stressed that most breaches are occurring at the app layer of security, not the network level. This study demonstrates a need to slow down and be more thoughtful with app development, he said.
“Train developers so they understand what secure coding really means, so they understand their ethical responsibilities to create codes that are safe,” he said. “Create awareness because this could be a big problem.”