Have you noticed the new volume buttons on the iPad mini? Consumers have noticed – apparently they care more about those buttons than about the technology powering the popular device. This isn't very surprising, as consumers love shiny new things. But where does that leave security? Usually way in the back of the mobile device user's mind, unless something goes wrong.
It can be quite challenging to get decision makers to invest in security. In order to be effective, security evangelists must balance risk and cost and speak the language of business. Mobile is no different.
Advances in mobile have led to many changes. Devices are pervasive, and apps are the new way to connect with customers. But the approaches taken by security teams fail to keep pace, as tools lag behind attacks and existing processes are applied without adaptation to mobile. As a result the state of mobile security today is far from ideal.
A unique opportunity exists right now for mobile security practitioners. Although the industry has experienced phenomenal growth, it is still in its infancy. If we can incorporate security directly into the life cycle of mobile app development, the state of mobile security worldwide can be dramatically improved. Here's where a security evangelist must make the business case for mobile security.
Let's take a look at the financial services industry, banks in particular, to understand an important trend emerging in business. Evidence suggests users of mobile banking apps interact at a higher frequency than traditional channels including online banking, ATMs, and in-person branches. This is a unique opportunity that allows banks to create high customer loyalty and even find ways to monetize new services.
According to a 2012 study by Javelin Strategy & Research, security is the top deterrent to mobile banking adoption by consumers. Solve the mobile security issue and your business will be more profitable. Of course, there are many ancillary benefits, such as avoiding that front-page WSJ article, the cost of customer credit monitoring and, in general, the large reputational and financial bath that follows a security incident.
Education will always be the first step to securing mobile. Why? The technologies are new and constantly changing. Developers and security teams alike are tasked with new features, tight budgets and short time frames. However, mobile is completely new to them. Some basic education about how to securely develop and test mobile apps will go a long way.
Second, the tools used to test mobile security must be updated. Defending mobile apps takes specific experience and knowledge of the unique mobile attack surface to be effective. By looking at the “Anatomy of a Mobile Attack” illustration (above), you can clearly see how large the mobile attack surface is.
Companies that develop or utilize tools specifically created to address mobile security issues will quickly find out how effectively they can mitigate unique mobile security risks.
Finally, testing mobile apps for security issues should be deeply ingrained into development and release cycles. Too often companies perform a hurried security audit just prior to releasing the app or, worse, after it's already on the market. This makes it difficult and expensive to address security issues and increases the risk of a vulnerability in production.
However, if firms security-test mobile apps during the development cycle and integrate testing into their release cycles, they can realize a significant reduction in flaws. The development team can quickly test and resolve common issues, and the security team can focus on a more thorough assessment prior to release.
The business case for mobile security is not only clear, it's quite simple. Firms can increase profits and customer loyalty with engaging, secure mobile apps. The security team has a unique opportunity to demonstrate their value to the bottom line. That's easy math everyone likes.