While mobile is everywhere -- and regarded by most enterprises as a key computing mode for enabling access by employees, partners and customers -- security appears to be almost non-existent. In a new survey of 400 large enterprises, a full 50 percent were found to devote zero budget whatsoever -- nada -- towards mobile security.
These are large companies we're talking about. Put that in the context that today's enterprises spend millions of dollars on security, locking down everything from databases to desktops. However, scant attention is being paid to today's client of choice: mobile apps.
These findings come from new research released by IBM and the Ponemon Institute, which looked at the two sides of mobile security -- the apps that enterprise teams produce for customers, employees and clients. Looking at internal app development, the study concludes that mobile security is virtually non-existent, even in the largest corporations. In fact, the findings show nearly 40 percent of large companies, including many in the Fortune 500, aren't taking the right precautions to secure the mobile apps they build for customers.
The report puts it in perspective:
"Today's large companies each spend an average of $34 million annually to develop mobile apps we use to shop, bank and more. However, only an average of 5.5 percent of this immense budget is spent on securing these apps against hackers and security breaches."
Why the oversight? There's tremendous pressure to get apps and other software out as quickly as possible. During the creation of mobile apps, end user convenience is trumping end-user security and privacy. According to the study, 65 percent of organizations state the security of their apps is often put at risk because of customer demand or need, and 77 percent cite "rush to release" pressures as a primary reason why mobile apps contain vulnerable code.
The study, based on the security practices in more than 400 large organizations, found that the average company tests less than half of the mobile apps they build. Also, 33 percent of companies never test their apps -- potentially creating a plethora of entry points to tap into business data via unsecured devices.
Enterprises tend to prioritize speed-to-market and user experience, and the study found that many of these organizations scan their mobile apps for security vulnerabilities infrequently and much too late - if at all -leaving entry points which hackers are increasingly exploiting. These holes allow cyber-thieves to gain access to confidential business and personal data through BYOD or corporate mobile devices.
Of the companies that actually do scan for vulnerabilities before deploying apps to the market, only 15 percent of them test their apps as frequently as needed to be effective.
On the other side of the mobile security coin, there are the apps from outside parties that employees download to help them with their jobs. "The challenge arises when employees connect to unsecured networks or download insecure apps from untrusted sources, which leave the device vulnerable to malware," the IBM-Ponemon study suggests.
The study also found organizations are poorly protecting their corporate and BYOD mobile devices against cyber-attacks - opening the door for hackers to easily access user, corporate and customer data.The number of mobile cyber-security attacks is continuing to grow. At any given time, malicious code is infecting more than 11.6 million mobile devices, the study's authors estimate.
As an example, consider the ubiquitous and seemingly innocent dating app, the report's authors relate:
"IBM found that 48 percent of popular dating apps studied have access to a user's billing information saved on their device. Many consumers save billing information into their digital wallets to make in-app purchases simply and quickly.An attacker can potentially gain access to this information through the vulnerability in the dating app and steal the information to make unauthorized purchases elsewhere."
According to the IBM-Ponemon study, though most employees are "heavy users of apps," over half (55 percent) state their organization does not have a policy which defines the acceptable use of mobile apps in the workplace, and a large majority - 67 percent - of companies allow employees to download non-vetted apps to their work devices.