Here is the disconnect: 82 percent of IT pros think that BYOD in the workplace has “very significantly” or “significantly” increased IT security risks, less than half of organizations have a security policy in place to define acceptable use.
A Ponemon Institute survey of a whopping 19K U.S. IT pros shows that while the mobile apps risks are well-known, many enterprises are not following up or dedicating the resources to combating the threat. On average, $34 million is spent on mobile app development, but only $2 million of that budget is allotted to security, according to “The State of Mobile Application Insecurity,” sponsored by IBM.
“It's just an indicator that we [the security community] have a problem, [or] a risk issue that isn't necessarily being met, at least not with respect to training and awareness,” said Larry Ponemon, chairman and founder of the Ponemon Institute, in an interview with SCMagazine.com.
To add to the problem, less than half of organizations test their mobile apps, but those who did found that 30 percent contained vulnerabilities. This, Ponemon said, makes testing all the more essential.
“The secure coding issue is a big problem because we build apps that rely on other apps that were built earlier on, instead of building apps from scratch,” he said. “Some of the bad stuff might lie in the old stuff. Testing will help you identify and prevent the really bad stuff that seems to be happening right now.”
A majority of 77% blamed a “rush to release” for why vulnerabilities existed in mobile applications. 73% said a lack of understanding and training on secure coding practices could be the reason.
Ponemon stressed that most breaches are occurring at the app layer of security, not the network level. This study demonstrates a need to slow down and be more thoughtful with app development, he said.
“Train developers so they understand what secure coding really means, so they understand their ethical responsibilities to create codes that are safe.” he said. “Create awareness because this could be a big problem.”
Security awareness training is not only for end-users. Developers would also benefit from stepping through effective mobile security training to make them aware of the risks out there. Find out how affordable this is for your organization today.
Don't like to click on redirected buttons? Copy and paste this link into your browser: