IBM sponsored study finds mobile app developers compromise user security

20 Mar 2015

IBM Security and the Ponemon Institute announced research unveiling an alarming state of mobile insecurity. The findings show nearly 40 per cent of large companies, including many in the Fortune 500, are not taking the right precautions to secure the mobile apps they build for customers.

The study also found organisations are poorly protecting their corporate and BYOD mobile devices against cyber-attacks – opening the door for hackers to easily access user, corporate and customer data. The number of mobile cyber-security attacks is continuing to grow.

At any given time, malicious code is infecting more than 11.6 million mobile devices. The Ponemon Institute and IBM Security study, which researched security practices in over 400 large organizations, found that the average company tests less than half of the mobile apps they build. Also, 33 per cent of companies never test their apps - creating a plethora of entry points to tap into business data via unsecured devices. While these numbers may seem shocking, they aren't surprising when considering that a full 50 per cent of these organizations were found to devote zero budget whatsoever towards mobile security.

''Building security into mobile apps is not top of mind for companies, giving hackers the opportunity to easily reverse engineer apps, jailbreak mobile devices and tap into confidential data,'' said Caleb Barlow, Vice President of Mobile Management and Security at IBM.

 ''Industries need to think about security at the same level on which highly efficient, collaborative cyber criminals are planning attacks. To help companies adopt smart mobile strategies, we've tapped the deep security expertise of IBM Security Trusteer, bringing what we've learned from protecting the most sensitive data of complex organizations - such as top global banks - and applying it to mobile.''

Hackers are now taking advantage of the popularity of insecure mobile apps, public Wi-Fi networks, and more to break into the highly valuable data often housed on BYOD and corporate mobile devices. Further, they're also tapping mobile devices as an entry portal into an organization's broader, highly confidential internal network.

The Ponemon Institute unveils alarming state of mobile insecurity
The new study, conducted by the Ponemon Institute with IBM, has found major security flaws in the ways which most organisations build and deploy mobile apps for their customers. The organisations studied, of which 40 percent are Fortune 500 companies, operate in industries which work with highly sensitive data, including financial services, health and pharmaceutical, the public sector, entertainment and retail.

Among the organisations, each spent an average of $34 million annually on mobile app development. Of this tremendous budget, however, only 5.5 per cent is currently being allocated to ensuring that mobile apps are secure against cyber-attacks before they are made available to users. A full 50 per cent of companies devote no budget to security. 

Tending to prioritise speed-to-market and user experience, the study found that many of these organisations scan their mobile apps for security vulnerabilities infrequently and much too late – if at all – leaving entry points which hackers are increasingly exploiting. These holes allow cyber-thieves to gain access to confidential business and personal data through BYOD or corporate mobile devices. According to IBM X-Force research, in 2014 alone, over 1 billion pieces of personally identifiable information (PII) were compromised as a result of cyber-attacks.

During the creation of mobile apps, end user convenience is trumping end user security and privacy. According to the study, 65 per cent of organisations state the security of their apps is often put at risk because of customer demand or need, and 77 per cent cite ''rush to release'' pressures as a primary reason why mobile apps contain vulnerable code. 

Of the companies that actually do scan for vulnerabilities before deploying apps to the market, only 15 per cent of them test their apps as frequently as needed to be effective.

As BYOD rises, mobile risks increase
BYOD has become increasingly popular, if not a necessity, for organisations. The challenge arises when employees connect to unsecured networks or download insecure apps from untrusted sources, which leave the device vulnerable to malware. As uncovered by the Ponemon Institute's findings, even apps from trusted organizations and available in traditional app stores can carry enormous risks.

According to the Ponemon study, though most employees are ''heavy users of apps,'' over half (55 per cent) state their organisation does not have a policy which defines the acceptable use of mobile apps in the workplace, and a large majority – 67 per cent – of companies allow employees to download non-vetted apps to their work devices. Additionally, 55 per cent of organisations say employees are permitted to use and download business apps on their personal devices (BYOD).

IBM MobileFirst Protect adds mnobile threat management
To defend against cyber-criminals taking advantage of this immense opportunity, IBM has introduced a new mobile threat management (MTM) technology into its IBM MobileFirst Protect offering (formerly MaaS360).

Using advanced cyber-threat and intelligence technology, IBM MobileFirst Protect Threat Management automatically detects suspicious activities on mobile endpoints, and stops malware the moment a device is breached. Delivered through the cloud and updated over-the-air, this technology enables organisations to be well-armed at all times against rapidly evolving and sophisticated threats and attacks.

IBM MobileFirst Protect Threat Management now provides automatic and highly intuitive protection against would-be hackers, who are increasingly targeting corporate and personal mobile devices (BYOD) used for work.

Built by IBM Security, the offering's new threat management technology integrates the flexible power of cloud, the comprehensive control of enterprise mobility management, and the most sophisticated defense tools yet created against malware and mobile fraud.