“Security is not baked into the technologies.”
I wish I had a dollar for every time a security expert said that or something similar to me as we lamented how difficult good cybersecurity is to maintain. The problem, they have repeatedly told me, is that the Internet and most applications were never designed with security in mind. It’s a concern that we’re going to see a lot more of with the rise of the Internet of Things, because we know many of these devices were never meant to be hooked up to anything more than an electrical outlet.
However, these same security experts also expressed hope that, as we see the kind of damage that can be done via malicious behaviors and attacks, developers would incorporate security into new technologies and software.
Unfortunately, that’s not happening, according to a new study from IBM Security and the Ponemon Institute, at least not when it comes to the development of mobile apps. A formal release about the study stated that the report:
“Found that the average company tests less than half of the mobile apps they build. Also, 33 percent of companies never test their apps - creating a plethora of entry points to tap into business data via unsecured devices. While these numbers may seem shocking, they aren't surprising when considering that a full 50 percent of these organizations were found to devote zero budget whatsoever towards mobile security.”
As an eWeek story pointed out, mobile apps are quickly becoming a hacker’s treasure trove:
“Hackers are now taking advantage of the popularity of insecure mobile apps, public WiFi networks and more to break into the highly valuable data often housed on BYOD and corporate mobile devices. Further, they're also tapping mobile devices as an entry portal into an organization's broader, confidential internal network.”
Corporations have the chance to really do something about the security of the apps they are developing and to show that they respect the personal data of their customers, clients and employees. But they aren’t. My first reaction is to ask if they have learned nothing from the recent spate of data breaches and the collateral damage done to companies. However, the Target breach and the others did not happen because of a security-flawed mobile app.
It’s bound to happen, though, as more commerce and business transactions take place on mobile devices, and I wouldn’t be surprised if a major security breach via a mobile app happens in the next six months. It would be a breach that could be prevented, though, if companies took app security more seriously or if security were integrated into the development and testing phases.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba