That was the major conclusion from an IBM/Ponemon study released last week, which found that large companies, including many in the Fortune 500, aren’t properly securing the mobile apps they build for customers or their corporate and BYOD mobile devices. (Read the entire study.)
The study, which researched security practices in over 400 large organisations, found:
- 40 percent of large companies aren’t scanning the apps they build for customers for vulnerabilities, creating enormous windows of opportunity for cyber criminals.
- The average company today tests less than half of the apps it builds for security flaws.
- 33 percent of organisations never test their mobile apps before putting them on the market.
- During the creation of mobile apps, end user convenience is trumping end user security and privacy. According to the study, 65 percent of organisations state the security of their apps is often put at risk because of customer demand or need, and 77 percent cite ‘rush to release’ pressures as a primary reason why mobile apps contain vulnerable code.
- Of the companies that actually do scan for vulnerabilities before deploying apps to the market, only 15 percent of them test their apps as frequently as needed to be effective.
- Among the organisations, each spent an average of US$34 million annually on mobile app development. Of this tremendous budget, however, only 5.5 percent is currently being allocated to ensuring that mobile apps are secure against cyber-attacks before they are made available to users.
- A full 50 percent of companies devote no budget to security.
- There is a dearth of trained and expert security professionals. Only 41 percent of respondents say their organisation has sufficient mobile application security expertise.
- Organisations lack policies that provide guidance on employees’ use of mobile apps. The findings reveal most employees are ‘heavy users of apps’, but 55 percent of respondents say their organisation does not have a policy that defines the acceptable use of mobile apps in the workplace.
“Building security into mobile apps is not top of mind for companies, giving hackers the opportunity to easily reverse engineer apps, jailbreak mobile devices and tap into confidential data,” said Caleb Barlow, vice president of Mobile Management and Security at IBM in a statement. “Industries need to think about security at the same level on which highly efficient, collaborative cyber criminals are planning attacks.”
At any given time, malicious code is infecting more than 11.6 million mobile devices, opening up a large new world of data for cyber thieves to raid. According to IBM X-Force research, in 2014 alone, over one billion pieces of personally identifiable information were compromised as a result of cyber-attacks. The study also noted that the upward trend in mobile cyber thievery is compounded by the blurry line between professional and personal mobile use.
“A significant majority of organisations (67 percent) allow their employees to download non-vetted apps on their work devices. By rooting a BYOD or corporate device through the many security flaws which exist in unsecured apps, hackers can easily access sensitive files and documents, personal data, or hijack a device’s camera or microphone to spy on business meetings,” the study found.