Last week, the Ponemon Institute unveiled a new study commissioned by IBM that examines how more than 400 large organizations, including those we tend to inherently trust – Fortune 500 companies in the banking, retail, health and public sectors – develop mobile apps, and how secure they are before they reach the hands of consumers.
The findings were troubling. 40 percent of companies do not scan their apps for cybersecurity vulnerabilities before making them available, creating huge windows of opportunity for data breaches. The average company tests fewer than half of the mobile apps it builds, and 33 percent never test their apps.
Even more shocking is that 50 percent of companies dedicate zero budget towards securing the mobile apps they build for customers, who often — and without hesitation — upload some of their most confidential billing, personal, and business data.
And companies are leaving their own data just as exposed. Despite the huge security risk posed by employees using these vulnerable apps on work devices, businesses are not protecting themselves from a mobile-rooted data breach. The Ponemon study found that a tremendous number of large organizations — 67 percent — allow their employees to download unverified, personal apps on their work devices, the same phones and tablets that can also access highly confidential customer records and business data.
This lack of security and control opens up a playground to hackers who can take advantage of rooted and jailbroken devices. They can then easily steal sensitive files and documents, personal data, or even hijack a device’s camera or microphone to spy on business meetings.
A number of vendors, such as Citrix, Arxan, Appthority, and my own company, IBM, are bringing solutions to market to instantly detect and destroy malware threats on mobile devices. But the question remains, what will it take for companies to begin investing in mobile security?
At any given time last year, mobile malware was infecting more than 11.6 million mobile devices. And the costs of data breaches through employee devices — including loss of highly confidential customer information (and their loyalty), brand reputation, and incredibly sensitive business documents — are estimated at more than $11 million, not even factoring in the number of current and future customers lost when a brand becomes associated with compromised security.
In 2014, the Ponemon Institute’s Cost of a Data Breach Survey showed that data breaches can cost companies more than $5 million in total. These costs have motivated companies to start heavily investing in the security of their computers, servers, and traditional IT, but, as this year’s study shows, not mobile apps. Perhaps this is because we haven’t seen a huge number of breaches through the mobile avenue yet. However, with so many devices, and so much data, the opportunity for hackers to access business data via mobile devices is like shooting fish in a barrel. And as these attacks start becoming a huge issue, resulting in large financial and brand reputation losses, companies will be forced to take action.
Subbu Sthanu is Director of Mobile Security and Application Security at IBM. Prior to working at IBM, Subbu served on the leadership teams of security software vendors like Novell, NetIQ, Trustwave, and BeyondTrust, heading up product management, marketing, corporate development, and business operations functions for data, network, web, email, people, and cloud & managed security solutions.