Do you think your users' mobile devices pose little or no security threat? If so, you're like most IT executives and most ordinary users as well. In a recent survey commissioned by the application protection company Arxan Technologies, 83 percent of average users and a surprising 87 percent of IT executives agreed with the statement, "I feel my mobile applications are adequately secure." When Arxan examined the most popular mobile apps, 90 percent had security vulnerabilities. To get some perspective on these findings — and find out what we should all do about them — the Enterprisers Project interviewed Sam Rehman, CTO of Arxan.
The Enterprisers Project (TEP): Your research revealed some frightening numbers about what users believe about device security compared to reality. Why do you think users have such a false idea of the security of their mobile devices?
Rehman: Users are typically not expected to understand all of the risks associated with using applications on their devices. There are also many false assumptions that security can be assured if they download apps from well-known app stores. In essence, users feel that there are adequate security controls in place to help ensure apps can be trusted. I feel the reality is quite different. There are an incredible number of apps on app stores, as well as highly recommended apps by major commercial institutions and government organizations that are highly vulnerable to things like data compromise and other significant risks.
TEP: There is, of course, a difference between vulnerability and an actual hack or intrusion. How often do these vulnerabilities get exploited?
Rehman: According to several sources, between 54 and 84 percent of cyberattacks are occurring at the application layer. This data means that there are actual attempts to exploit these vulnerabilities. These types of attacks are only expected to increase due to the continued dramatic rise in mobile and IoT, and applications represent the soft, vulnerable underbelly for organizations. Devices have been shown time and time again to be vulnerable, from hospital infusion pumps to remotely accessed automobile controls. The good news is that no catastrophic incidents have been prevalently reported. However, we are at a tipping point where there have been numerous wake-up calls for organizations to adapt their security strategies to be better prepared for the new wave of risks and threats that are in front of them.
TEP: What are some telltale signs that your device has been breached?
Rehman: One of the greatest challenges is knowing if a device has been compromised and violated. In many cases, there are very few indicators to point to. In many situations, devices may run slowly, may not function as intended, and may simply shut down. These indicators can mirror faulty devices rather than indicate a breach, which makes identifying a breach tough.
TEP: What sorts of policies and guidelines should IT leaders put in place to avoid having sensitive data breached via mobile devices?
Rehman: There are many policies and security best practices that IT leaders should put in place. Policies should include data protection practices such as using strong passwords, auto-locking devices after periods of inactivity, requiring regular backups, and other such practices. Other policies should designate which classes of employees can use their personal devices to access the network, among other BYOD (bring your own device) policies.
TEP: One survey result I found fascinating is that almost half of both application executives and users expected their apps to be hacked within six months. Why do you think people have such a pessimistic view of future app security (although they mostly seem confident in their current security)?
Rehman: One perspective on this is that users and executives see the regular rise in security breaches. Also, technology is advancing at a faster rate than security's ability to keep up with it. The dramatic increase in interconnectivity of applications is fueling even greater uncertainty in security assurance. Moreover, breaches regularly appear in today's media headlines. While there are some organizations that are implementing smart, robust application security measures such as application self-protection security controls, many still are not.
TEP: What are the biggest mistakes CIOs make in this area? What advice do you have for them about mobile security and user behavior?
Rehman: Interestingly, many CIOs tend to view applications as a relatively small component of their overall portfolio, tending to lean on their underlings to manage them. However, the criticality of securing applications — whether mobile, embedded (IoT), desktop, or other apps — should be a more prominent consideration for CIOs.
In fact, according to an IBM/Ponemon study last year, 50 percent of organizations surveyed had zero dollars allocated for mobile application security. The amount of security investment was very heavily weighted towards network security. While this is undoubtedly important, it is essential for CIOs to balance their risk/investment equation and pay more attention to weak links like applications, which are being much more heavily targeted.