Mobile and Internet of Things (IoT) applications continue to be released at a rapid pace. But the rush to release new applications to meet rapidly evolving user demand can jeopardize the security of those applications.
View these slides from our January 18th webinar, where Larry Ponemon from the Ponemon Institute, Arxan Technologies and IBM Security review findings from our brand-new mobile & IoT application security study.
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Application Security Study"
1. Sponsored by IBM and Arxan Technologies
Dr. Larry Ponemon, Ponemon Institute
Neil K. Jones, IBM Security
Mandeep Khera, Arxan Technologies
2017 Study on Mobile and Internet of Things Application Security
2. Agenda
Overview of “2017 State of Mobile and IoT Application Security” study
Key findings
Risk of mobile and IoT applications
Are organizations mobilized to reduce security risk?
Current security practices in place
Survey methodology
Q&A session
3. Presenters
Neil K. Jones, Application Security Market Segment Manager, IBM Security
Dr. Larry Ponemon, Chairman and Founder, Ponemon Institute
Mandeep Khera, Chief Marketing Officer, Arxan Technologies
4. Purpose of the study
The purpose of this research is to understand how companies are reducing the risk of mobile apps and Internet of Things (IoT) in the workplace. The risks created by mobile apps have been well researched and documented. This study reveals how companies are unprepared for risks created by vulnerabilities in IoT apps.
January 18, 2017 Ponemon Institute Presentation Private and Confidential 3
5. Sample response
Sample response                 Frequency   Percentage
Sampling frame                     16,450       100.0%
Total returns                         651         4.0%
Rejected or screened surveys           58         0.4%
Final sample                          593         3.6%
6. A summary of key findings in this research
• Many organizations are worried about an attack against mobile and IoT apps that are used in the workplace.
• Organizations have no confidence or are not confident that they know all the mobile and IoT apps in the workplace.
• The use of mobile and IoT apps is a threat to a strong security posture.
• Mobile and IoT risks exist because end-user convenience is considered more important than security.
• The functions most responsible for mobile and IoT security reside outside the security function.
• Hacking incidents and regulations drive growth in budgets.
• Despite the risk, there is a lack of urgency to address mobile and IoT security threats.
• Malware is believed to pose a greater threat to mobile apps than to IoT apps.
7. The risk of mobile and IoT apps
8. How difficult is it to secure mobile and IoT apps?
1 = easy to 10 = very difficult; 7+ responses reported
Level of difficulty in securing IoT apps: 84%
Level of difficulty in securing mobile apps: 69%
9. How concerned is your organization about getting hacked through a mobile or an IoT app?
Very concerned and Concerned responses combined
Hacked through an IoT app: 58%
Hacked through a mobile app: 53%
10. How concerned is your organization about the threat of malware to mobile and IoT apps?
1 = no concern to 10 = very concerned; 7+ responses reported
Threat of malware to mobile apps: 84%
Threat of malware to IoT apps: 66%
11. How significantly does employees’ mobile and IoT app use affect your organization’s security risk posture?
Very significant and Significant increase responses are combined
Use of mobile apps: 79%
Use of IoT apps: 75%
12. How confident are you that your organization knows all of the mobile and IoT apps in the workplace?
Not confident or No confidence responses are combined
Knowledge of all the IoT apps used by employees in the workplace: 75%
Knowledge of all the mobile applications used by employees in the workplace: 63%
13. How important is end-user convenience when building and/or deploying mobile and IoT apps?
1 = not important to 10 = very important; 7+ responses reported
End-user convenience when building and/or deploying IoT apps in the workplace: 68%
End-user convenience when building and/or deploying mobile apps in the workplace: 62%
14. Who is primarily responsible for the security of mobile and IoT apps?
Responsible for the security of:     Mobile apps   IoT apps
No one person is responsible                 11%        11%
Head, quality assurance                       2%         3%
User of mobile apps                          16%         8%
Head, application development                31%        11%
CISO/CSO                                      5%        15%
Lines of business (LOB)                      21%        20%
CIO/CTO                                      14%        32%
15. Would any of the following factors influence your organization to increase the budget?
Two responses permitted
A serious hacking incident affecting your organization: 54%
New regulations: 46%
Media coverage of a serious hacking incident affecting another company: 25%
Concern over relationship with business partners and other third parties: 23%
Concern over potential loss of revenues due to a security incident: 15%
Government incentives such as tax credits: 12%
Concern over potential loss of customers due to a security incident: 10%
None of the above: 15%
16. Are organizations mobilized to reduce the risk?
17. How concerned are you about the use of insecure mobile and IoT apps in the workplace?
1 = not concerned to 10 = very concerned; 7+ responses reported
Insecure IoT apps: 70%
Insecure mobile applications: 64%
18. Please rate your organization’s urgency in securing mobile and IoT apps.
1 = low urgency to 10 = high urgency; 7+ responses reported
Urgency in securing IoT apps: 42%
Urgency in securing mobile apps: 32%
19. Has your organization experienced a data breach or cyber attack because of an insecure mobile or IoT app?
Caused by:                    Insecure mobile app   Insecure IoT app
Yes, known with certainty                     11%                4%
Yes, most likely                              15%               11%
Yes, likely                                   34%               31%
No, not likely                                40%               54%
20. Current security practices in place
21. How often does your organization test mobile and IoT apps?
                                Mobile apps   IoT apps
We do not test                          48%        26%
Testing is not pre-scheduled            26%        35%
Every time the code changes             14%        18%
Unsure                                   7%         8%
Annually                                 5%        10%
Monthly                                  0%         3%
22. Where are mobile and IoT apps tested?
                                      Mobile apps   IoT apps
Primarily in production                       39%        58%
Primarily in development                      32%        26%
Both in production and development            29%        16%
23. Top five means of securing mobile and IoT apps
More than one response permitted
Primary means of securing:                Mobile apps   IoT apps
Penetration testing                               39%        57%
Educate developers on safe coding                 30%        55%
Static application security testing               26%        53%
Dynamic application security testing              26%        51%
Security testing throughout the SDLC              15%        30%
24. The most difficult OWASP mobile app security risks to mitigate
Very difficult and Difficult responses combined
Broken Cryptography: 70%
Unintended Data Leakage: 65%
Weak Server Side Controls: 62%
Client Side Injection: 60%
Poor Authorization and Authentication: 50%
Insufficient Transport Layer Protection: 47%
Insecure Data Storage: 43%
Security Decisions Via Untrusted Inputs: 41%
Improper Session Handling: 38%
Lack of Binary Protection: 35%
25. The main reasons why mobile and IoT apps contain vulnerable code
More than one response permitted
Reason why apps contain vulnerable code:                                IoT apps   Mobile apps
Rush to release pressures on application development team                   69%           75%
Accidental coding errors                                                    65%           65%
Lack of internal policies or rules that clarify security requirements       51%           49%
Malicious coding errors                                                     48%           44%
Lack of quality assurance and testing procedures                            40%           55%
Incorrect permissions                                                       36%           36%
Lack of understanding/training on secure coding practices                   33%           30%
Application development tools have inherent bugs                            21%           18%
Other                                                                        4%            3%
27. Current position level within the organization
Senior Executive: 2%
Vice President: 3%
Director: 16%
Manager: 22%
Supervisor: 15%
Technician/Staff: 40%
Contractor: 2%
28. The primary person reported to within the organization
Chief Information Officer: 54%
Chief Information Security Officer: 18%
Chief Technology Officer: 9%
Chief Risk Officer: 6%
Chief Security Officer: 4%
Chief Operating Officer: 2%
Compliance Officer: 2%
Data center management: 2%
Other: 3%
29. Primary industry classification
Financial services: 18%
Health & pharmaceuticals: 11%
Public sector: 10%
Services: 10%
Industrial & manufacturing: 9%
Retail: 9%
Technology & software: 8%
Consumer products: 5%
Energy & utilities: 5%
Entertainment & media: 3%
Hospitality: 3%
Communications: 2%
Education & research: 2%
Transportation: 2%
Other: 3%
30. Worldwide headcount of the organization
Less than 100: 8%
100 to 500: 13%
501 to 1,000: 21%
1,001 to 5,000: 25%
5,001 to 25,000: 17%
25,001 to 75,000: 9%
More than 75,000: 7%
32. Resources to learn more
• Link to study: 2017 State of Mobile & IoT Application Security
• Related blog: Is IoT Security a Ticking Time Bomb?
• Learn more about the IBM Security & Arxan Technologies partnership
33. Q&A
Ponemon Institute
Toll Free: 800.887.3118
Michigan HQ: 2308 US 31 N.
Traverse City, MI 49686 USA
research@ponemon.org
Neil K. Jones
nkjones@us.ibm.com
Mandeep Khera
mkhera@arxan.com
34. Caveats
There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.
• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
• Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are involved in mobile and IoT application security in their organizations. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a Web-based collection method, it is possible that non-Web responses by mailed survey or telephone call would result in a different pattern of findings.
• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.