The staggering rate of adoption of IoT devices is enabling uncountable innovations in the way businesses and individuals can achieve their goals. The pace of adoption also eliminates the traditional, well-thought-out and paced rollouts within the Enterprise. If you stop to do traditional vetting, testing and documentation, either the opportunity to gain a competitive advantage is missed, or the need and/or technology solution moves in a leapfrog fashion onto the next solution set. This dynamic forces the hand of Enterprise management to accept the security risks inherent in fast-tracking the implementation of the next hot technology. The shortage of highly skilled Security Engineers to deal with the security gaps, as they become apparent after or during implementation, compounds the security issues. It is critical that organizations engage with one or more trusted security provider organizations that can be relied on to assist during project rollouts and provide ongoing 7x24x365 SOC monitoring.
Kevin Lynch, CNI
80% of IoT apps not tested for vulnerabilities, report says
A new report from the Ponemon Institute, IBM, and Arxan claims that just 20% of IoT apps and 29% of mobile apps are actually tested for vulnerabilities, raising security concerns.
By Conner Forrest | January 18, 2017, 6:28 AM PST
A staggering 80% of Internet of Things (IoT) applications and 71% of mobile applications are not tested for vulnerabilities, according to a new report released Wednesday. The report, issued by the Ponemon Institute, surveyed 16,450 IT and IT security professionals who worked in mobile and IoT app security at their organization.
One element that could contribute to the poor testing numbers is the lack of QA and testing methods for IoT, which 55% of respondents said was the case. Overall, 84% said that IoT apps, in general, were more difficult to secure than mobile apps, while 69% said mobile apps were more difficult.
Organizations surveyed said they were concerned about attacks occurring through each of these channels. Of the respondents, 58% were more concerned about a breach occurring through an IoT app, while 53% were more concerned about it happening through a mobile app.
Despite the worry, these organizations aren’t doing much to mitigate the risk. According to the report, 44% said they aren’t taking any steps to prevent an attack, and 11% said they aren’t sure if their organization is taking any preventative measures.
Many of these respondents had actually experienced a breach through one of these vectors in the past. About 60% of those surveyed were certain that their organization dealt with a security issue as a result of a mobile app, and 46% were sure of the same occurrence with an IoT app. And, despite the past problems and acknowledged risks, only 32% said they urgently want to secure mobile apps, and 42% said they want to urgently secure apps for IoT, according to the report.
“Factors revealed in this study may help to explain the lack of urgency,” said Larry Ponemon, founder of the Ponemon Institute, in a press release. “Respondents voiced minimal budget allocation, and those responsible for stopping attacks are not in the security function, but rather other lines of business. Without proper budget or oversight, these threats aren’t being taken seriously and it should come as no surprise for mobile and IoT applications to be the culprit of major data breaches to come.”
Additionally, roughly 30% of respondents said that there is sufficient budget allocated to protect these kinds of apps. But becoming the victim of a serious attack might cause them to consider increasing the budget.
“Mobile and IoT applications continue to be released at a rapid pace to meet user demand. If security isn’t designed into these apps there could be significant negative impacts,” Diana Kelley, global executive security advisor at IBM Security, said in a press release.
It should be noted that, while this report was issued by Ponemon, it was sponsored by IBM Security and Arxan, a company that provides mobile and IoT security solutions.
The 3 big takeaways for readers
- Only 20% of IoT apps and 29% of mobile apps are tested for vulnerabilities, according to a new report from the Ponemon Institute.
- Even though many organizations acknowledge the risk of an attack, or have been victims of a breach, many aren’t taking any steps to further secure these attack vectors.
- There isn’t proper budget or oversight given to these threats, which could explain the lack of urgency, the report found.