
Ponemon Institute Reviews Key Findings from “2017 State of Mobile & IoT Application Security Study"


Mobile and Internet of Things (IoT) applications continue to be released at a rapid pace. But organizations’ rush-to-release of new applications to meet rapidly-evolving user demand can jeopardize the applications’ level of security protection.

View these slides from our January 18th webinar, where Larry Ponemon from the Ponemon Institute, Arxan Technologies and IBM Security review findings from our brand-new mobile & IoT application security study.


  1. Sponsored by IBM and Arxan Technologies. Dr. Larry Ponemon, Ponemon Institute; Neil K. Jones, IBM Security; Mandeep Khera, Arxan Technologies. 2017 Study on Mobile and Internet of Things Application Security
  2. Agenda
     • Overview of “2017 State of Mobile and IoT Application Security” study
     • Key findings
     • Risk of mobile and IoT applications
     • Are organizations mobilized to reduce security risk?
     • Current security practices in place
     • Survey methodology
     • Q&A session
  3. Presenters: Neil K. Jones, Application Security Market Segment Manager, IBM Security; Dr. Larry Ponemon, Chairman and Founder, Ponemon Institute; Mandeep Khera, Chief Marketing Officer, Arxan Technologies
  4. Purpose of the study. The purpose of this research is to understand how companies are reducing the risk of mobile apps and Internet of Things (IoT) in the workplace. The risks created by mobile apps have been well researched and documented. This study reveals how companies are unprepared for risks created by vulnerabilities in IoT apps. (Slide footer: January 18, 2017, Ponemon Institute Presentation, Private and Confidential)
  5. Sample response
     Sample response                 Frequency   Percentage
     Sampling frame                     16,450       100.0%
     Total returns                         651         4.0%
     Rejected or screened surveys           58         0.4%
     Final sample                          593         3.6%
  6. A summary of key findings in this research
     • Many organizations are worried about an attack against mobile and IoT apps that are used in the workplace.
     • Organizations have no confidence or are not confident that they know all mobile and IoT apps in the workplace.
     • The use of mobile and IoT apps is a threat to a strong security posture.
     • Mobile and IoT risks exist because end-user convenience is considered more important than security.
     • The functions most responsible for mobile and IoT security reside outside the security function.
     • Hacking incidents and regulations drive growth in budgets.
     • Despite the risk, there is a lack of urgency to address mobile and IoT security threats.
     • Malware is believed to pose a greater threat to mobile apps than to IoT apps.
  7. Section: The risk of mobile and IoT apps
  8. How difficult is it to secure mobile and IoT apps? (1 = easy to 10 = very difficult; 7+ responses reported)
     • Level of difficulty in securing IoT apps: 84%
     • Level of difficulty in securing mobile apps: 69%
  9. How concerned is your organization about getting hacked through a mobile or an IoT app? (Very concerned and Concerned responses combined)
     • Hacked through an IoT app: 58%
     • Hacked through a mobile app: 53%
  10. How concerned is your organization about the threat of malware to mobile and IoT apps? (1 = no concern to 10 = very concerned; 7+ responses reported)
     • Threat of malware to mobile apps: 84%
     • Threat of malware to IoT apps: 66%
  11. How significantly does employees’ use of mobile and IoT apps affect your organization’s security risk posture? (Very significant and Significant increase responses combined)
     • Use of mobile apps: 79%
     • Use of IoT apps: 75%
  12. How confident are you that your organization knows all of the mobile and IoT apps in the workplace? (Not confident and No confidence responses combined)
     • Knowledge of all the IoT apps used by employees in the workplace: 75%
     • Knowledge of all the mobile applications used by employees in the workplace: 63%
  13. How important is end-user convenience when building and/or deploying mobile and IoT apps? (1 = not important to 10 = very important; 7+ responses reported)
     • End-user convenience when building and/or deploying IoT apps in the workplace: 68%
     • End-user convenience when building and/or deploying mobile apps in the workplace: 62%
  14. Who is primarily responsible for the security of mobile and IoT apps? (chart with two series)
     Categories: No one person is responsible; Head, quality assurance; User of mobile apps; Head, application development; CISO/CSO; Lines of business (LOB); CIO/CTO.
     Series: Responsible for the security of mobile apps; Responsible for the security of IoT apps.
     Values as extracted from the chart, in category order: 11% 2% 16% 31% 5% 21% 14% and 11% 3% 8% 11% 15% 20% 32%.
  15. Would any of the following factors influence your organization to increase the budget? (Two responses permitted)
     • None of the above: 15%
     • Concern over potential loss of customers due to a security incident: 10%
     • Government incentives such as tax credits: 12%
     • Concern over potential loss of revenues due to a security incident: 15%
     • Concern over relationship with business partners and other third parties: 23%
     • Media coverage of a serious hacking incident affecting another company: 25%
     • New regulations: 46%
     • A serious hacking incident affecting your organization: 54%
  16. Section: Are organizations mobilized to reduce the risk?
  17. How concerned are you about the use of insecure mobile and IoT apps in the workplace? (1 = not concerned to 10 = very concerned; 7+ responses reported)
     • Insecure IoT apps: 70%
     • Insecure mobile applications: 64%
  18. Please rate your organization’s urgency in securing mobile and IoT apps. (1 = low urgency to 10 = high urgency; 7+ responses reported)
     • Urgency in securing IoT apps: 42%
     • Urgency in securing mobile apps: 32%
  19. Has your organization experienced a data breach or cyber attack because of an insecure mobile or IoT app? (chart with two series)
     Categories: Yes, known with certainty; Yes, most likely; Yes, likely; No, not likely.
     Series: Data breach or cyber attack caused by an insecure mobile app; Data breach or cyber attack caused by an insecure IoT app.
     Values as extracted from the chart, in category order: 11% 15% 34% 40% and 4% 11% 31% 54%.
  20. Section: Current security practices in place
  21. How often does your organization test mobile and IoT apps? (chart with two series)
     Categories: We do not test; Testing is not pre-scheduled; Every time the code changes; Unsure; Annually; Monthly.
     Series: Mobile apps; IoT apps.
     Values as extracted from the chart, in category order: 48% 26% 14% 7% 5% 0% and 26% 35% 18% 8% 10% 3%.
  22. Where are mobile and IoT apps tested? (chart with two series)
     Categories: Primarily in production; Primarily in development; Both in production and development.
     Series: Mobile apps; IoT apps.
     Values as extracted from the chart, in category order: 39% 32% 29% and 58% 26% 16%.
  23. Top five means of securing mobile and IoT apps (More than one response permitted; chart with two series)
     Categories: Security testing throughout the SDLC; Dynamic application security testing; Static application security testing; Educate developers on safe coding; Penetration testing.
     Series: Primary means of securing mobile apps; Primary means of securing IoT apps.
     Values as extracted from the chart, in category order: 15% 26% 26% 30% 39% and 30% 51% 53% 55% 57%.
  24. The most difficult OWASP mobile app security risks to mitigate (Very difficult and Difficult responses combined)
     • Lack of Binary Protection: 35%
     • Improper Session Handling: 38%
     • Security Decisions Via Untrusted Inputs: 41%
     • Insecure Data Storage: 43%
     • Insufficient Transport Layer Protection: 47%
     • Poor Authorization and Authentication: 50%
     • Client Side Injection: 60%
     • Weak Server Side Controls: 62%
     • Unintended Data Leakage: 65%
     • Broken Cryptography: 70%
  25. The main reasons why mobile and IoT apps contain vulnerable code (More than one response permitted; chart with two series)
     Categories: Other; Application development tools have inherent bugs; Lack of understanding/training on secure coding practices; Incorrect permissions; Lack of quality assurance and testing procedures; Malicious coding errors; Lack of internal policies or rules that clarify security requirements; Accidental coding errors; Rush to release pressures on application development team.
     Series: Reason why IoT apps contain vulnerable code; Reason why mobile apps contain vulnerable code.
     Values as extracted from the chart, in category order: 4% 21% 33% 36% 40% 48% 51% 65% 69% and 3% 18% 30% 36% 55% 44% 49% 65% 75%.
  26. Section: Methods
  27. Current position level within the organization
     • Senior Executive: 2%
     • Vice President: 3%
     • Director: 16%
     • Manager: 22%
     • Supervisor: 15%
     • Technician/Staff: 40%
     • Contractor: 2%
  28. The primary person reported to within the organization
     • Chief Information Officer: 54%
     • Chief Information Security Officer: 18%
     • Chief Technology Officer: 9%
     • Chief Risk Officer: 6%
     • Chief Security Officer: 4%
     • Chief Operating Officer: 2%
     • Compliance Officer: 2%
     • Data center management: 2%
     • Other: 3%
  29. Primary industry classification
     • Financial services: 18%
     • Health & pharmaceuticals: 11%
     • Public sector: 10%
     • Services: 10%
     • Industrial & manufacturing: 9%
     • Retail: 9%
     • Technology & software: 8%
     • Consumer products: 5%
     • Energy & utilities: 5%
     • Entertainment & media: 3%
     • Hospitality: 3%
     • Communications: 2%
     • Education & research: 2%
     • Transportation: 2%
     • Other: 3%
  30. Worldwide headcount of the organization
     • Less than 100: 8%
     • 100 to 500: 13%
     • 501 to 1,000: 21%
     • 1,001 to 5,000: 25%
     • 5,001 to 25,000: 17%
     • 25,001 to 75,000: 9%
     • More than 75,000: 7%
  31. Arxan and IBM End-to-End Mobile and IoT Security Solution (architecture diagram; labels: Enterprise Applications and Cloud Services; Identity, Fraud, and Data Protection; Data; Personal and Consumer; Enterprise)
     • Device Security: provision, manage and secure corporate and BYOD devices
     • Content Security: secure enterprise content sharing and segregate enterprise and personal data
     • Application Security: develop secure, vulnerability-free, hardened and risk-aware applications
     • Identity & Access: secure access and transactions for customers, partners and employees
     • Security Intelligence: a unified architecture for integrating mobile security information and event management (SIEM), log management, anomaly detection, and configuration and vulnerability management
     Products shown: IBM QRadar Security Intelligence Platform; IBM MobileFirst Protect (MaaS360); IBM Security AppScan, Arxan Application Protection, IBM Trusteer Mobile SDK; IBM Security Access Manager for Mobile, IBM Trusteer Pinpoint. © Copyright IBM Corporation 2016. All rights reserved.
  32. Resources to learn more
     • Link to study: 2017 State of Mobile & IoT Application Security
     • Related blog: Is IoT Security a Ticking Time Bomb?
     • Learn more about the IBM Security & Arxan Technologies partnership
  33. Q&A. Ponemon Institute, Toll Free: 800.887.3118; Michigan HQ: 2308 US 31 N., Traverse City, MI 49686 USA; research@ponemon.org. Neil K. Jones, nkjones@us.ibm.com. Mandeep Khera, mkhera@arxan.com
  34. Caveats. There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.
     • Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
     • Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are involved in the security of mobile and IoT applications in their organizations. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a Web-based collection method, it is possible that non-Web responses by mailed survey or telephone call would result in a different pattern of findings.
     • Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.
