According to a study released by Ponemon Institute, 80 per cent of IoT apps are not tested for vulnerabilities, and there is a lack of urgency to address these vulnerabilities.
The study surveyed 593 IT and IT security practitioners who are involved in securing mobile and IoT applications and are familiar with their organisation’s security practices during the development of these applications and devices. Participating organisations include users of mobile apps and IoT devices, developers/manufacturers of mobile apps and IoT devices, as well as those that both use and develop mobile apps and IoT devices.
The study found the following trends:
- The risk of unsecured IoT apps is growing: 84 per cent of respondents say IoT apps are more difficult to secure than mobile apps, and 55 per cent of respondents say there is a lack of quality assurance and testing procedures for IoT apps.
- Organisations are doing little to arm themselves against attack: Despite saying they are concerned about being hacked through IoT and mobile apps, 44 per cent of respondents say they are taking no steps to protect themselves. In fact, 63 per cent of respondents are not sure that their organisation is aware of all of the mobile apps used in the workplace, and this statistic is even worse for IoT apps at 75 per cent.
- The wrong people are being left in charge of security: Only 15 per cent of respondents say the chief information security officer (CISO) is most responsible, and 11 per cent say application development is primarily responsible. The head of product engineering (31 per cent) and lines of business (21 per cent) are most commonly in charge of security.
- Organisations are waiting to be hacked before allocating money to security: Only 30 per cent of respondents say their organisation allocates sufficient budget to protect mobile apps and IoT devices. Fifty-four per cent say their organisations would consider increasing their budget following a serious hacking incident. Other reasons to increase the budget include new regulations being issued (46 per cent) and media coverage of a serious hacking incident affecting another company (25 per cent).
- There is a lack of urgency to address security risks: Only 32 per cent of respondents say their organisation urgently wants to secure mobile apps, and 42 per cent say their organisation urgently wants to secure IoT apps. More focus is being given to lines of business, development and engineering.
- Most mobile and IoT apps are not tested for vulnerabilities: On average, only 29 per cent of mobile apps and 20 per cent of IoT apps are tested for vulnerabilities. On average, 30 per cent of mobile apps and 38 per cent of IoT apps tested contain significant vulnerabilities.
- Rush to release is the main reason for apps containing vulnerable code: 69 per cent of respondents cite pressure on the development team as the reason that mobile apps contain vulnerable code. For IoT devices, this statistic is 75 per cent. Coding errors in mobile and IoT apps are another reason for vulnerable code (65 per cent of respondents). Other issues include a lack of internal policies or rules that clarify security requirements.