2017 Study On Mobile And Internet Of Things Application Security

Organizations have no confidence or are not confident they know all of the mobile and IoT apps in the workplace. As shown in Figure 5, 63 percent of respondents are not confident (30 percent) or have no confidence (33 percent) their organizations know all of the mobile applications used by employees. An even larger percentage of respondents (75 percent) are not confident (38 percent) or have no confidence (37 percent) that they know all of the IoT apps in the workplace. However, respondents estimate that the average number of mobile apps in their organizations is 472 and the average number of IoT apps is 241. Figure 5. How confident are you that your organization knows all of the mobile and IoT apps in the workplace? Not confident or No confidence responses are combined 80% 75% 70% 63% 60% 50% 40% 30% 20% 10% 0% Knowledge of all the IoT apps used by employees in the workplace Ponemon Institute Research Report Knowledge of all the mobile applications used by employees in the workplace Page 7

Mobile and IoT risks exist because end-user convenience is considered more important than security. The security of apps often does not receive the priority it needs because of pressures to ensure mobile and IoT apps are easy to use. As shown in Figure 6, 62 percent of respondents rate end-user convenience when building and/or deploying mobile apps in the workplace as important and 68 percent of respondents rate end-user convenience when building and/or deploying IoT apps in the workplace as important considerations. Figure 6. How important is end-user convenience when building and/or deploying mobile and IoT apps? 1 not important to 10 very important, 7 responses reported 80% 70% 68% 62% 60% 50% 40% 30% 20% 10% 0% End-user convenience when building and/or deploying IoT apps in the workplace End-user convenience when building and/or deploying mobile apps in the workplace The organizational functions most responsible for mobile and IoT security reside outside the security function. As shown in Figure 7, only 15 percent of respondents say the CISO is most responsible and only 11 percent of respondents say application development is primarily responsible for security of mobile apps. In the case of IoT apps, only 5 percent of respondents say the CISO is primarily responsible. Instead, the head of product engineering and lines of business are most responsible (31 percent and 21 percent of respondents, respectively). Figure 7. Who is primarily responsible for the security of mobile and IoT apps? CIO/CTO 32% 14% 20% 21% Lines of business (LOB) CISO/CSO 15% 5% 11% Head, application development 8% User of mobile apps 31% 16% 3% 2% Head, quality assurance 11% 11% No one person is responsible 0% 5% 10% Responsible for the security of mobile apps Ponemon Institute Research Report 15% 20% 25% 30% 35% Responsible for the security of IoT apps Page 8

Not enough resources are being allocated. Only 30 percent of respondents say their organization allocates sufficient budget to protect mobile apps and IoT devices. As shown in Figure 8, if they had a serious hacking incident, their organizations would consider increasing the budget (54 percent of respondents). Other reasons to increase the budget are if new regulations were issued (46 percent of respondents) or if they were exposed to media coverage of a serious hacking incident affecting another company (25 percent of respondents). Figure 8. Would any of the following factors influence your organization to increase the budget? Two responses permitted A serious hacking incident affecting your organization 54% New regulations 46% Media coverage of a serious hacking incident affecting another company 25% Concern over relationship with business partners and other third parties 23% Concern over potential loss of revenues due to a security incident 15% 12% Government incentives such as tax credits Concern over potential loss of customers due to a security incident 10% None of the above 15% 0% Ponemon Institute Research Report 10% 20% 30% 40% 50% 60% Page 9

Are organizations mobilized to reduce the risk? The risk of mobile and IoT apps in the workplace is recognized. As shown in Figure 9, 70 percent of respondents are very concerned about the use of insecure IoT apps and 64 percent are very concerned about the use of insecure mobile applications in the workplace. Figure 9. How concerned are you about the use of insecure mobile and IoT apps in the workplace? 1 not concerned to 10 very concerned, 7 responses reported 80% 70% 70% 64% 60% 50% 40% 30% 20% 10% 0% Insecure IoT apps Insecure mobile applications Despite the risk, there is a lack urgency to address the threat. According to Figure 10, only 32 percent of respondents say their organization urgently wants to secure mobile apps and 42 percent of respondents say it is urgent to secure IoT apps. Factors revealed in this study that might explain the lack of urgency include the following: not enough budget being allocated to the security of these apps and the individuals most often responsible for stopping attacks are not in the security function. Rather, they reside in the lines of business, development or engineering. Figure 10. Please rate your organization’s urgency in securing mobile and IoT apps 1 low urgency to 10 high urgency, 7 responses reported 45% 42% 40% 32% 35% 30% 25% 20% 15% 10% 5% 0% Urgency in securing IoT apps Ponemon Institute Research Report Urgency in securing mobile apps Page 10

Material data breach or cyber attacks have occurred and are reasons for concern. According to Figure 11, respondents report they know with certainty (11 percent), or most likely (15 percent) or likely (34 percent) that their organization had a security incident because of an insecure mobile app. Respondents report they are less certain whether their organization had a material data breach or cyber attack due to an insecure IoT app. Forty-six percent of respondents say with certainty (4 percent), most likely (11 percent) or likely (31 percent). Figure 11. Has your organization experienced a data breach or cyber attack because of an insecure mobile or IoT app? 60% 54% 50% 40% 40% 34% 31% 30% 20% 10% 15% 11% 11% 4% 0% Yes, known with certainty Yes, most likely Yes, likely No, not likely Data breach or cyber attack caused by an insecure mobile app Data breach or cyber attack caused by an insecure IoT app Ponemon Institute Research Report Page 11

Current security practices in place Testing of mobile and IoT apps is ad hoc, if done at all. As discussed above, organizations may recognize the risk but a sense of urgency to mitigate the risk does not exist. This lack of urgency is reflected in mobile and IoT app security practices. As shown in Figure 12, 35 percent of respondents say mobile app testing is not pre-scheduled or does not occur at all (26 percent of respondents). Almost half (48 percent of respondents) say testing of IoT apps does not occur. On average only 29 percent of mobile apps and 20 percent of IoT apps are tested for vulnerabilities. An average of 30 percent of mobile apps tested contain vulnerabilities and an average of 38 percent of IoT apps tested contain significant vulnerabilities. Figure 12. How often does your organization test mobile and IoT apps? Monthly 0% Annually 3% 5% 10% 8% 7% Unsure Every time the code changes 14% 18% Testing is not pre-scheduled 26% We do not test 26% 0% 10% 20% Mobile apps 30% 35% 48% 40% 50% 60% IoT apps Testing of mobile and IoT apps often does not occur until production. According to Figure 13, 58 percent of respondents say their organization waits until IoT apps are tested in production and 39 percent of respondents say mobile apps are tested in production. Figure 13. Where are mobile and IoT apps tested? 70% 58% 60% 50% 40% 39% 32% 26% 30% 29% 16% 20% 10% 0% Primarily in production Primarily in development Mobile apps Ponemon Institute Research Report Both in production and development IoT apps Page 12

Pen testing is the primary means of securing mobile and IoT apps. The same approaches are used to secure mobile and IoT apps. As shown in Figure 14, 57 percent of respondents say the primary means of securing mobile apps is pen testing and 39 percent of respondents say pen testing is used to secure IoT apps. Fifty-five percent of respondents say their organization educates developers on safe coding for mobile apps and only 30 percent of respondents say their organization educates developers on safe coding practices for IoT apps. Figure 14. The top five means of securing mobile and IoT apps More than one response permitted 57% Penetration testing 39% 55% Educate developers on safe coding 30% 53% Static application security testing 26% 51% Dynamic application security testing 26% 30% Security testing throughout the SDLC 15% 0% 10% Primary means of securing mobile apps Ponemon Institute Research Report 20% 30% 40% 50% 60% Primary means of securing IoT apps Page 13

Broken cryptography and unintended data leakage are the most difficult mobile risks to mitigate. As shown in Figure 15, 49 percent of respondents say their organization follows guidance from the Open Web Application Security Project (OWASP). Seventy percent of respondents say broken cryptography and 65 percent say unintended data leakage are the most serious mobile app security risks. The least serious risk is the lack of binary protection. Figure 15. The most difficult OWASP mobile app security risks to mitigate Very difficult and Difficult responses combined Broken Cryptography 70% Unintended Data Leakage 65% Weak Server Side Controls 62% Client Side Injection 60% Poor Authorization and Authentication 50% Insufficient Transport Layer Protection 47% Insecure Data Storage 43% Security Decisions Via Untrusted Inputs 41% Improper Session Handling 38% Lack of Binary Protection 35% 0% Ponemon Institute Research Report 10% 20% 30% 40% 50% 60% 70% 80% Page 14

Rush to release is the main reason why both mobile and IoT apps contain vulnerable code. As revealed in Figure 16, 69 percent of respondents say pressure on the development team is why mobile apps contain vulnerable code and 75 percent of respondents say the same reason contributes to vulnerable code in IoT apps. Accidental coding errors in mobile and IoT apps are another primary reason for vulnerable code (65 percent of respondents). An additional issue affecting the security of apps is the lack of internal policies or rules that clarify security requirements. Figure 16. The main reasons why mobile and IoT apps contain vulnerable code More than one response permitted Rush to release pressures on application development team 75% 69% 65% 65% Accidental coding errors Lack of internal policies or rules that clarify security requirements 49% 51% 44% 48% Malicious coding errors Lack of quality assurance and testing procedures 40% 55% 36% 36% Incorrect permissions Lack of understanding/training on secure coding practices 30% 33% 18% 21% Application development tools have inherent bugs 3% 4% Other 0% 10% 20% 30% 40% 50% 60% 70% 80% Reason why IoT apps contain vulnerable code Reason why mobile apps contain vulnerable code Ponemon Institute Research Report Page 15

Part 3. Methods A sampling frame of 16,450 IT and IT security practitioners who are involved in the security of mobile and IoT application security and familiar with their organization’s security practices during the development of these applications and devices were selected as participants in the research. Table 1 shows 651 total returns. Screening and reliability checks required the removal of 58 surveys. Our final sample consisted of 593 surveys, or a 3.6 percent response. Table 1. Sample response Sampling frame Total returns Rejected or screened surveys Final sample Freq 16,450 651 58 593 Pct% 100.0% 4.0% 0.4% 3.6% Pie Chart 1 reports the respondent’s current position within the organization. By design, more than half of the respondents (58 percent) are at or above the supervisory levels. Pie Chart 1. Current position level within the organization 2%2% 3% 16% Senior Executive Vice President Director 40% Manager Supervisor 22% Technician/Staff Contractor 15% As shown in Pie Chart 2, 54 percent of respondents report directly to the chief information officer and 18 percent report to the chief information security officer. Pie Chart 2. The primary person reported to within the organization 2% 3% 2%2% 4% Chief Information Officer Chief Information Security Officer 6% Chief Technology Officer Chief Risk Officer 9% Chief Security Officer 54% Chief Operating Officer Compliance Officer 18% Data center management Other Ponemon Institute Research Report Page 16

Pie Chart 3 reports the industry classification of respondents’ organizations. This chart identifies financial services (18 percent of respondents) as the largest segment, followed by health and pharmaceutical (11 percent of respondents) and public services (10 percent of respondents). Pie Chart 3. Primary industry classification 2% 3% 2%2% 3% 3% 18% 5% 5% 11% 8% 10% 9% 9% 10% Financial services Health & pharmaceuticals Public sector Services Industrial & manufacturing Retail Technology & software Consumer products Energy & utilities Entertainment & media Hospitality Communications Education & research Transportation Other According to Pie Chart 4, 58 percent of the IT respondents and end user respondents are from organizations with a global headcount of more than 1,000 employees. Pie Chart 4. Worldwide headcount of the organization 7% 8% 9% 13% Less than 100 100 to 500 501 to 1,000 17% 1,001 to 5,000 5,001 to 25,000 21% 25,001 to 75,000 More than 75,000 25% Ponemon Institute Research Report Page 17

Part 4. Caveats to this study There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most Web-based surveys. ! ! ! Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument. Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are involved in the security of mobile and IoT application security in their organizations. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a Web-based collection method, it is possible that non-Web responses by mailed survey or telephone call would result in a different pattern of findings. Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses. Ponemon Institute Research Report Page 18

Appendix: Detailed Survey Results The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were captured in December 2016. Survey response Total sampling frame Total returns Rejected surveys Final sample Freq 16,450 651 58 593 Part 1. Screening S1. Do you have any role or involvement in securing mobile or IoT applications? Yes, significant involvement Yes, some involvement Yes, minimal involvement No involvement (Stop) Total Pct% 33% 40% 27% 0% 100% S2. How familiar are you with your organization’s security practices during the development of applications for mobile and IoT devices? Very familiar Familiar Somewhat familiar No knowledge (Stop) Total Pct% 45% 40% 15% 0% 100% Part 2. General Questions Q1. What best describes your organization’s role in development of mobile apps? Mostly a user of mobile apps Mostly a developer/manufacturer of mobile apps Both user and developer of mobile apps None of the above (stop) Total Pct% 44% 27% 29% 0% 100% Q2. What best describes your organization’s role in development of IoT devices? Mostly a user of IoT devices Mostly a developer/manufacturer of IoT devices Both user and developer/manufacturer of IoT devices None of the above (stop) Total Pct% 48% 21% 31% 0% 100% Q3. How concerned are you about the use of insecure mobile applications in the workplace? 1 or 2 (Not concerned) 3 or 4 5 or 6 7 or 8 9 or 10 (Very concerned) Total Extrapolated value Ponemon Institute Research Report Pct% 100.0% 4.0% 0.4% 3.6% Pct% 6% 11% 19% 35% 29% 100% 6.90 Page 19

Q4. How concerned are you about the use of insecure IoT apps in the workplace? 1 or 2 (Not concerned) 3 or 4 5 or 6 7 or 8 9 or 10 (Very concerned) Total Extrapolated value Pct% 7% 8% 15% 30% 40% 100% 7.26 Q5. How confident are you that your organization knows all the mobile applications used by employees in the workplace? Very confident Confident Not confident No confidence Total Pct% 16% 21% 30% 33% 100% Q6. How confident are you that your organization knows all the IoT apps used by employees in the workplace? Very confident Confident Not confident No confidence Total Pct% 11% 14% 38% 37% 100% Q7a. Has your organization experienced a material data breach or cyber attack over the past 12 months that was caused by an insecure mobile app? Yes, known with certainty Yes, most likely Yes, likely No, not likely Total Pct% 11% 15% 34% 40% 100% Q7b. Has your organization experienced a material data breach or cyber attack over the past 12 months that was caused by an insecure IoT app? Yes, known with certainty Yes, most likely Yes, likely No, not likely Total Q8. What best describes the types of mobile platforms supported by your organization today for accessing or developing business apps? Please select all that apply. iOS Android Windows Blackberry Other (please specify) Total Ponemon Institute Research Report Pct% 4% 11% 31% 54% 100% Pct% 58% 60% 43% 8% 0% 169% Page 20

Q9a. How concerned is your organization about getting hacked through a mobile app? Very concerned Concerned Somewhat concerned Not concerned Total Pct% 28% 25% 13% 34% 100% Q9b. How concerned is your organization about getting hacked through an IoT app? Very concerned Concerned Somewhat concerned Not c

The use of mobile and IoT apps are threats to a strong security posture. As shown in Figure 4, 79 percent of respondents say the use of mobile apps and 75 percent of respondents say the use of IoT apps increases security risk very significantly or significantly. Figure 4. The use of mobile and IoT apps significantly increases security risks