Mobile & Wireless

Mobile Apps Are Replacing the Web – Is Your Enterprise Ready?

We know mobile is quickly changing the way we do business, and now it’s also beginning to replace the web. A recent Gartner study shows that 86 percent of users are now using mobile apps compared to the 14 percent still using mobile browsers. The trajectory is very clearly shifting from web to mobile, and as CISOs we really need to reevaluate whether we are ready to properly secure and protect mobile applications from threats.

A recent study showed that this year, mobile users actually surpassed desktop users. The “mobile first” trend has finally arrived and it’s coming in at full force.

Whether we like it or not, BYOD is here and being adopted in most organizations. As security practitioners, we’ve been looking the other way when it comes to mobile threats and focusing on device management, while still trying to get our heads wrapped around the BYOD concept.

[Image: Enterprise Mobile Threats]

Organizations have hundreds – even thousands – of devices (both corporate-owned and BYOD) being utilized daily. Employees download both third-party and internal apps, and access corporate data with them, leaving corporate data at risk.

Now, we are in a situation where we have to catch up and address the application-level threats that persist in mobile. This is not uncharted territory though; this has happened before in web apps. We were so focused on firewalls and server patching that we started putting sensitive data in insecure apps. It was taking us days, even weeks, to protect the data in compromised apps.

Mobile is now experiencing the same problem. Developers are creating apps and hoping they are secure, but they can’t be certain that the sensitive assets those apps handle are actually protected. Gartner reports that by 2015, 75 percent of mobile apps will fail basic security tests.

This shift to mobile exposes a major fault that needs to be addressed and security practices must address mobile threats as well. We must wrap our security development life cycle around mobile development to ensure we are protecting corporate data.

Everyone likes to think this is someone else’s problem, and none of us wants to be the first. Unfortunately, we are already seeing breaches at companies like Walgreens, eHarmony, Fandango, Delta, Walmart, Facebook, Match.com and more. A quick Google search of security breaches within the past nine months shows that every one of these enterprises has had mobile security issues.

The companies responded appropriately and quickly to the attacks in order to contain the damage. However, we can all learn from their mistakes. This is no longer a hypothetical situation; mobile security is a real problem with real consequences for both individuals and organizations. We are seeing sophisticated organizations making huge profits off of mobile attacks. For example, Eurograbber managed to acquire $47 million through mobile attacks.

What can you do to protect your organization from being vulnerable to a threat during the transition to mobile? Below are a few suggestions.

First, get involved. Become part of the mobile development life cycle, just as much as you’re involved with application security projects. The first step is always to be aware of what apps your organization is developing and what risk those apps pose. As your organization changes and becomes more efficient, are employees utilizing different apps? Know your users.

Secondly, implement best practices for your organization. Following OWASP’s Top 10 Mobile Risks and the remediations for those risks is a great start. This covers everything from data encryption to preventing man-in-the-middle attacks to client-side injection.

Lastly, ensure your third-party apps are secure and, as Gartner recommended, implement RASP (Run Time App Security Protection).

Although the shift to mobile is happening quickly, we don’t have to be a victim of another mobile attack. As CISOs, we can keep our organization’s data protected by staying ahead of the mobile curve and making mobile security a priority for both IT and the organization.
