SecurityWeek

Mobile & Wireless

Mobile Apps Are Replacing the Web – Is Your Enterprise Ready?

We know mobile is quickly changing the way we do business, and now it is also beginning to replace the web. A recent Gartner study shows that 86 percent of users are now using mobile apps, compared with the 14 percent still using mobile browsers. The trajectory is clearly shifting from web to mobile, and as CISOs we need to reevaluate whether we are ready to properly secure mobile applications against threats.

A recent study showed that this year mobile users surpassed desktop users. The “mobile first” trend has finally arrived, and it is arriving at full force.

Whether we like it or not, BYOD is here and is being adopted in most organizations. As security practitioners, we have been looking the other way on mobile threats, focusing on device management while still getting our heads around the BYOD concept.

[Image: Enterprise Mobile Threats]

Organizations have hundreds, even thousands, of devices (both corporate-owned and BYOD) in daily use. Employees download both third-party and internal apps and use them to access corporate data, which leaves that data at risk.

Now we are in a position where we have to catch up and address the application-level threats that persist in mobile. This is not uncharted territory; the same thing happened with web apps. We were so focused on firewalls and server patching that we started putting sensitive data into insecure applications, and it then took us days, even weeks, to protect the data in compromised apps.

Mobile is now experiencing the same problem. Developers are creating apps and hoping they are secure, but they cannot be certain that the data and assets in those apps are actually protected. Gartner reports that by 2015, 75 percent of mobile apps will fail basic security tests.

This shift to mobile exposes a major fault that must be addressed: security practices have to cover mobile threats as well. We must wrap our security development life cycle around mobile development to ensure we are protecting corporate data.

Everyone likes to think this is someone else’s problem, and none of us wants to be the first. Unfortunately, we are already seeing breaches at companies like Walgreens, eHarmony, Fandango, Delta, Walmart, Facebook, Match.com and more. A quick Google search of security breaches within the past nine months shows that all of these enterprises have had mobile security issues.

The companies responded appropriately and quickly to contain the damage, but we can all learn from their mistakes. This is no longer a hypothetical situation; mobile security is a real problem with real consequences for both individuals and organizations, and sophisticated criminal organizations are making huge profits from mobile attacks. Eurograbber, for example, managed to steal $47 million through mobile attacks.

What can you do to protect your organization from being vulnerable during the transition to mobile? Below are a few suggestions.

First, get involved. Become part of the mobile development life cycle, just as you are involved in application security projects. The first step is always to know which apps your organization is developing and what risk those apps pose. As your organization changes and becomes more efficient, are employees using different apps? Know your users.

Second, implement best practices for your organization. Following the OWASP Mobile Top 10 risks and the remediation guidance for each is a great start; it covers everything from data encryption to preventing man-in-the-middle attacks to client-side injection.

Lastly, ensure your third-party apps are secure and, as Gartner recommends, implement RASP (runtime application self-protection).
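Client-side injection, one of the OWASP Mobile Top 10 risks mentioned above, is easy to introduce in an app’s local SQLite cache and just as easy to prevent. The example below is added here to illustrate that point; it is not code from the article or from any of the companies named. It uses Python’s standard sqlite3 module with a constructed in-memory database (the tables, users and token values are made up) and shows the vulnerable string-built query beside the parameterized form. The same pattern applies in a real app: Android’s SQLiteDatabase.rawQuery(sql, selectionArgs) and iOS’s sqlite3_bind_* calls are the bound-parameter equivalents of the safe function.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for an app's local cache (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE notes  (id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
        CREATE TABLE tokens (user TEXT, oauth_token TEXT);
        INSERT INTO notes (owner, body) VALUES
            ('alice', 'Q3 forecast draft'),
            ('bob',   'Merger memo - do not share');
        INSERT INTO tokens VALUES ('alice', 'tok-alice-1'), ('bob', 'tok-bob-2');
        """
    )
    return conn


def notes_for_vulnerable(conn, owner):
    """Vulnerable: the caller-controlled value is spliced into the SQL text,
    so quote characters in it are parsed as SQL."""
    sql = f"SELECT owner, body FROM notes WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def notes_for_safe(conn, owner):
    """Hardened: the value is sent as a bound parameter and can never become SQL."""
    return conn.execute(
        "SELECT owner, body FROM notes WHERE owner = ?", (owner,)
    ).fetchall()


# Two constructed attacker inputs, e.g. typed into a search field or a deep link.
TAUTOLOGY = "' OR '1'='1"                                  # read every user's notes
UNION_EXFIL = "x' UNION SELECT user, oauth_token FROM tokens --"  # dump another table


def demo():
    """Run both inputs through both functions and return the outcomes."""
    conn = build_db()
    return {
        "legit_vulnerable": notes_for_vulnerable(conn, "alice"),
        "legit_safe": notes_for_safe(conn, "alice"),
        "tautology_vulnerable": notes_for_vulnerable(conn, TAUTOLOGY),
        "tautology_safe": notes_for_safe(conn, TAUTOLOGY),
        "union_vulnerable": set(notes_for_vulnerable(conn, UNION_EXFIL)),
        "union_safe": notes_for_safe(conn, UNION_EXFIL),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22} -> {rows}")
```

With the tautology input the vulnerable query returns both users’ notes; with the UNION input it returns the contents of the unrelated tokens table. The parameterized query returns nothing for either, because SQLite looks for an owner whose name is literally the attack string.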

Although the shift to mobile is happening quickly, we don’t have to be the victim of another mobile attack. As CISOs, we can keep our organization’s data protected by staying ahead of the mobile curve and making mobile security a priority for both IT and the business.
