When it comes to Internet of Things app security, many enterprises are like deer caught in the headlights. They know something bad is going to happen if they don’t make a move.
When IoT apps fail to properly protect the data and devices they work with, the damage can range from a breach of private personal information, for example in the case of wearables, to sabotage of large systems and machines, such as production lines and power-generating turbines. Yet enterprises seem paralyzed by doubt, ignorance, and the frantic frequency of new app releases.
The gap between realizing there is a problem and doing something about it is wide. Consider the following figures from a recent Ponemon Institute survey of almost 600 IT and IT security practitioners. 75 percent of survey respondents agreed that IoT apps significantly increase security risks. 59 percent were worried their companies would be hacked through an IoT app they used with IoT devices. Yet 44 percent admitted their organization was doing nothing to address IoT app security.
One of the underlying problems is organizational. Responsibility for IoT app security is often not assigned to the company’s security department or CISO, but handed off to application development or product engineering, for example. Coupled with the novelty of IoT-connected devices and a perceived lack of security standards and best practices, this can push IoT app security into the background. The Ponemon survey report also indicates that 63 percent of survey respondents had little or no knowledge of the number or type of IoT apps and mobile apps in use in their own organizations.
Another major problem is the rapid pace of app releases, which also leads to an unacceptably high level of vulnerability. 75 percent of the survey respondents pointed an accusing finger at the app development teams for leaving security flaws and weaknesses in their IoT app code. 65 percent agreed that while unforeseen or accidental coding errors caused vulnerabilities in the code, a general lack of coherent internal policies spelling out security requirements amplified the negative impact on application security.
Drilling down into the rest of the survey statistics, Ponemon stated that 58 percent of respondents said their organizations were likely to wait until their IoT apps were in production before getting to grips with app security testing. Worse still, only 29 percent of all IoT apps and mobile apps were tested for vulnerabilities at all, and on average 30 percent of mobile apps and 38 percent of IoT apps contained serious vulnerabilities.
This situation can, however, be corrected via the security testing solutions AppInterrogator and Recon, already available for IoT devices such as Apple TV and Apple Watch. The “In or Out” criterion offered by Mi3 Security is a robust, simple, yet highly effective way of determining if an app makes the security grade. Better still, it can be easily and rapidly applied at all stages during development, helping teams to repair code sooner and avoid costs that can escalate dramatically once in production.
The disconnect that currently exists between companies and their IoT app security is not inevitable. Neither does security testing need to slow down operations. Hopefully, future Ponemon surveys will show that companies have started taking these messages to heart and giving IoT app security the attention and the action it needs.