Mobile Apps Need Better Security

By Karen A. Frenkel  |  Posted 11-22-2013
According to a new report by Forrester Research, mobile security risk is moving to apps, mimicking the traditional computing space, in which security and risk professionals first targeted networks and devices and then progressed to applications. The report cites three reasons for directing security effort at apps.

First, security and risk professionals have little control over mobile networks, devices and operating systems. Operating system vulnerabilities show no correlation with the number of threats against them, Forrester reports, citing the "Symantec Internet Security Threat Report 2013." The top layer of the mobile security stack, the application, is therefore the primary point of risk.

Second, employees use multiple personal devices at the office, at home and while travelling to view private and strategic corporate data.

Third, mobile apps are updated more frequently than traditional PC applications, making it hard for security and risk personnel to keep up with the rapid pace of expansion.

The report, which is based on responses from 692 IT security decision-makers from over 60 companies with $50 million in revenues, offers recommendations for how enterprises can best secure mobile apps.

  • Employees Easily Access Sensitive Data via Tablets

    13% have access to customer data, 13% to contracts, invoices and customer orders, and 12% to customer service data and account numbers.
  • Employees Easily Access Sensitive Data With Smartphones

    8% access company data, 5% access contracts, invoices and customer orders, and 5% access customer service data.
  • How Concerned Are IT Pros About Mobile Malware?

    60% of those surveyed say they are quite concerned and 23% are somewhat concerned.
  • Levels of Maturity for Mobile App Security

    Forrester finds three levels of mobile security maturity among enterprises. Those at Level 1 assess mobile app security manually, use no formal testing and have no application acceptance criteria.
  • Ad Hoc Mobile App Testing

    60% of respondents say they only manually assess mobile apps for security and privacy issues, which can result in inconsistencies, according to Forrester.
  • Level 1 Mobile Security and Antivirus Software

    One in 26 believes antivirus software is sufficient to secure their mobile environment; Forrester says it is not effective, just as it was not in the traditional PC space.
  • Level 2 Mobile Security

    Enterprises at Level 2 use automated tools to create a security baseline for all layers of mobile security, along with control-point technologies such as mobile device management and enterprise app stores, but they are unlikely to have deployed these systematically beyond pilots.
  • BYOA and BYOD Tolerance

    Only 25% of respondents use formal application acceptance criteria.
  • Level 2 Is Reactive, Not Proactive

    Vetting the security of apps is labor-intensive, so the number approved is typically low. Coupled with the frequent release of new mobile apps, enterprise vetting is reactive instead of proactive.
  • Level 3 App Security Is Still Immature

    Technologies for a Level 3 security program are primitive, and human processes are still required.
  • Successful Level 3 App Security Requires:

    Segmenting the user base, deploying an enterprise mobile control point, defining app acceptance criteria, and combining automated tools with manual assessment to keep up with app turnover.
  • Recommendations

    Understand your enterprise's risk tolerance level. Work with others to define an acceptable risk level. Segment employees into groups based on their own and the enterprise's risk tolerance level. Formalize app vetting requirements and policies for each segment.
Karen A. Frenkel writes about technology and science, innovation, and entrepreneurs and lives in New York City.