After high profile data breaches including the Sony hack last year, more companies are on higher alert. But cybercrime is an ever-evolving problem, and thieves are now focused on a new target—vulnerable mobile apps.
For many businesses, reaching customers or managing a vast swath of employees means developing and launching apps for public consumers or in-house workers. But nearly 40 percent of larger U.S. companies are not scanning new mobile apps for potential vulnerabilities and are simply releasing the applications, according to a cybersecurity study released Thursday.
The results are based on a survey of U.S. information technology security professionals, and was conducted by IBM and the Ponemon Institute, a Michigan-based research center on privacy, data protection and information security policy. The institute sent the survey to nearly 20,000 IT professionals in January and got 640 responses.
"Highlighted [in the study] are real challenges with mobile apps," said Caleb Barlow, IBM's vice president of mobile management and security.
Adding to the potential dangers of unscanned mobile applications, cybercriminals and hackers are increasingly targeting physical mobile devices in the same way they've hacked laptop and desktop computers. This combination of criminals targeting mobile hardware and often unscanned apps is creating a possible recipe for more data disasters.
About 61 percent of IT professionals surveyed in the study also anticipated the number of malware-infected mobile apps and devices will increase over the next year. And only 29 percent of respondents said their business has enough resources to prevent the use of vulnerable or malware infected applications.
Contributing to the complexity of the data risks, roughly 66 percent of respondents said company employees are heavy or very heavy users of mobile apps. The IT professionals surveyed came from many sectors, from financial services to retail.
The new cybersecurity study did not call out specific company names.
The average cost of a data breach was around $3.5 million for global companies, and about $5.85 million for U.S.-based businesses, according to separate Ponemon-IBM research released in May. "There are headlines almost every day on data breaches. ... You'd think there would be more pressure [on companies]," said Larry Ponemon, chairman and founder of the Ponemon Institute.
For cybersecurity professionals, the race is on to protect mobile networks.
As mobile usage has soared among consumers, so has malware or malicious software, said Michael Shaulov, chief executive and co-founder of Lacoon Mobile Security. The San Francisco-based company offers products and services that help businesses manage cyberrisks including "BYOD" or "bring your own device." Partly due to convenience and cost savings, many workers are using private mobile devices to conduct business, making data security even trickier to lock down.
According to separate research released in February, Lacoon sampled thousands of company mobile devices and found that a mere 0.21 percent of devices at large companies were infected with malware. While the percentage seems small, Shaulov said hackers only need to latch onto one or two devices to gain a treasure trove of information, such as network credentials, emails, calendars and contacts.
IBM's Barlow compared the possibility of accessing business data from mobile devices to "shooting fish in a barrel."
Even worse, Shaulov said cybercriminals can use mobile devices to access corporate and personal data that might otherwise be secured on traditional desktop computers. For example, a breached mobile device or mobile app includes coveted information and assets including GPS location data, a microphone and camera. As an example, a thief-controlled mobile phone microphone could hypothetically record remote business meetings without the company's knowledge.
And if mobile spying doesn't work, there's the old ransom trick.
Another growing mobile cyberthreat is ransomware, a type of malware that locks access to key user files unless the victim pays off the thieves, said Armando Orozco, senior malware intelligence analyst at Malwarebytes, a San Jose, California-based cybersecurity firm.
Shaulov said the same cybergangs that have been using ransomware on computers are now targeting mobile devices. Cyberthieves are getting so brazen that they can even remotely change the background on someone's phone to a note demanding money or can unlock your files or pictures, promiscuous or otherwise.
With so many more data risks, a key question remains why the heightened risk among mobile apps in particular.
The Ponemon study found two key reasons for lack of attention to mobile app security. First, the pressure to get applications to consumers as quickly as possible and second, limited security budgets.
With a tech boom in full swing, there's a rush to launch apps and about 77 percent of IT professionals surveyed said the pressure to release a mobile application quickly prevents needed security testing.
When computer software was first invented years ago, developers used to conduct extensive testing to ensure security and quality, said Larry Ponemon. He called this rush to market "security by the seat of the pants."
And while the average budget to develop a mobile app is about $33.8 million, an average of 5.5 percent of that budget or $1.9 million is allocated to security, according to the new study. Half of those studied said their company allot no part of their mobile development budget to security.
Despite the many mobile risks, there are measures businesses can take to protect their networks.
First, develop a company-wide policy on mobile apps. Only 55 percent of survey respondents said their organization has a policy on mobile applications among workers.
Be mindful of mixing personal and professional work on smartphones. About 39 percent of survey respondents said their companies allow employees to download personal mobile apps onto company-issued devices. Plus, 55 percent said their companies let employees download business mobile apps onto personal devices.
"If you connect that mobile app to your corporate network, it creates another method of access for malicious actors. Not good," said Joseph Loomis, the founder and CEO at CyberSponse, a Scottsdale, Ariz.-based cybersecurity company.
Companies should consider in-house mobile app stores for employees to use. So instead of going to public app platforms, workers select from a menu of secured digital apps. Not surprisingly, only 30 percent of respondents said they have access to company app stores. But even with the luxury of an exclusive app store, about 67 percent surveyed said employees can still download mobile apps from other sources.
There are also software options that separate personal data and company information on mobile devices, said IBM's Barlow. So if there's a data breach, the damage can quickly be contained and it's not a massive data wipe.
The final solution is education. Larry Ponemon advises companies educate employees so they understand the risks associated with mobile apps.
Barlow said if companies don't begin to better protect their mobile devices, more organized cybercriminals can "gather vast fortunes."