HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

IoT and Mobile Application Vulnerabilities Not Being Adequately Addressed

Organizations around the world are taking advantage of IoT and mobile applications to improve efficiency, yet too little is being done to ensure the applications are secure. A key lesson from a recent Ponemon Institute survey is that application usability, and not just data security, should always be factored into application development and cloud cost management, or users will resist security measures and find workarounds.

Organizations can benefit greatly from IoT and mobile technology, yet it is all too easy for major security risks to be introduced. Hackers are well aware of vulnerabilities in mobile and IoT applications and leverage those vulnerabilities to gain access to networks and sensitive data.

IoT infrastructure is vulnerable to attack, although the greatest risks are introduced by embedded software in gateways and the cloud. Many IT security practitioners are well aware of the security risks that can potentially be introduced, yet according to a recent survey conducted by the Ponemon Institute, little is being done to mitigate risk.

593 IT and IT security professionals were surveyed for the Arxan/IBM Security-sponsored survey, which set out to discover how companies are mitigating risk from mobile apps and IoT applications. The results of the survey are alarming. 8 out of 10 respondents said that while IoT applications are in use, their organization does not test them for security vulnerabilities. 71% of respondents said they use mobile applications that have not been subjected to vulnerability testing.

IT security professionals are aware of the risks and are concerned that vulnerabilities will be exploited. 58% of respondents said they were concerned that vulnerabilities in IoT apps would be exploited by hackers, while 53% expressed concern that mobile applications would be hacked. 75% of respondents said IoT apps increase security risk very significantly or significantly.

Malware is also a major worry. A lack of protection against mobile malware was seen as a problem by 84% of respondents, while 66% were concerned about the malware threat to IoT applications.

Part of the problem is a lack of understanding about how IoT and mobile applications should be tested. 55% of respondents said they lacked QA and testing methods for IoT applications.

In many cases, IT security professionals are unsure about how many apps are actually in use. 63% of respondents were not confident that they were aware of the mobile apps that were being used by employees, and 75% were unsure that they were aware of all the IoT apps that were being used.

The data security risks are very real. 60% of individuals surveyed claimed their organization had experienced a data breach or security issue as a result of a mobile app.

Even though there are known risks, 44% of respondents said their organization was not taking any steps to prevent an attack. Protecting these apps is simply not a priority at many organizations. Only 32% of respondents said their organization wanted to urgently secure mobile apps, while 42% said they wanted to urgently secure IoT apps. Budgetary restrictions were seen as the main problem by 30% of respondents.

Larry Ponemon, chairman and co-founder of the Ponemon Institute, said “Without proper budget or oversight, these threats aren’t being taken seriously and it should come as no surprise for mobile and IoT applications to be the culprit of major data breaches to come.”

Organizational Complexity is Hindering Cybersecurity Efforts

The results of a separate study published earlier this month by the Ponemon Institute revealed that the biggest barrier preventing adequate cybersecurity defenses from being implemented is organizational complexity.

The global Citrix-sponsored study was conducted on 4,200 IT security practitioners from Australia, Brazil, Canada, China, Germany, France, India, Japan, Korea, Mexico, New Zealand, the Netherlands, United Arab Emirates, the United Kingdom and the United States.

The survey revealed that 79% of respondents were worried about data breaches involving high-value, sensitive information. 71% of respondents said their organization is at risk because they are unable to effectively control employee devices and apps. 74% of respondents said their organization requires a new IT security framework if they are to successfully manage risk and improve their security posture.

The biggest barrier preventing businesses from improving their security posture was organizational complexity. 83% of respondents said organizational complexities were hampering cybersecurity efforts. Corporate security policies are being ignored because they hinder employees and prevent them from working in their preferred manner. All too often, security policies have a considerable negative impact on productivity.

As employees try to get more work done, they turn to workarounds such as shadow IT, and data are being stored on personal devices to speed up access. 87% of respondents said information is being placed at risk as a result of an increase in data assets.

Larry Ponemon said “The research reveals respondents’ awareness of the need to challenge the status quo of their IT security strategies and consider a new IT security architecture to safeguard their organizations from cyber risks.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.