By Sanjai Gangadharan
There’s no doubt that applications are integral to our work and personal lives. They help us get things done. Without them, many of us feel discomfort.
But our behavior and attitude toward apps could have even bigger consequences – they could be damaging to corporate security and reputation and put companies at risk.
When we say application, we don’t just mean the apps on smartphones, laptops and other connected devices. The term applies to many types of software, services, tools and clients across a wide range of platforms, such as Internet of Things (IoT) devices, vehicles, appliances, electronics and more.
Think about it: how many times have you used a personal app on the corporate network? How frequently have you used a work app on your home network? Probably more than you can count.
Now, add to that the lack of awareness or perceived security of those applications, and you’re treading in dangerous water. Perceptions can be misperceptions, and misperceptions create security problems.
That was one of the drivers behind A10’s Application Intelligence Report (AIR), a global research survey that examines people’s behavior with applications and the impact that can have on corporate security and culture.
Startlingly, the AIR survey uncovered that many respondents, both knowingly and unknowingly, participate in dicey or sometimes downright negligent behaviors that could put their companies at risk of a major security threat or a crippling breach.
How secure are IoT devices?
For example, AIR survey respondents rank laptops as the most vulnerable type of device, more so than smartphones and even more so than Internet of Things (IoT) devices like surveillance cameras, smart TVs and Internet-enabled cars.
This misperception creates a frightening paradigm as the recent rash of DDoS attacks leveraging IoT devices has paved the way for the DDoS of Things. For example, the Mirai malware was used to launch a botnet that caused a 1 Tbps DDoS attack – the largest on record – by hacking 500,000 webcams.
The perception that IoT devices – many of which can be found on company property connected to corporate networks – are more secure than laptops and smartphones shows a lack of awareness. It’s up to IT and security teams to educate their workforces and implement the proper security solutions to ensure IoT devices don’t open any security holes within their environments.
App security doesn’t get a second thought
The AIR survey also revealed that four out of five (83 percent) respondents only think about the potential security risk when they first download an app, but after that initial download security is less of a thought or priority. And nearly one in five says they do not think security is a concern at all when downloading apps.
Roughly one in three respondents think about security when it comes to using personal apps, while security is even less of a thought when using business apps, with only one in five citing security as a top thought while using them.
Ease of use, performance beat security
According to AIR, only one in four (24 percent) respondents think of security as the most important attribute of an app, behind performance (32 percent) and ease of use (24 percent). Only user interface ranks less important than security.
For IT, that cavalier attitude toward security shows that people are willing to accept the risk in deference to performance and ease of use, opening a door for potential attackers. If people are using personal or work apps with weak security, those apps can become points of entry for threat actors.
Whose job is app security?
The AIR survey uncovered a disparity around who is responsible for securing applications.
More than two out of five, or 43 percent, of respondents don’t believe security is a top priority for app developers. Meanwhile, only half of respondents believe their company’s app developers have the skills to build safe and secure applications.
And even though most think app developers don’t prioritize security, they download the apps anyway. Nearly half, or 47 percent, of respondents expect to be protected against cyberattacks by either their company or third-party app developers.
Being hacked is expected
Respondents to the AIR survey are somewhat nonchalant about the possibility of being hacked. One in three says they feel cyberattacks are “a fact of life,” while one in five says they “just try not to think about it.”
Three out of five, or 59 percent, say having their mobile device hacked or personal information stolen is more likely to happen than having their car or home broken into.
One in five, or 20 percent, of global respondents have had their mobile device or computer hacked. However, one in three respondents under 30, or 31 percent, has been hacked, while only one in 10 of those in their 50s, or 11 percent, claim to be a hacking victim.
And nearly one in five respondents between ages 21 and 30 says they’ve had their identity stolen.
But these high hacking rates aren’t prompting respondents to use caution.
In fact, according to AIR, users are careless with their devices. One in three, or 34 percent, of respondents under 30 says they have lost their mobile device or computer, and one in four, or 24 percent, of that same age group has had their mobile device stolen at one time.
On top of that, AIR results show that respondents use sloppy password practices. For example, fewer than one in five respondents, or 17 percent, say they use a different password for every app, while 11 percent of respondents note they never change their passwords for mobile apps and three out of 10, or 29 percent, say they use the same password for the majority of their apps.
Lack of attention to security, especially regarding applications that often hold sensitive personal and business information, can introduce threats.
IT organizations can use this data to identify potential vulnerabilities these behaviors are introducing within their organizations and make better business and security decisions to protect users. IT can leverage this data in their security planning and justify the implementation of tighter security controls across their application environments by improving per-app visibility and analytics and removing security blind spots.
The author is Regional Director SAARC, A10 Networks.