As the shift from desktop web applications to mobile apps approaches warp speed, the security measures taken by businesses to protect their proprietary data must expand beyond traditional network protection to secure consumer mobile apps and their data.
There are many attack vectors that can compromise mobile app data. Not least among them are attacks on data-at-rest: the files, databases, caches and preferences an app stores on the device itself. Data-at-rest vulnerabilities are on the rise for two primary reasons. The first is the relative lack of awareness of the problem at hand, and the second is the corresponding lack of protective measures being taken.
Much is at stake, including consumer confidence, retention, brand reputation, and public credibility, not to mention the negative impact on revenue resulting from loss of customers – and the fraud itself.
Data-at-Rest Theft: App Owners & Consumers
Security breaches exploiting data-at-rest vulnerabilities can have serious consequences for everyone involved. According to a 2015 Gartner analyst report, 75% of mobile applications fail data-at-rest and other basic security criteria. With so much on the line, it’s surprising how few organizations are aware of data-at-rest vulnerabilities and the available solutions.
Some solutions entail significant project resources and deep SDK integration requiring months of development time. These solutions aim to deliver defense-sector-grade security.
By contrast, Appdome’s Fusion offers plug-and-play implementation at the architecture level. Applying this security technology requires little effort, can be done post-development, and keeps time-to-market short. Such solutions add security layers that mitigate data-at-rest vulnerabilities and other common attack vectors, and are the best fit for consumer-facing applications.
Below are a few examples of industries that are particularly at risk from data-at-rest vulnerabilities:
Who’s Responsible for Data-at-Rest Breaches?
When a data-at-rest breach occurs, the assignment of blame is sure to follow. It’s important to define who will ultimately be held responsible and bear the consequences of any such attack.
Who Does the Government Hold Responsible?
Federal, state and local governments have created laws requiring enterprises to protect data. If a breach occurs, companies must document that they’ve implemented best practices that comply with accepted industry standards to protect consumer data.
Furthermore, companies within industries governed by specific rules, such as financial institutions operating under FDIC regulations or healthcare organizations governed by HIPAA, and all personal data-collecting companies subject to accepted ISO standards, must prove compliance.
Beyond demonstrating compliance, the breached company is generally obligated to notify customers of the security issue and of the specific data that was compromised, as well as to take steps to minimize the exposure and fix the breach. Compensation to consumers might entail refunding lost funds, offering victims free credit reports, or other benefits over a specified period of time.
Who Do Customers Hold Responsible?
Regardless of the legal consequences of a breach, far more damaging are the consequences to a brand’s standing in the eyes of consumers. When companies are forced to admit they were victims of a security breach, their reputations can take a serious hit.
Customers lose trust, brand reputation and loyalty suffer, and the ability to attract new customers is significantly impacted. Revenue follows, which in the case of publicly traded companies can lead to a drop in share prices.
Why Current “Security Best Practices” Just Aren’t Enough
All too many mobile application developers fail to use even the most basic encryption to protect their apps’ data-at-rest, and this needs to change. Businesses with consumer-facing apps need to insist that their developers encrypt all data-at-rest.
Following this basic rule offers a passable level of protection if a device or backup is compromised. However, encryption on its own isn’t sufficient. If the key is hardcoded in the app package or written to the same storage as the ciphertext, experienced attackers have the will and the means to recover it and decrypt everything the app ever stored. The key has to live somewhere the app can use it but a person holding a copy of the app cannot read it, such as a hardware-backed platform keystore, and even then the app’s own decryption path remains exposed to an attacker who controls the device at runtime.
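The two patterns side by side on Android, as an added illustration that is not code from the original post or from Appdome. The first helper ships the AES key inside the APK, which is the situation the paragraph above warns about; the second generates the key inside the Android Keystore so that it is usable by the app but never exportable, binds it to recent lock-screen authentication, and checks that it actually landed in secure hardware. The key alias, the 30-second authentication window, the StrongBox-first policy and the placeholder key bytes are assumptions made for this example; the Keystore calls require API level 30 or higher as written (API 31 for the security-level query, with the older check as fallback).

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class LocalStoreCrypto {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "local_store_key";   // hypothetical alias
    private static final String TRANSFORM = "AES/GCM/NoPadding";
    private static final int TAG_BITS = 128;

    // ---- VULNERABLE: key shipped inside the APK ---------------------------
    // Constructed placeholder. Anyone who unzips the APK and runs `strings`
    // or a DEX disassembler recovers these 32 bytes, and with them every
    // record the app has ever encrypted, on every install.
    private static final byte[] HARDCODED_KEY =
            "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    static byte[] encryptWithEmbeddedKey(byte[] plaintext) throws Exception {
        return seal(new SecretKeySpec(HARDCODED_KEY, "AES"), plaintext);
    }

    // ---- HARDENED: key generated and held by the Android Keystore ---------
    // The raw key bytes never enter app memory; the app only gets a handle.
    static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        SecretKey existing = (SecretKey) ks.getKey(ALIAS, null);
        if (existing != null) return existing;

        KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            // Key is unusable until the user has unlocked the device within
            // the last 30 seconds (biometric or device credential). API 30+.
            .setUserAuthenticationRequired(true)
            .setUserAuthenticationParameters(30,
                KeyProperties.AUTH_DEVICE_CREDENTIAL | KeyProperties.AUTH_BIOMETRIC_STRONG);

        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        try {
            // Prefer the dedicated secure element; fall back to the TEE if
            // this device has none. Policy choice assumed for the example.
            kg.init(spec.setIsStrongBoxBacked(true).build());
            return kg.generateKey();
        } catch (StrongBoxUnavailableException e) {
            kg.init(spec.setIsStrongBoxBacked(false).build());
            return kg.generateKey();
        }
    }

    // Verify where the key actually lives; a software-only Keystore on an
    // old or odd device gives none of the protection argued for above.
    static boolean isHardwareBacked(SecretKey key) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance(key.getAlgorithm(), KEYSTORE);
        KeyInfo info = (KeyInfo) f.getKeySpec(key, KeyInfo.class);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            int level = info.getSecurityLevel();
            return level == KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT
                || level == KeyProperties.SECURITY_LEVEL_STRONGBOX
                || level == KeyProperties.SECURITY_LEVEL_UNKNOWN_SECURE;
        }
        return info.isInsideSecureHardware();
    }

    // Output layout: [iv length][iv][ciphertext || GCM tag].
    static byte[] seal(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, key);        // provider picks a fresh random IV
        byte[] iv = c.getIV();
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(1 + iv.length + ct.length)
                .put((byte) iv.length).put(iv).put(ct).array();
    }

    static byte[] open(SecretKey key, byte[] blob) throws Exception {
        ByteBuffer in = ByteBuffer.wrap(blob);
        byte[] iv = new byte[in.get() & 0xff];
        in.get(iv);
        byte[] ct = new byte[in.remaining()];
        in.get(ct);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return c.doFinal(ct);                    // AEADBadTagException if tampered
    }
}
```

With the Keystore-held key, someone who pulls the APK and the app’s data directory from a lost phone or a backup gets ciphertext and nothing to decrypt it with; with `HARDCODED_KEY` they get both. What the Keystore does not stop is an attacker who controls the device at runtime and simply calls `open()` through the app’s own code on a rooted or instrumented handset, which is why the post’s point about layers beyond encryption still applies.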
We’re reaching the point where businesses, especially ones within the finance and healthcare verticals, need to proactively use next-generation cyber-security measures, in addition to encryption, to protect their consumer data responsibly.
In many cases, behavioral analysis and application security testing can help enterprise development teams find and resolve potential issues prior to release. Tools that monitor app data leakage can help companies identify leakage points and proactively control damage as it occurs, while solutions such as Appdome’s Fusion can stop such attacks before they ever happen.
The online consumer landscape has shifted, and is now being driven by mobile channels. In this new mobile frontier, baseline encryption and security standards built to address the static online ecosystem do not adequately secure data. Enterprises must do more if they hope to thwart the increasingly sophisticated attacks targeting data-at-rest vulnerabilities and keep the trust of their valued customers.