Mobile security strategy is now a routine part of boardroom discussions, and every CIO must be prepared to answer such questions. When you are called in to give an account of what happened after a breach, how will you defend your mobile app security strategy? How will you react if a Director in the back pulls out a Kaspersky report and remarks: “This data shows that over the past two years, a group of cybercriminals stole $1 billion from financial institutions worldwide. What are we doing to protect our customers?”
The Defensive Approach
In the world of mobile security, when a breach occurs, there are numerous places to assign blame:
- Consumers are always using their devices on unsafe WiFi networks, leaving them constantly exposed to credential theft.
- Consumers are always letting their devices get infected – 291,800 new mobile malware programs were found in Q2 of 2015 alone.
- Mobile users don’t keep their devices and apps updated, so known vulnerabilities stay unpatched.
- Hackers can steal data residing on the device itself – not through any fault of the company’s mobile app.
And the list goes on and on. Unlike an enterprise application, which is often deployed in a known corporate infrastructure, consumer apps are frequently used in unknown environments.
The Offensive Approach
CIOs with a comprehensive mobile security strategy have a different answer when they face the Board:
- We protected our customers against fake WiFi, man-in-the-middle attacks, data-at-rest theft, data-in-transit interception, malware and OS exploits.
- We secured our apps against tampering and reverse engineering.
- We blocked our back-end systems from exposure.
An offensive approach to mobile security strategy is clearly the preferred route. However, most CIOs are not on this path. Given the current threat matrix, Gartner estimates that 75% of mobile applications will fail basic security tests through 2015.
Today 40% of large companies – including many that appear on the Fortune 500 List – aren’t taking the requisite steps to secure mobile apps they build for their customers.
CIOs in such organizations won’t last long in a Board of Directors’ meeting should any kind of breach occur, regardless of the cause.
Secure Coding Isn’t Enough Anymore
It’s not as if developers are slacking; most adhere to best-practice secure-coding techniques such as strong authentication and encryption. Unfortunately, these alone no longer suffice: the mobile threat landscape is constantly evolving, and keeping up with every new attack vector is a struggle. Companies need to take a stronger approach to security – in fact, it should become a standard item on any mobile app release checklist.
Appdome’s Fusion and other post-development security solutions are ideal for protecting apps and keeping CIOs from stammering when asked what they did to protect customers against pervasive threats. How will your mobile app security strategy hold up to scrutiny?