Even though the adoption of the cloud and IoT devices for business operations have brought about an increased awareness by executives of the importance of securing them to avoid risks and downtime, when it comes to application security the story is a bit different.  The reasons can vary, one of them being that apps are seen as secured by simply implementing an overall security posture.  If things were that simple, it would be nice, but they’re not.

 

Applications require their fair share of attention if a business wants to minimize the vulnerabilities that come with them.  Just to give you an idea of the risks, the HPE Cyber Risk Report 2016 found that:

 

  • Applications and platforms that you might use every day are the biggest targets of exploits.  There are now more than 10,000 new Android threats discovered every day – a 153% year-over-year increase. Meanwhile, malware attacks on the Apple iOS platform grew 235% in 2015.

 

  • 72% of web apps have at least one encapsulation flaw.  Web application developers continue to struggle with issues such as privilege escalation errors that have been well documented and well understood for years (old habits die hard even in the software industry).

 

  • Five of the most common vulnerabilities in applications were the result of either encapsulation errors or weaknesses in security functions or the operating environment.

 

With that in mind, one of the biggest challenges for companies and adopting a better state of security for applications starts with the mindset and culture within the enterprise.  Since businesses are still working on making overall cybersecurity part of their business process and culture, it’s understandable that securing applications isn’t something they have really thought about (yet).

 

Also, due to different departments working independently from one another, communication and collaboration on security doesn’t take place.  If a company is developing their own app for example, developers and security teams don’t work together on its development, which means security doesn’t get implemented from the start.  The same goes for companies that develop apps that other businesses and people will use; it’s no secret that developers don’t think of security during the development phase.

 

Other areas that present a challenge to application security are putting faith in existing tools to do the job and the lack of security expertise to take care of what the tools will miss.  The Center for Cyber Safety and Education estimates there will be a shortage of 1.8 million information security workers by 2022.  With automation being something organizations are keen on implementing, it’s no wonder they’re leaning more and more towards tools.  Security technology isn’t the problem, as much as it is the importance of having an actual person who can tell the company when their technology fails them.

 

If security is a priority for businesses in 2017, it’s essential that executives start looking at all the online business tools and solutions they’re using to run their day to day operations as a way cybercriminals might try to get in (from printers to online web apps, to the code used in company software, and so on).  There’s not one item that doesn’t require a closer look due to the potential risks it can bring to a business.

 

If you’re ready to talk about cybersecurity and resolve the security skills gap, give us a call.

We’re here to help, let’s talk!

 

Photo courtesy of iQoncept