Nearly all mobile applications connect to the cloud, storing private business information, user names, passwords and other sensitive content. Employees tie into the Web with mobile device apps such as Google Maps, LinkedIn and Wink, an app that lets users see from afar who is ringing the home doorbell or dim the living room lights.
Along with functions that a decade ago would have boggled most minds, apps also have ushered in pervasive security risks from malware, phishing attacks and human missteps.
These risks top the list for organizations, according to the nonprofit Open Web Application Security Project:
- Web application vulnerabilities. Many apps don’t properly protect sensitive data such as credit card numbers, tax IDs and authentication credentials. Attackers may steal weakly protected information.
- Operator-side data leakage. This includes unnecessary copies of personal data in the workplace, and the pirating of loosely guarded location data, browsing behavior and device configuration to identify people.
- Insufficient data breach response. The average time to detect a data breach is 208 days, according to the Verizon 2015 Data Breach report. The lag only underscores the risk to organizations that don’t react nimbly to an incident. What constitutes a smart and thorough response? Continuous monitoring for anomalous activity to make sure the intruder is ejected, and a post-incident review of weaknesses in defenses, including updating and revising policies and controls.
- Insufficient deletion of personal data. PIN codes, passwords and answers to security questions often remain lodged in a computer if users don’t close out browsers or take other security steps. Vulnerabilities also crop up when personal data is on a disk or cached online on a social network site. “Human frailty is the path into every targeted network,” said James Penrose, executive vice president of cybersecurity firm Darktrace.
- Non-transparent policies, terms and conditions. An organization’s policies may be outdated, inaccurate or incomplete; data processing may be insufficiently explained; and conditions may be so long and dense that users don’t read them.