The past decade saw one of the most historic shifts in retailers' business models. They have successfully evolved to hybrid retail models, which blend brick-and-mortar stores with digital properties. With this transformation come new risks, however, many of which target the digital retail experience.
For example, just last year 15 major retailers reported data breaches where valuable consumer data was compromised by cybercriminals. This string of cybercriminal activity has damaged brand reputations, strained customer relations and resulted in the loss of millions of dollars.
Despite this increased threat, the pace of innovation hasn't slowed down. More retailers are shifting their business to mobile apps. According to a Forrester report from February that surveyed 71 retailers, 58 percent of retailers consider mobile commerce a top priority. With cybercriminals constantly seeking the next opportunity for attack, retailers need to recognize mobile as an emerging target.
Are retailers dedicating enough time and resources to guard customer data and themselves against potential cyberattacks? Unfortunately, new data suggests they could do much more.
A recent study of 640 businesses conducted by IBM Security and the Ponemon Institute revealed significant flaws in the ways that many large organizations, including Fortune 500 retailers, are developing and securing mobile apps. When asked how much of the mobile app development budget was dedicated to security, half of the surveyed companies indicated that they allocate zero funds to safeguarding the mobile apps they build from malware.
Additionally, another 33 percent of organizations said they never test mobile apps to ensure all vulnerabilities have been removed before placing them in the hands of customers, who freely upload their personal information onto these apps.
Prioritizing Security Over Speed
Negligence and a lack of financial investment in security are quickly exposing retailers and their customers to sophisticated cyberattacks. A study of the top 40 retail apps from app security vendor Arxan has corroborated this trend. According to the report from November 2014, 90 percent of Android retail apps and 35 percent of iOS apps have been hacked in a way that produced cloned or repackaged versions of the apps that included malicious content.
Our study suggests app developers are prioritizing rapid app development over security: in the survey conducted with the Ponemon Institute, 77 percent of respondents cited "rush to release" pressures as the reason mobile apps contain vulnerable code.
Today’s businesses often seek short-term customer gratification, prompting them to build apps with speed to market and user experience in mind. Of course, that's great for all of us because we love useful apps; the downside is that they're not protecting us or their own data.
Inaction is Costly
Many retailers are also setting themselves up for disaster by failing to implement internal policies on the use of mobile apps. According to our study, a significant majority (67 percent) of organizations allow their employees to download apps onto their work devices that have not been scanned for potential security flaws.
This lack of regulation enables criminals to exploit app vulnerabilities. For example, they might be able to access sensitive documents, hijack a device’s camera and microphone to gain access to private company developments and meetings, or even deliver malware through an app to infect a broader group of people.
At any given time, mobile malware infects over 11.6 million mobile devices, according to a study by Alcatel-Lucent. These data breaches can cause significant financial losses, as we’ve seen for many of the major retailers that have been hacked in the past two years.
In fact, the average cost of a single data breach for retailers worldwide has increased 15 percent over the past year to over $3.5 million, according to a separate Ponemon study. That total doesn’t account for the customers lost when a brand becomes associated with compromised security.
Several vendors, including IBM, are developing solutions that detect and destroy malware on mobile devices. Implementing such security measures is a step in the right direction, but doesn’t completely solve the problem. It’s merely a component of a broader mobile security strategy, one that should start with establishing clearly defined policies for mobile devices. Our report revealed that 55 percent of employees said their organization doesn’t have a policy that defines the acceptable use of mobile apps in the workplace.
If history teaches us anything, criminals like to shop where the money is. Mobile security needs to be prioritized to protect consumers, the retailer’s brand and the internal privacy of businesses.
Don’t let hackers cash in on weak mobile security. Check them out of the process before they check you out.
Neil Florio is the vice president of the mobile division for IBM Security.