Skip to main content

HP’s enterprise security risk report highlights mobile encryption concerns

HP has been publishing its Cyber Risk Report every year since 2009, and the latest report for 2013 has just emerged, detailing the biggest threats to enterprise security.

Broadly speaking, the major enterprise security weak points last year were mobile devices, that old chestnut Java, and insecure software in general.

Dealing with the mobile arena first, part of the security problem here is that the definition of “malware” is controversial, and that in itself makes determining mobile malware risks a trickier business. HP scoured 500,000 Android apps and realised that there were major differences in how mobile platform vendors and antivirus makers classified malware.

Also, no less than 46 per cent of Android and iOS apps were found to be using encryption improperly – in other words, developers were using weak encryption algorithms, or failing to protect sensitive data by misusing stronger encryption measures.

In terms of software in general, almost 80 per cent of the applications HP examined contained vulnerabilities outside of their source code. In other words, there was no problem with the program, but rather the user configuration – with the way the application is being used causing a vulnerability. That’s certainly a worryingly high percentage.

As for the ever problematic Java, sandbox bypass vulnerabilities were found to be the biggest menace on this front.

HP’s key recommendations to help enterprises stay secure include keeping fully abreast of security flaws in frameworks and third-party code, especially when it comes to hybrid mobile development platforms. Strong security guidelines are necessary, as is intelligence sharing among the security industry when it comes to strategies for defeating malware and developing a more proactive defence.

Jacob West, CTO, Enterprise Security Products at HP, commented: “Adversaries today are more adept than ever and are collaborating more effectively to take advantage of vulnerabilities across an ever-expanding attack surface.”

“The industry must band together to proactively share security intelligence and tactics in order to disrupt malicious activities driven by the growing underground marketplace.”