Leaky Apps – How Banning Them Builds App Security
Banning apps is sometimes necessary to protect your organization from malicious or misused applications. In particular, leaky apps can be a significant threat, and identifying and banning them is an essential app security measure.
Some organizations choose a more flexible approach by allowing employees to use unsanctioned apps and monitoring their usage for suspicious activity. Yet others don’t monitor employee app use at all, which is the riskiest approach imaginable.
Employees rely on software to help them do their jobs more efficiently, save time and increase their productivity. But not all software is created equal, and not all apps are implemented securely. Even a massive global organization can be threatened by leaky apps that create massive risk, as this Toyota example demonstrates.
The risks of leaky apps and poor app security
Deciding whether to ban an app on corporate devices should be based on A) how much value that app provides versus B) the likelihood of its misuse at the individual or organizational level. In deciding, the organization should consider several types of risk caused by leaky apps or other software.
The risk from insider threats is a major concern in app security, due to the difficulty of detecting malicious insiders who already have legitimate access to systems and data.
A recent report found that 48% of cybersecurity professionals agree that insider attacks are tougher to detect and prevent than external attacks. And according to Verizon, internal actors are responsible for 19% of all data breaches.
This makes implementing zero trust capabilities essential to reducing the attack surfaces available to these cybercriminals. Although the magnitude of this threat isn’t as substantial as others, such as phishing, it can still carry a hefty price tag. Recent research shows that the average cost of a data breach is $4.45 million.
Apps can contain malicious software that can harm connected devices and your network. And these threats have increased in recent years:
- According to the 2023 State of Malware Report from Malwarebytes, 71% of companies worldwide were affected by ransomware.
- By the end of November 2022, over 22,500 new vulnerabilities had been added to the worldwide CVE database, already 10% more than in all of 2021.
- The United Nations Office on Drugs and Crime (UNODC) reported that more than 3.2 million cyberattacks were reported to law enforcement officials in 2022, with more than 1.13 million of them involving malicious software.
On top of malicious software, apps can provide unauthorized access to your system, allowing attackers to gain access and exploit your data. Think of this as malware targeting your systems, not your users. The potential risk of malicious insiders magnifies this threat. Malicious apps are also able to monitor or inject traffic, leading to a loss of privacy, disruption of services or attacks on weak targets.
Banning certain apps, whether leaky apps or deliberately malicious ones, can help reduce the likelihood of exploits. Otherwise, bad actors can target other endpoints on trusted networks behind a corporate firewall.
Leaky app issues
Leaky apps can result in user data, such as phone numbers and email addresses, being leaked to third-party servers. In one example, a security researcher discovered that TikTok was leaking user data without the user's consent, and a report from the Washington Post found that TikTok was sending user data to Chinese servers.
To prevent this, banning leaky apps can ensure that only trusted apps are allowed to access user data. Unfortunately, many commercial apps (especially those that are “free” or ad-supported) don’t always make it clear what data they collect and whom they share it with.
Another potential cost of leaky apps? The regulators behind mandates like the GDPR and CCPA aren’t going to be forgiving of a company that was negligent in defending against data breaches. The fact that bad external actors may be involved is no excuse for not taking measures to prevent leaky apps and malware from invading a network.
Siloing and data exfiltration hazards
Using unauthorized applications can lead to the formation of silos when everyone isn’t working with the same app, resulting in decreased efficiency and productivity for the entire organization.
Not only can unapproved downloads create a security risk, but cloud-based SaaS applications can also open the door to unintentional and intentional data exfiltration, as well as data loss if files are misplaced or forgotten. In some cases, employees may even use non-SaaS desktop or laptop applications that haven’t been updated in years because they’re more comfortable with them. But they often still pose risks.
If cybersecurity teams can't see unsanctioned “shadow IT” apps, they can’t take app security measures to assess risk and monitor usage. This lack of visibility leaves the organization vulnerable.
Solving app security issues
There are fairly straightforward ways to solve the problem of monitoring and, if necessary, banning apps. These involve educating your organization about the risks to forge a “culture of app security” and using software tools to control the apps that are installed on networked devices and that are being accessed from the cloud.
- You should start by explaining the risks involved to employees and leadership. Educating everyone on zero trust principles and good cyberhygiene should be an ongoing, ever-evolving process that makes them aware of the dangers posed by leaky apps and unsanctioned downloads. In educating them on how to recognize and report possible security threats, you can also make them aware of the benefits their diligence brings for everyone.
- To control device-based apps, Mobile Threat Defense (MTD) software is used. This is often coupled with endpoint management software to monitor apps that are being installed (or may already be in use) and detect any risks; when a risk is detected, access to the app is blocked.
- Security Service Edge (SSE) software regulates the use of cloud-based applications. It can assess risk levels for SaaS apps, letting security teams allow or disallow software based on that assessment. Plus, SSE software can conditionally monitor data transiting SaaS apps to ensure sensitive information isn’t stored in the cloud while still allowing the app to be used.
Learn more about the threats posed by unmonitored and unsecured mobile devices, the need for cyberhygiene for Internet of Things (IoT) devices, and the impact of zero trust adoption on organizations that have taken that step to protect themselves from the threats, leaky apps or otherwise, that every enterprise is facing.