Book a meeting

App shielding

Mobile App ROI: Measuring the cost of insecure mobile apps

By Jacques Soelberg May 29, 2024 09:19 am

Learn how to start breaking down your risk and measuring your mobile app security ROI.

Developing and releasing mobile apps comes with big security risks. Mobile app security isn't just a "nice-to-have" anymore, it can be critical for your organization's success. Yet for many decision-makers, investing in app security isn’t an obvious choice. After all, how do you measure the value of something focused on prevention?

The true cost of insecurity

The headlines are filled with alarming stories about major breaches and the resulting fallout.  For example, the 2023 Cost of a Data Breach Report found that the global average cost of a data breach was $4.45 million, a 15% increase over just three years. In the US, that number shoots up to $9.48 million on average, with sectors like healthcare, finance, and tech among the worst hit.

Now, we're not here to scare you. Instead, we want to spotlight the very real threats organizations face every single day. The harsh truth? Organizations like yours are paying for incidents that could've been prevented if they had proper security measures in place. And customers are paying too  with their sensitive data. But that’s enough of the preliminaries, let’s look at the numbers.

Spending more on Android vs. iOS security? You may want to reconsider. Watch our webinar on the state of iOS app security to find out why.

Operations

Like most modern organizations, yours probably relies heavily on data and digital systems to remain competitive and operational. But this reliance can leave you in the lurch in the face of a data breach.

After an attack, some downtime is expected. After all, you need some time to investigate and map a way forward. With the average cost of IT downtime ranging from $10k to $5 million per hour, it’s not exactly something most businesses have budgeted for. Beyond the financial loss, these breaches and outages tend to negatively affect employee productivity, morale, customer satisfaction, and, of course, have a knock on effect on revenue streams. 

And that’s not to mention the potential for threat actors to get their hands on your trade secrets and product roadmaps.

Compliance

Insecure apps are often non-compliant apps. And a failure to comply is traditionally met with hefty fines, penalties, and bad press.

Case in point: In 2021, TikTok was fined $92 million over breaking biometric data laws. And Grindr got hit with a $11.7 million fine for privacy violations about 10% of their global annual revenue. Ouch. 

In the US, the FTC can fine up to $40k per violation, while GDPR violations alone can result in fines of up to €20 million or 4% of global annual revenue, whichever is higher. Yikes. 

If those numbers don’t put things in perspective, then maybe the fact that non-compliance violations can also open an organization up to civil lawsuits, criminal prosecution, and private litigation will. And don’t forget the legal fees!

Reputation

Your organization's reputation is another critical asset at risk. A single security incident can quickly turn into a PR nightmare. And it won’t just destroy customer trust, it’ll also make it harder to attract top talent, and could impact your standing with investors.

Studies show reputational damage can result in around $1.52 million in lost business. And up to 80% of consumers in developed countries will ditch a company if their personal information is compromised in a breach. 

Oh, and did you know it can cost north of $200,000 to repair your reputation? We didn’t until we did the research! Rebuilding trust is an uphill battle that means investing a lot more in PR, security, and sometimes even rebranding efforts.

Investor confidence

Cybersecurity breaches don't just affect your organization's operations and reputation, they can also have an impact on market sentiment and stock value. One analysis found the top three breaches over the past three years led to an average 7.5% drop in stock value and $5.4 billion loss in company value per breach. 

41% of investors now consider cyber threats to be the biggest threat to businesses (up from 5th place in 2017). So, savvy investors are taking note. And that means your organization’s security posture could influence an investment decision. Why wouldn’t it, when companies with better security deliver higher returns for shareholders?

Breaking down mobile app security myths

So now that we’ve looked at the big, scary statistics, let’s consider what stops more organizations from investing in more security.

For starters, there’s a misconception that apps that don’t collect personally identifiable information (PII) don’t need robust security. However, the reality is that most apps collect one form of data or another. And it all needs protecting.

For others, security appears to come at the cost of performance or time to market. Sure, some solutions might make things a little more complicated for your team,  but the best mobile app security solutions will have minimal impact on development, integrate seamlessly with your app, and leave the user experience intact.

Finally, while having dedicated security engineers certainly gives any organization a leg-up on security, external expertise adds yet another layer of protection — and that can come in handy at a time when AI is keeping cybersecurity on its toes and the world’s most popular apps are vulnerable to repackaging attacks.

Risk assessment tools and checklists: The foundation of informed decisions

We could go on and on about the dangers of insecure mobile apps, but the best way for you to put everything into context for your organization is by doing a risk assessment (you know, vulnerability scanning, penetration testing … ).

Whether you opt for automated tools, manual techniques (or a combination), the result should be the same: An understanding of your risk. 

Note: While automated tools scan known vulnerabilities quickly, they may miss context-specific or brand new threats, so having human experts on hand is ideal. The same goes for AI-driven tools, a human layer is likely always going to be essential.

If you’re looking for something more hands-on, the Open Web Application Security Project (OWASP) is pretty much the gold (pseudo) standard in the app development world. With the help of their free guidelines and security checklists like the Top 10, you can start to see your risk taking shape. 

Need more resources? The NIST Cybersecurity Framework is a great way to help you fill in the blanks.

How to compare mobile app security solutions

Let’s get this out of the way: There's no one-size-fits-all option. The right solution depends on a combination of your company's risk profile, compliance goals, industry standards, budget, and priorities.

We’ve already discussed the first step, conducting a cybersecurity risk assessment. That’s as much about identifying potential vulnerabilities as it is about evaluating the impact a breach could have on your organization and identifying compliance gaps. 

Next, look to the future. Do you have plans to expand into new markets? Then look out for a scalable solution that can adapt to new standards and challenges.

With requirements mapped out, evaluate potential solutions technically. Key considerations include runtime application self-protection (RASP), code obfuscation, encryption, and reliable support. Many of the apps we rely on daily incorporate one or more of these techniques, for example:

  • Mobile banking apps: Anti-tampering measures block access to login credentials and financial data.
  • E-commerce apps: Obfuscation makes the app code harder to decipher, protecting key processing data.
  • Mobile gaming apps: App shielding prevents cheats and unfair mods like unlimited lives, currency, etc. 

That’s the short version. We’ve written (a lot) more about evaluating mobile app security solutions.

Build vs. buy: Is an in-house security solution the answer?

A table showing the pros and cons of building a mobile app security solution in-house vs. buying one from a vendor.

As you look at ways to beef up your mobile app security, you'll inevitably face this question: Should you build a custom solution or pay for an external one? Both options have their pros and cons, and the right choice depends on your organization's specific needs and resources.

The biggest factor to consider is the total cost of ownership (TCO). Building your own solution may seem cost-effective upfront, but hidden expenses can really add up. The cost of hiring and retaining security experts, maintaining research teams, releasing regular updates, false positives, and disruptions to the development cycle can drive costs through the roof.

But don’t take our word for it, here are the (rough) numbers:

  • Security engineering team: $500,000 per year
  • Penetration testing and research: $50,000–100,000 per year (depending on your internal policies and compliance obligations)
  • False positives and disruptions: $0–millions

Those are just the basics and we’ve used pretty conservative numbers. That’s quite a price to pay for an investment that may not offer the level of protection and support a specialized mobile app security vendor can provide. 

On the other hand, an external app security solution is more of a plug-and-play experience. By leveraging existing, specialized expertise and resources, you can go to market faster, minimize disruptions to your dev workflows, and get timely, continuous threat updates and improvements.

An external option might set you back between $50,000 and $500,000 per year depending on the number of apps, and your security and compliance needs. With a team of experts, a dedication to continuous product development, and the economies of scale on their side, the vendor route often makes the most technical and financial sense.

Quantifying your risk and calculating ROI

A table showing quantitative vs. qualitative measures for cybersecurity ROI.

With a clearer understanding of the potential costs and benefits, you can now calculate the ROI of mobile app security. Let’s look at both qualitative and quantitative measures:

Quantitative measures

Cost of security vs. cost of a data breach

Compare the upfront cost of implementing your chosen security solution against the potential costs of a major data breach. Look at industry reports and real-life case studies to estimate costs per compromised record — factoring in fines, legal fees, incident response costs, lost intellectual property and trade secrets, operational disruptions, and long-term reputational damage.

Compliance cost savings

Identify all the data privacy and industry rules and regulations your mobile apps need to comply with, and estimate the fines, penalties, and legal fees your company would avoid by meeting those compliance requirements through robust security measures.

Increased revenue

Analyze concrete metrics on how enhanced mobile app performance, bolstered user trust, and improved brand reputation directly stemming from your security measures can drive tangible revenue growth. This may include higher user engagement scores, lower churn rates, more positive app store reviews, and a lower cost of customer acquisition.

Qualitative measures

Brand image

Assess how your investments in mobile app security have tangibly elevated your organization's brand image and market positioning. Gather feedback through customer surveys, social media sentiment analyses, and market research reports to quantify improvements in brand perception, affinity, and loyalty resulting from your security efforts, especially if you’re in an industry where data privacy is paramount.

Customer loyalty

Examine changes in customer retention metrics, net promoter scores, and overall satisfaction ratings before and after implementing your security solution. Analyze how increased customer trust and transparency around your data practices have impacted your ability to retain existing users and attract new ones through word-of-mouth and referrals.

Employee efficiency

Calculate the hours and costs previously devoted to addressing security vulnerabilities, implementing patches, responding to incidents, and reworking insecure code. Factor in reduced overhead and engineering costs enabled by adopting secure development practices and automated security testing capabilities. Highlight productivity gains as developers can focus more on core app development.

The bottom line

Mobile app security isn’t a luxury, it’s business critical. And the benefits (and savings) outweigh the costs. A proactive approach to mobile app security can protect your organization’s revenue — and serve as a differentiator for increasingly security-conscious consumers.

Turns out, you may need to take a second look at your iOS app security. Why? research shows that iOS apps are more vulnerable than you expect.