By Mike Kiser, Security Strategist and Evangelist at SailPoint
What would it take to put you in the 1% — to enable you to leave your job, jump on your private plane and eat lobster with caviar for breakfast, lunch, and dinner? The answer to that question varies depending on your location: from $81K per year in India, to $290K in the UK, and a massive $891K in the United Arab Emirates (pre-tax, for those of you doing the math at home).
While membership in this elite club is not achievable for most of us, it is still possible to become a top-tier member of a different group: the 3%. This select group is measured neither by how many homes its members own nor by their investment portfolios, but rather by how well they steward the resources that others have entrusted to them.
At a time when the cybersecurity challenges faced by banks have never been clearer, it can still be a challenge for security and IT teams to secure investment in their department. Business decision makers feel as though they are being asked to justify a negative ROI: money spent to reduce the cost or likelihood of a data breach rather than to grow the business. Meanwhile, the proliferation of digital banking services (both in apps and online) has exponentially increased the attack surface available for cybercriminals to exploit – whether that’s via a consumer login to check a bank balance, or an internal user accessing central business systems to issue a new product.
A recent report published by Arxan Technologies examined 30 different financial services apps available on the Google Play store and found very few that provided adequate security for their users. Despite the fact that these were supplied by financial institutions, for whom trust is essential for their business, application security was found wanting.
The issues discovered were wide ranging – 43% of apps were vulnerable to attacks in which code is injected into the app at runtime and executed on the mobile device itself, allowing adversaries to run their own code as the logged-in user. Alongside this, 80% of the apps used relatively weak encryption, creating an easy attack vector for malicious actors to pilfer sensitive data embedded in and used by these apps. Furthermore, 83% of the apps chose to store sensitive data in the device’s file system, in external storage or on the clipboard, which circumvents any access restrictions that the app might normally enforce. This allows any anonymous user (or other app) to access sensitive data that should have been protected.
But the most common issue was financial apps lacking binary protection, which would prevent reverse engineering. This means that attackers could take the applications and decompile them to examine their source code; this allows for the discovery of other vulnerabilities to exploit, and exposes any sensitive data hard-coded within the app as well. This final issue alone reduced the number of apps without issues to a grand total of 3%.
Only 3% of financial apps within this study delivered a secure experience for their users, demonstrating that these financial institutions could be trusted to handle their customers’ data and finances responsibly. This, of course, is the 3% that all financial institutions should aspire to belong to; with each passing headline, customers are realising the importance of choosing financial providers who have invested in proper security controls to protect their interests.
Studies such as this one make it more apparent with each passing day that security cannot be an afterthought for today’s businesses. It must be a mindset that pervades all aspects of the organisation: from establishing an identity program to provide access and ensure compliance with regulation, to enforcing access to sensitive resources in depth. Moreover, organisations must ensure – as this report highlights – that application security is at the forefront of every software architect’s and developer’s mind, so that the applications and software that represent a financial institution to the world communicate responsible handling of important customer assets and data.
Organisations that take security lightly put themselves at risk – not only jeopardising the relationship with customers unnecessarily but also finding themselves living below what one analyst called “the Security Poverty Line.” Financial services institutions that want to thrive in today’s business environment must invest in a coherent security program and deliver a secure, trustworthy interaction for clients, which will elevate them into that rarefied air of the 3%.