Tim Dinsmore, Director, Appurity
The financial services industry is stepping up a gear as part of its digital transformation journey. And whilst COVID and the associated pandemic have pushed organisations to embrace cloud services and mobile devices, the finance industry has already witnessed a massive increase in the adoption of mobile apps. Both employees and customers of financial services organisations are using tablets and smartphones more frequently for day-to-day operations and transactions. Most mobile devices can access cloud-based services and infrastructure, which has facilitated remote working. And with corporate data now going wherever it’s required, organisations need to embrace modern security technologies and strategies to stay secure, competitive, and relevant on these smart devices.
It’s no exaggeration to say that the finance industry oversees valuable monetary assets and highly sensitive data. That makes financial institutions the perfect target for cybercriminals. To put that into context, IBM’s threat intelligence index placed the financial services sector as the number one target of cyberattacks in 2020 among all industries. So, what’s going on here and what strategies are available to those who operate in the finance industry?
Mobile devices and apps have allowed organisations to increase productivity and engagement across the board. Employees are able to stay connected wherever they are, and customers can access their financial data anytime, anywhere. With more and more users accessing cloud services and infrastructure from mobile devices, cyberattackers are deliberately targeting such devices to increase their odds of finding a vulnerable entry point. It takes only one successful phishing or mobile ransomware attack for cyber thieves to be able to access all of the sensitive data and financial information we have already mentioned – proprietary market research, client financials, investment strategies, etc.
Security teams need visibility of individual devices and the entire fleet while balancing end-user privacy and compliance with security requirements. In this way, you create a healthy balance between security and end-user privacy – essential where organisations enable bring-your-own-device (BYOD) in a highly regulated industry like financial services. In addition to securing employee mobile devices, consumer banks have an opportunity to protect their customer base. These days, a majority of banking customers use mobile devices as the primary way to access their accounts. It is critical that customer mobile devices are safe and secure and protected from the likes of phishing attacks, screen overlays and trojanised apps – all aiming to steal login credentials. And it is true that employees and customers can be as productive using smartphones or tablets as they are using desktop or laptop computers. However, if these mobile endpoints are not properly secured, you get the same security gaps as with users who don’t employ endpoint security on a laptop or desktop computer. All of this puts your organisation’s security architecture and compliance posture at risk.
Is Mobile Device Management (MDM) the solution?
At the end of the day, both managed and unmanaged mobile devices are at risk – but there has certainly been an increase in the percentage of managed devices in the financial services industry’s mobile fleets. But whilst deploying an MDM solution to try to implement basic controls over apps and devices outside the perimeter is a good start, it doesn’t provide security against mobile cyberthreats. This is especially true when it comes to protecting against phishing attacks. An MDM solution merely enables your administrators to set app and access policies. It does not provide the visibility necessary to monitor the risks that occur when employees are using apps and networks that you don’t control. Not the best scenario when you are trying to visualise the risks your organisation faces.
Many financial services providers have turned to managing devices to mitigate the risks associated with working from smartphones and tablets. And whilst this is a good first step, MDM still leaves employees exposed to more complex phishing, app and device threats that could compromise an entire organisation. The industry must also consider its customers, who prefer the mobile experience and inherently trust their financial services apps to be secure. While some mobile banking apps might build in security techniques, such as app hardening to protect the app from being reverse engineered, this isn’t enough to protect customers from threats like trojans and screen overlays.
Comprehensive Endpoint Security is Smarter
With mobile as the main driver for digital transformation, security and IT teams need to work together to secure all smartphones and tablets – whether they’re managed, unmanaged or consumer devices. Doing so with end-user privacy in mind will enable financial organisations to build a stronger security posture without violating corporate and international data privacy and compliance laws. Protecting these modern endpoints requires a different approach – one that is built from the ground up for mobile devices and secures the entire data path from the endpoint to the cloud. Only a modern endpoint protection solution can detect mobile threats in apps, device operating systems and network connections while also protecting against credential theft and malware delivery attacks through phishing.
As a financial organisation, you need to embrace modern security technologies and strategies to stay secure, competitive and relevant on the devices that your employees and customers use the most. With financial services seeing the largest rise in mobile phishing attacks of any industry, it is clear that you need to think carefully about mobile security. MDM solutions are a start, but investing in a comprehensive endpoint security solution provides more robust protection overall.