How financial services companies can protect against mobile threats

Financial services organizations face a variety of cyber threats. But mobile risks represent a major Achilles' heel for the industry, says a new report from Wandera.

Video: The biggest threats posed by IoT devices At Mobile World Congress Americas, Michela Menting discusses the latest cyberthreats for IoT.

Like most companies and consumers, the financial services industry has become dependent on mobile communications as a way to conduct business, manage client information, exchange data, and work with customers. But without the proper protections in place, the mobile landscape can be a risky environment facing a variety of cyberthreats and potentially exposing sensitive customer data, according to a report called Mobile Security in the Financial Services, released Tuesday by Wandera.

SEE: Executive's guide to mobile security (TechRepublic)

In a six-month analysis of security data from 225 million customers with 50,000 devices collectively, Wandera discovered a number of ways in which financial services organizations are exposed to cyber threats via mobile communications, apps, services, and behavior:

  • Phishing . Financial services companies are a greater target for phishing attacks than are other types of companies. Over the six-month period, 57% of financial services firms were hit by phishing attacks compared with 42% cross-industry. In another study, 29% of financial services employees were found to be likely to click on a phishing email compared with just 11% across other industries.
  • Man-in-the-Middle attacks . Financial services organizations are hit by a higher number of incidents associated with man-in-the-middle attacks and risky hotspots, with 35% being targeted this way versus 24% across other industries.
  • Malware . Despite the concerns about malware, this threat is not as huge as many people think, according to Wandera, as less than 1% of companies were hit by malware over the six-month period. However, malware attacks certainly do occur, and cybercriminals are using more targeted approaches.
  • Cryptojacking . Some 26% of financial services companies experienced mobile cryptojacking attempts over the six months analyzed, compared with 18% cross-industry. On the plus side, financial services users tend to use their mobile devices more responsibly than do people in other industries. So the overall impact is less severe than with other types of threats, such as phishing.
  • Disable Lock Screens. Among employees at financial services firms, one in 20 failed to enable the lock screen on their mobile device, opening up a Pandora's Box of sensitive information should the phone be lost or stolen.

Wandera's research did find several positive signs in terms of mobile security at financial services companies. More users in this industry maintain their devices with the latest operating systems and security patches than do those in other industries. Rooting and jailbreaking can expose a mobile device to risky apps and content; however, the trend to root or jailbreak one's device has become much less common. Password leaks only impacted around 1% of the devices examined, though larger organizations and those with less stringent policies were more likely to suffer leaked passwords..

To help financial services companies better deal with the risks involved in mobile communications, Wandera offers the following pieces of advice in developing a mobile security strategy:

Combat phishing attacks

Employees need regular training to help them identify phishing attacks, not just from email but from social media and other messaging platforms. But training is only one layer of defense. Organizations need to adopt anti-phishing measures both at the endpoint and in the network.

Outline the requirements based on the use cases for mobile

  • What are you trying to enable your employees to do on mobile—access email or access sensitive databases? Whatever the reason, be sure to segment sensitive data so the access is more granular.
  • Evaluate your use cases and define requirements for your mobile workforce.
  • Which device types will you support, who owns them, and how are they managed?

Deploy a UEM for device level control

If appropriate, deploy a Unified Endpoint Management to provide devices with corporate resources and undergo regular device compliance checks.

Connectivity

To secure connectivity and cloud applications, determine what you need to know about users, devices, networks, and apps before you grant them access to corporate resources.

Define acceptable use

  • Review your existing acceptable use policies and ensure that mobile is incorporated in those policies.
  • Implement an acceptable use policy for each subset of devices to control shadow IT and unwanted usage and to ensure regulatory compliance.

Expand access management policies to incorporate device risk posture

  • Implement a mobile-friendly IAM (Identity and Access Management) solution to authenticate corporate apps.
  • Incorporate mobile risk assessments in your IAM policies to ensure that device risk is considered.
  • Ensure mobile risk is continuously evaluated for the duration of a session.

Deploy a mobile threat defense solution (MTD) to protect against cyber threats and usage risk

  • Ensure that your MTD solution has a strong endpoint detection capability and an in-network architecture to prevent attacks before they reach a device.
  • Ensure that your MTD solution can address both external cyberthreats (phishing, man-in-the-middle attacks, malware) and usage behavior risks (side-loaded apps etc)
  • For all security tools, ensure that the necessary configurations are made to address the threat vectors that are appropriate to your business while respecting the privacy of your end users.
  • Evaluate the MTD's machine-learning capability to understand how the threat engine identifies and protects against new threats.

Finally, revisit this list regularly to see what changes need to be made based on the following:

  • Company size and composition, e,g. mergers or acquisitions
  • New regulations that affect the way you handle data
  • Evolving IT strategy
  • Threats that you have seen affecting employees
  • New applications that employees need to get their jobs done

"In the financial services industry, as in many sectors, the security of client information is the most important asset, so it's disconcerting to find mobile security still an afterthought." Wandera vice president of product strategy Michael Covington said in a press release. "Financial organizations are struggling to keep pace with increasing regulations, rapid cloud migrations, and rampant BYOD adoption, among other emerging technology trends, making it crucial that industry security pros work to secure not just the devices, but also the apps installed on them and the data they access."

Also see

Cyber security concept, man hand protection network with lock icon.

Image: iStockphoto/wutwhanfoto

By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books—one on Windows and another on LinkedIn.