Financial Services Can Stop Mobile Attackers from Cashing In

If you’re a CIO, CSO or IT employee of a financial services company, your enterprise has a big target on its back — malware writers and other bad actors want your data badly.   

Symantec’s Q2 Mobile Threat Intelligence Report: Mobility and Finance warns that 25% of employees of financial services firms have unpatched vulnerabilities in their mobile devices. And it found that more than 15 percent of the mobile devices of financial service employee have been exposed to a malicious network. In world where mobile devices are typically beyond the control of central IT and constantly under attack, what can you do to protect your company and its assets? The pros offer the following advice.

Roll up your Mobile Threat Data

Symantec Mobile Security Specialist Brian Duckering says the first step to compile “a comprehensive rollup of the organizational risks contributed by mobile devices.” Don’t leave out anything; gather the total number including low-level incidents, medium-level incidents and high-level incidents. Only by knowing what risks you’ve actually run can you combat them, he says. “There’s always going to be some risks,” he says. “But using the rollup, you can concentrate on eliminating high risks and minimizing the medium-level risks,” which are the most dangerous to organizations.”

Do this at least quarterly and closely monitor whether the risks are going up or down over time. If they’re going up, it’s likely time look at new security approaches.

Make Mobile Apps Self-Protecting

Financial institutions typically have multiple mobile apps, both for internal use and for customers. They all need to be self-protecting, constantly checking themselves to see if they’ve been attacked or have been infected.

The best way to do this is to embed a micro security SDK into all of a company’s mobile apps. Those apps use the SDK to constantly check in with a central security app that is automatically updated. That allows enterprises to update only a single security app which then makes sure all other mobile apps in the enterprise have the latest security controls.

Duckering also says that enterprises need to ensure their employees follow best practices for keeping their mobile devices safe. (Check out his blog post “25% of FinServ Employees' Mobile Devices Have Unpatched Vulnerabilities,” for more specifics.)

Make Knowledge Your Weapon

Varun Kohli, Senior Director, Strategic Marketing for Symantec, adds that a serious problem with financial enterprises is that so few of them have visibility into the state of their mobile vulnerabilities.

“I’ve spoken with about 300 companies in the last few years, and probably only a single one knew how many of their company’s mobile devices were attacked in the last 30 days,” he says. So, companies need to find out how many mobile devices currently have malware on them, how many have connected to a suspicious or malicious WiFi network, and how many are running out-of-date, vulnerable operating systems. Only by doing that, he says, can a financial services company craft the proper mobile security plan.

Protect Against Four Attack Vectors

Financial services companies need to protect against four attack vectors, he says. The first is physical —an employee leaving a device in an Uber car or some other public place, which is then taken by someone else. So, all devices of employees in a business — whether personal or company-owned — need to use a passcode and a biometric ID such as a fingerprint reader. And all need to be configured so that their data and apps can be remotely wiped.

The second attack vector, he says, is malware. Every device must have proper anti-malware installed on it, via MDM software. Similarly, employees shouldn’t be allowed to download apps from third-party app stores, a policy which can also be enforced via MDM.

The third vector, someone inadvertently connecting to a malicious network, is even more dangerous than malware, he says. Employees should be taught how to recognize malicious networks — and their devices should be configured with software that automatically opens a VPN when they do connect, as a fallback security measured.

The fourth vector is the corporate network itself. It should be configured to automatically block any risky device owned by employees, the company or attackers from getting onto it.

Kohli has a piece of advice beyond all this: IT needs to recognize it can’t control people’s use of mobile devices to the same extent it can desktop PCs, and act accordingly.

“With mobile devices, people want instant gratification,” he says. “They’re in line to get their lattes, and they have 17 seconds, and they want to use their mobile devices to check their email, Facebook and WhatsApp. You can’t get in the way of them doing that. If you do, they’ll just bypass security. So you need to devise security plans that are more cooperatively put together than imposed from the top down. And you need the right mobile security software to protect them from themselves.”

If you do all this, Duckering and Kohli say, you’ll go a long way towards protecting your company, its data and your customers.

If you found this information useful, you may also enjoy:

 

Better BYOD. It’s All About Behavior