Mobile Security A Moving Target In Financial Services

While most patients aren’t aware of how much personal health data is stored in healthcare devices, doctor’s offices or even networks, most everyone can explain where and how much money they have stored in various banks and accounts. It’s for that reason the Financial Services industry must stay ahead of the security curve, especially as mobile banking and apps are integrated into everyday life.

The Financial Services industry isn’t just about your checking and savings accounts, but ranges from your mortgage lender to trading portfolio and every financial dealing in between. With so much diversification comes a threat landscape as unpredictable and volatile as the stock market.

According to SecurityScorecard, in 2016:

  • 75% of the top 20 U.S. commercial banks were infected by malware, and some were infected by multiple malware families.  
  • 95% of the top 20 U.S. commercial banks were graded “C” or worse when it came to network security
  • Nearly one-fifth of financial institutions use email providers that have known security vulnerabilities

As industries continue to promote mobile banking via online sites and apps, hackers continue to find new endpoints to breach as the banking process proves to be fragmented and disconnected. The mobile banking process requires an acquirer, card issuer, card network and other steps, all of which have their own security layers – or lack thereof – and create entry points for criminals looking to do harm.

“InfoSec as a whole is unique in that sharing best practices is best practice,” said Ryan Martin, Principal Analyst with ABI Research, to Enterprise Mobility Exchange. “Financial services is no different in this regard; having a strong endpoint security strategy benefits other stakeholders in the chain of command, and that chain is only as strong as its weakest link. The difference in financial services is the pace of transactions – or, more broadly, machine interactions – which are becoming more and more automated by the day.”

Enterprise mobile app developers are under the gun more now than ever. They’re being tasked with building systems that will enhance productivity and save cost, all within a short time frame. When that happens, security becomes an afterthought, according to a penetration tester for a global financial company who chose to speak on condition of anonymity.

All too often developers are relying on whatever security controls are automatically enabled through the operating system’s environment and assuming that will be enough to cover any major vulnerabilities rather than layering security during a step-by-step process. Developers are also faced with tight deadlines, which forces security to become an afterthought.

“There’s a tug of war between security and usability,” said the senior penetration tester. “The enemy of security is time.

But is saving time worth leaving known – or easily patched – vulnerabilities exposed? Security needs to be baked into the software development lifecycle (SDLC). Each step of the coding process must be tested and subsequently treated, creating a layered security approach and protecting the backend – where data at rest and in transit can be accessed.

“To have automation, you need trust,” said Martin. “Instilling a level of trust at the system level is an entirely different undertaking than doing so at the application level. The challenge today is the mix of devices, applications, and services that touch the corporate network is in flux … but the business cannot be.”