Mobile Security and Compliance Within The Financial Services

Financial institutions manage huge amounts of sensitive information, and a breach of such data could stand to be extremely costly. Consequently, the industry is heavily regulated, and companies must be extremely mindful of how customer information and communications are handled. This report by Wandera examines the current state of mobile security, as well as the mobile challenges facing modern financial services companies.

Increasing Regulations

With the emergence of new technologies and services, governments worldwide are regularly implementing new regulations in order to adapt to new business models and consumer behaviour. It is increasingly falling on IT teams to implement architecture which is compliant, whilst still driving innovation and curbing costs.

GDPR has now seen two notable fines as a result of data breaches, with British Airways facing a £183 million fine, and Marriott one of £99 million. Both organisations face these costs due to failure to comply with regulations laid out by GDPR in accordance with data privacy.

Data privacy regulations don’t just end with GDPR, with the UK also having the Data Protection Act 2018 in place. As a result, data and privacy have shot to the forefront of not only the agenda of IT, but of organisations as a whole. Businesses must consider the impact of mobility on data privacy and ensure they have appropriate technologies in place to ensure compliance.

The Move To The Cloud

A shift to the cloud is occurring, for some swiftly, whilst others adopt a more gradual approach. Despite the benefits of cloud, it does not come without hindrances. From the perspective of compliance and legal teams, outsourcing means a diminishment of control which might not be welcomed in an industry as vigilantly regulated as the Financial Services.

Despite this, migrating to the cloud is becoming a necessity for many firms.

To help with these challenges, the following authorities all have guidance on the use of outsourcing to the cloud and other third-party IT services:

Supporting BYOD

Within financial services, 64% of devices are employee-owned, and the IT teams supporting them must walk the fine line between protecting corporate data and respecting end-user privacy, all whilst remaining compliant with the cascade of industry regulations.

Mobile Challenges within the Financial Services

The number of data breaches reported by UK financial services firms to the Financial Conduct Authority (FCA) increased by 480% in 2018. 

The average yearly cost of cyber crime in the financial services is $18.28 million per company – the average cost across all industries is $11.7 million.

1. Handling highly sensitive client information

The Markets in Financial Instruments Directive (MiFID) II has imposed tighter regulations on how companies within the EU record interactions between companies and clients. The directive was updated in 2018 to include ALL phone and electronic communications. Mobile complicates this requirement: client communication has evolved and now often takes place over mobile messaging applications such as WhatsApp, and such applications make it difficult to capture and record messages.

Another common example of sensitive information handled over mobile is when financial advisors use mobile devices to access identification apps while in transit to client meetings. Without IT management of these devices, client data flowing through those apps might be at risk.

2. Managing access

Contractors form part of the extended enterprise, but with them comes a number of unknown, unmanaged variables to IT security practices. With the migration to the cloud, IT teams need to better manage access to ensure regulatory requirements are met. Identity and Access Management (IAM) enables companies to better provision, control and revoke access as well as implement role-based access controls to prevent unnecessary privileges.

The use of mobile devices adds further complexity to third-party access management, as in-house teams are reliant on third-party vendors practicing good cyber hygiene—not sharing usernames and passwords among team members, and having appropriate security controls and configurations in place for their devices. Because mobile devices are an additional risk factor, it is essential for IT teams to implement conditional access: policies that decide whether to grant access based on device and session variables such as OS version, network security, and location, thereby reducing the risk introduced by mobile.

3. ‘The moving office’

For many staff within the financial industry, travel is a necessity. This creates a need for additional security measures, in order to protect organisations from risks ranging from unsecured public Wi-Fi to excessive data roaming bills.

4. Mobile threats

Phishing

Financial Services companies experience more phishing attacks relative to the cross-industry average.

% of companies experiencing phishing attacks

Financial Services: 57.3%
Cross-industry: 42.2%

Financial Services employees are more likely to click on a phishing email at work.

% of employees who click on phishing emails

Financial Services: 29%
Cross-industry: 11%

Malware

Despite malware often being top of threat lists, its effect on financial services is relatively limited, with less than 1% of companies having experienced malware attacks. Even so, malware should not be ignored as an attack vector, as cyber criminals are becoming highly targeted and specialised in their approach.

Cryptojacking

A higher number of Financial Services firms have experienced mobile cryptojacking than the average cross-industry.

% of companies who have experienced mobile cryptojacking

Financial Services: 26.7%
Cross-industry: 18.6%

Man-in-the-middle Attacks

Financial Services employees have seen a high number of incidents associated with man-in-the-middle attacks and risky hotspots.

% of companies who have experienced man-in-the-middle attacks or risky hotspots

Financial Services: 35.6%
Cross-industry: 24.1%

Of the risky hotspots, 59.67% in the Financial Services sector were travel-related, indicating that FS employees who travel need greater protection.

Mobile Risks Affecting Financial Services

OUT-OF-DATE SYSTEMS

35.56%

35.56% of FS companies have devices which aren’t running on the latest operating system, putting them at risk as they fail to receive security patches.

LOCK SCREEN DISABLED

1 in 20

For every 20 employees in a financial services company, 1 has their lock screen disabled. This puts the company at risk in the event of a device without a lock screen being lost or stolen.

SIDELOADING APPS

iOS: 2.88%
Android: 3.76%

Within the sector, 2.88% of iOS and 3.76% of Android devices have sideloaded apps. Sideloaded apps can be an indicator of users exhibiting riskier mobile behaviour.
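The conditional access described in section 2 and the risk indicators listed above (out-of-date OS, lock screen disabled, sideloaded apps, risky hotspots) can be tied together in a single posture check. The following is an added illustration, not code from the report or from any UEM or MTD product; the DevicePosture schema, the minimum OS versions and the allow / step_up / deny tiers are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class DevicePosture:
    """Signals a UEM/MTD agent reports about a device and its session (constructed schema)."""
    os_name: str               # "iOS" or "Android"
    os_version: str            # dotted version string, e.g. "16.4.1"
    lock_screen_enabled: bool
    sideloaded_app_count: int  # apps installed from outside the official store
    network_type: str          # "corporate", "cellular" or "public_wifi"
    tls_intercepted: bool      # MTD agent detected a man-in-the-middle on the current hotspot


# Assumed minimum patched OS per platform; placeholder values, not from the report.
MIN_OS_VERSION = {"iOS": (16, 4), "Android": (13, 0)}


def parse_version(version: str) -> tuple:
    """'16.4.1' -> (16, 4, 1); non-numeric parts are dropped so tuples compare cleanly."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def evaluate_access(posture: DevicePosture) -> dict:
    """Map posture signals to allow / step_up / deny, recording every reason for audit."""
    deny, step_up = [], []

    # Out-of-date OS: the device is not receiving security patches.
    minimum = MIN_OS_VERSION.get(posture.os_name)
    if minimum is None:
        deny.append("unknown platform")
    elif parse_version(posture.os_version) < minimum:
        deny.append("out-of-date OS")

    # Lock screen disabled: a lost or stolen device exposes client data immediately.
    if not posture.lock_screen_enabled:
        deny.append("lock screen disabled")

    # Active interception on the current hotspot is a hard stop.
    if posture.tls_intercepted:
        deny.append("man-in-the-middle detected")

    # Softer signals: require MFA and a VPN tunnel instead of blocking outright.
    if posture.sideloaded_app_count > 0:
        step_up.append("sideloaded apps present")
    if posture.network_type == "public_wifi":
        step_up.append("untrusted network")

    if deny:
        return {"decision": "deny", "reasons": deny + step_up}
    if step_up:
        return {"decision": "step_up", "reasons": step_up, "controls": ["mfa", "vpn"]}
    return {"decision": "allow", "reasons": []}
```

Running evaluate_access on a constructed posture such as DevicePosture("iOS", "16.4.1", True, 0, "public_wifi", False) yields a step_up decision, so a travelling adviser on hotel Wi-Fi is challenged for MFA and routed through the VPN rather than blocked.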

Recommendations

As the cost of data breaches continues to increase, prevention is better than remediation. The following are recommended steps to help develop a mobile security strategy:

  1. Outline requirements – what do you want users to achieve on mobile?
  2. Deploy a Unified Endpoint Management (UEM) platform for device-level control – this will enable the provisioning of devices with corporate resources and the undertaking of ongoing device compliance checks.
  3. Connectivity – determine what you need to know about users, devices, networks, and apps before you grant them access to corporate resources.
  4. Define an acceptable-use policy – implementing this for each appropriate subset of devices will control shadow IT and unwanted usage, ensuring regulatory compliance.
  5. Implement an Identity and Access Management solution – enables authentication for corporate apps.
  6. Deploy a Mobile Threat Defence (MTD) solution – protects against cyber threats and usage risks.

How can we help?

Mobliciti specialises in cloud and mobile endpoint security, meaning that data is kept safe and secure. We can support your mobile estate throughout its lifecycle, enabling employees whilst ensuring compliance.

Find out more about our services or get in touch.