How to Protect Against Mobile Attacks in the Field: Recommendations for FINRA Regulated Firms
December 13, 2019
Advisors and agents are using mobile devices to communicate with customers and prospects more than ever before, and for good reason. Using mobile devices for work can save 58 minutes per day while increasing productivity by 34%,* and texting is the highest-rated contact method for customer satisfaction compared with all other communication channels. Your field sales team is also always on the go. They will use mobile (their own phones, i.e. BYOD, of course), and you need to secure it.
With the rise in popularity of mobile technology, security attacks have increased as well. The total economic risk to a firm from mobile data breaches in a year is put at $26.4 billion.** In addition, 67% of organizations report that they had an actual data breach as a result of employees using their mobile devices to access sensitive company information.***
FINRA recognized the issue in a 2018 report presenting key findings from its member firms. Some of the threats identified were malicious advertisements and spam communications, and infected, cloned, or pirated mobile applications. Firms are seeing vulnerabilities in mobile operating systems, and phishing, spoofing, and rerouting of calls, emails, and text messages. You name it, the threats are out there.
Let’s take a look at today’s six most common mobile end-user threats and recommendations for how to mitigate them, based on Hearsay’s 10 years building compliant mobile apps for financial services firms, as well as FINRA best practices.
The Modern Mobile Threat Landscape and Protection Recommendations
THREAT: Poorly Configured Mobile Devices. With BYOD, you need to watch out for phones running outdated, vulnerable software, devices that are “jailbroken” (or, on Android, rooted), and weak or disabled device-level PIN or biometric locks.
RECOMMENDATION: When selecting vendors with mobile applications, be sure their platforms update automatically with the latest security fixes, and that they provide application-level security: a unique PIN or biometric authentication required to access private conversations and data, independent of the device lock.
THREAT: Personally Identifiable Information (PII) Data Leakage. With so much information being shared via SMS, advisors or agents may not realize that the tidbits of personal data they release over time can be aggregated into a profile of themselves or their clients for use in more advanced attacks.
RECOMMENDATION: Put a compliant texting solution in place. Leverage a compliance platform with keyword lexicons and automatic message blocking to prevent PII from going out in texts, or to alert compliance teams when it does so that repeat offenders can be stopped.
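As an added illustration (not Hearsay’s code, and independent of any particular platform), the Python sketch below shows the shape of such a lexicon-based outbound filter: a hard-PII lexicon (SSN and payment-card patterns, the latter confirmed with a Luhn check so ordinary reference numbers are not blocked), a keyword lexicon that only alerts, digit masking so the supervision log never stores the PII itself, and a per-sender counter that flags repeat offenders. The categories, patterns and threshold are assumptions that a firm would tune to its own policy; the sample messages are constructed.

```python
"""
Lexicon-based screening of outbound texts for PII.

Added illustration for the recommendation above; it is not Hearsay's code and
assumes its own categories, patterns and threshold. Sample messages are constructed.
"""
import re
from dataclasses import dataclass

# "Hard" PII: a match here blocks the message outright.
HARD_PII = {
    # US SSN, with structurally invalid area/group/serial values excluded.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b"),
    # 13-19 digit run with optional spaces/dashes; a candidate only, confirmed by Luhn below.
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}

# Keyword lexicon: a match alerts compliance but lets the message through.
KEYWORDS = {
    "credential": re.compile(r"\b(password|passcode|pin)\b", re.IGNORECASE),
    "account_ref": re.compile(r"\b(account|routing) number\b|\bacct\b", re.IGNORECASE),
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; keeps ordinary reference numbers out of the card category."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_digits(text: str, spans) -> str:
    """Replace digits inside matched spans with X so the log never holds the PII."""
    chars = list(text)
    for start, end in spans:
        for i in range(start, end):
            if chars[i].isdigit():
                chars[i] = "X"
    return "".join(chars)


@dataclass
class Decision:
    action: str          # "block", "alert" or "allow"
    categories: list     # lexicon categories that matched
    redacted: str        # message text safe to store in the supervision log
    escalate: bool       # sender has reached the repeat-offender threshold


def screen_message(sender: str, text: str, offenses: dict, threshold: int = 3) -> Decision:
    """Screen one outbound text; `offenses` persists flag counts per sender across calls."""
    hits, spans = [], []
    for name, rx in HARD_PII.items():
        for m in rx.finditer(text):
            if name == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue        # long digit run that is not a card number
            hits.append(name)
            spans.append(m.span())
    for name, rx in KEYWORDS.items():
        if rx.search(text):
            hits.append(name)
    if not hits:
        return Decision("allow", [], text, False)
    action = "block" if any(h in HARD_PII for h in hits) else "alert"
    offenses[sender] = offenses.get(sender, 0) + 1
    return Decision(action, sorted(set(hits)), mask_digits(text, spans),
                    offenses[sender] >= threshold)


if __name__ == "__main__":
    ledger = {}
    for msg in [  # constructed samples
        "Hi Dana, your SSN 123-45-6789 is on file",
        "Card 4111 1111 1111 1111 ending soon",
        "Ref 1234 5678 9012 3456 for the trade",
        "Can you resend your password for the portal?",
    ]:
        d = screen_message("advisor-1", msg, ledger)
        print(f"{d.action:5} {d.categories} escalate={d.escalate} :: {d.redacted}")
```

The third sample is the point of the Luhn step: a 16-digit trade reference looks exactly like a card number to a regex, and blocking every such message would train advisors to route around the filter. In production the lexicon would also carry the firm’s own account-number formats, and the masked text rather than the original is what should reach the supervision dashboard.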
THREAT: Accidental Disclosure and Loss. Incidents occur when mobile devices (from laptops to phones) are lost or stolen, or when advisors/agents accidentally send sensitive information to the wrong person. Or, in the case of one of our clients, a ‘toddler attack’, where a random mashing of buttons sent information that was not sensitive, but was definitely mistaken, to the client!
RECOMMENDATION: Leverage in-app PIN or biometrics as a second line of defense, in case the device itself is not secured or someone finds it unlocked. Use a single source of truth for customer and prospect contacts, such as the CRM, to ensure advisors/agents are always sending to the right person with the most up-to-date contact information.
THREAT: Smishing. Advisors and agents are less aware of phishing attacks delivered via SMS, and are more likely to engage with them and share personal information.
RECOMMENDATION: Auto-block spam for SMS and voice calls. Create org-wide blacklists. Educate your employees on the threat of SMS-based phishing attacks.
THREAT: Lack of Remote Security and Access Management. Organizational assets and information can be modified or misused, without authorization or unintentionally, because lost devices retain access to private data, or because employees who were fired, laid go, or quit still have access from their devices. In a BYOD environment, how do you get data off a person’s personal device? How do you do it remotely when you have no physical access to that person or their device, especially in the distributed field team model we’re seeing at firms today?
RECOMMENDATION: Integrate mobile apps with corporate SSO for verified sign-on, and use APIs or admin dashboards to remotely deprovision devices, revoking their access to client and corporate data. Note that disabling an identity in SSO only stops future sign-ins; removing data already cached on the device requires the app itself to wipe its local store when it is deprovisioned.
THREAT: App Overload. End-users and IT managers become overwhelmed by the number of apps and accounts they have to manage, which can lead to security controls being relaxed to cope with the complexity.
RECOMMENDATION: Consolidate app vendors by looking for providers with multi-channel capabilities. Leverage a unified supervision dashboard for compliance review across Social Media, SMS, and Voice Calling.
Can’t I take care of all of these with MDM or EMM?
Mobile Device Management (MDM) solutions can mitigate many of these threats, and there are several Enterprise Mobility Management (EMM) suites out there. However, wrapping an insecure application in MDM or MAM (Mobile Application Management) will always be inferior to having a secure application. Even with device-level controls, you still need to think about what data is being sent to that app and what data the user has access to, because very few MDMs can prevent someone from, say, taking a picture of their phone screen with another phone. In addition, if you are deploying a mobile strategy to the field, particularly a distributed field, time to value suffers if you have to wait for an extensive EMM or MDM rollout first. We believe that having the right application controls in place gets you 90-95% of the way there. In the end, MDM can be part of the solution, but it is not the whole story.
* Frost & Sullivan – The Smartphone Productivity Effect
** IBM – 2019 Cost of Data Breach Report
*** Gartner – Mobile Device Security Study