With data breaches costing upwards of $3.86 million, prevention is better than remediation. We recommend that Financial Services organizations use this checklist for developing a mobile security strategy:
Outline the requirements based on the use cases for mobile:
- What are you trying to enable employees to do on mobile—access email or access sensitive databases? Segment data so access can be granular.
- Evaluate your use cases and define requirements for your mobile workforce.
- The above requirements will inform your device ownership model—which device types will you support, who owns them, and how are they managed?
Deploy a UEM for device level control
- If appropriate, deploy a UEM solution that will enable you to provision devices with corporate resources and undertake ongoing device compliance checks.
- Regarding connectivity and cloud applications, determine what you need to know about users, devices, networks and apps before you grant them access to corporate resources.
Define acceptable use
- Review your existing acceptable use policies and ensure that mobile is incorporated.
- Implement an acceptable use policy for each appropriate subset of devices to control shadow IT and unwanted usage and to ensure regulatory compliance.
Expand access management policies to incorporate device risk posture
- Implement a mobile-friendly IAM (Identity and Access Management) solution for authentication to corporate apps.
- Incorporate mobile risk assessments into your IAM policies to ensure that device risk posture is considered.
- Ensure risk posture is continuously evaluated for the duration of a session.
Deploy a Mobile Threat Defense (MTD) solution to protect against cyber threats and usage risk
- Ensure that your MTD solution has a strong endpoint detection capability and an in-network architecture to prevent attacks before they get to a device.
- Ensure that your MTD solution can address both external cyber threats (like phishing, man-in-the-middle attacks, malware) and usage behavior risks (sideloaded apps, etc.).
- For all security tools, ensure appropriate configurations are made to address the threat vectors that are appropriate to your business while respecting the privacy of your end users.
- Evaluate the MTD’s machine-learning capability to understand how the threat engine identifies and protects against new threats.
Revisit this list often and consider what changes need to be made based on the following:
- Changes in company size and composition, e.g. mergers or acquisitions
- New regulations that affect the way you handle data
- Evolving IT strategy
- Threats that you have seen affecting employees
- New applications employees need to get their jobs done