If you’ve read our Mobile Security in the Financial Services Report, you’ll know that there are a bunch of new trends and threats that are causing headaches for IT and security professionals in Financial Services.
Of Financial Services companies:
| have experienced a mobile phishing attack | have experienced man in the middle attacks | have sideloaded apps installed |
In our on-demand webinar, Dr Michael Covington, VP of Product at Wandera, does a deep dive into the findings from the report, delves into some of the misconceptions around mobile security and what Financial Services companies can do to better protect themselves against mobile threats.
Today we’ll be discussing the state of mobile security in the financial services sector.
With the industry known for innovation and really being on the leading edge of technology, it’s also known as being one of the most highly regulated in the world.
And it’s also frequently targeted by hackers because of the high ROI that comes from a successful breach.
In today’s discussion, what we really want to do is take a look at the key trends that are shaping the industry. As part of this, we’ll dive into the specific issues surrounding the broad adoption of mobile technologies by organizations, really across this vertical.
And I think the real focus for today is going to be around an analysis that we’ve done of real-world data that hopefully helps us to better understand the risks that are faced by companies who are enabling a mobile workforce within financial services.
So, without further ado, let’s go ahead and get started. And I think it helps to start by setting the scene and really making sure that we understand the context around mobile adoption.
And for me, it really revolves around digital transformation.
This may seem to many of you like yesterday’s news, but our conversations with customers in the financial services sector really lately have been revolving around digital transformation. It seems to be hitting an accelerated stage of adoption, or maybe implementation.
And while mobile is just one component, it really seems to be one of the key drivers of digital transformation with fin. serv. companies.
All aspects of the industry are innovating. I think there are all new ways to make spending, managing, investing money easier to do than before. The impact on consumers is obvious. You can look at examples like Venmo and Apple Pay, and you really see more and more consumers moving to digital currencies, digital deposits, even digital investing.
And it’s really forcing, I think, the entire industry to rethink the concept of how you interact with your customer and everything that goes along with that.
Of course, digital transformation isn’t just about consumers, and if you boil digital transformation down to the essentials, there are really four key pillars that I think help show the impact this concept is having on all organizations across the sector — variety of sizes and kind of focus areas.
And I think these pillars also help us see the security risks that are brought on by digital transformation. And so if we look at these four key areas, I’ll highlight what the objectives are and very quickly where I think that there may be some risk. And what we’ll do from here is we’ll start talking about some of the key technology trends that are impacting mobility specifically.
So I think one of the key components of digital transformation is around employee empowerment. Employees really do need to be empowered to do their best work from anywhere at any time and specifically on any device, typically of their choosing.
Mobile technologies give workers freedom. It gives them a freedom to work seamlessly and from any device because it enables them to have access to the tools they need to get business done.
Of course, this new ability to access information from anywhere makes protecting your data wherever it goes a high priority, so you really need to start thinking about information that leaves a protected environment going out into the unprotected world, and you need to think of new ways to follow it and to make sure it’s protected as it’s in transit and as it’s in rest being used by your employees.
Another big aspect of digital transformation is around customer engagement. Obviously customers are expecting new levels of connections with businesses they partner with and purchase from as technology becomes even more integrated with our everyday lives.
Customers are expecting deeper personalization and they want to be able to connect with the business in ways that they haven’t done before.
I think this is where digital transformation really changes the game when it comes to risk assessments, because with all of this constant connection, personalized interaction, comes a need for more, kind of, respect around customer and consumer privacy.
And it also implies that there’s an incredible amount of, more of sensitive data that is being collected. It now needs to be managed and secured by teams that, quite frankly, are already stretched thin.
And as you start to think about new devices that they have to support, and even more databases of sensitive information that they have to protect, digital transformation starts to really show that there’s a strong security component that needs to be considered in order for it to be successful.
Moving on with our pillars, optimizing your existing business operations is obviously a very big part of digital transformation. You need to figure out where information is going to be stored. Your goal here is to ultimately reduce the cost and complexity of IT management. The move to the cloud is one of the things many organizations have done, they’ve already implemented it or they’re currently looking at, and financial services here is no different.
I do think that with financial services though, there’s a need to effectively manage risk and monitor regulatory compliance as you make moves that help you optimize your operations.
Obviously, introducing third parties, moving data out of an area that you control and into the cloud, is something that brings new forms of risk that the industry has not previously dealt with.
And last but not least, digital transformation is really about transforming the product and the services that you ultimately offer to your customers.
A big, big part of this is about data analytics, and making it so that your company has a better understanding of who you’re interacting with, your route to get to that customer, and across all of these pillars, what we really see is a strong need for data protection and security in order for your companies to be successful in your digital transformation program.
So risk management is really essential here.
And I think as we look at the trends that are impacting digital transformation, there are two key areas of technology that really stand out for me as we talk to customers.
And what they’ve adopted over the last two or three years, and they’ve really started to implement into the standard course of doing business, and these are probably fairly obvious to the group that’s on the phone here today, but the first is the expansion out from traditional compute devices, think desktops and laptops, into other form factors that are highly mobile and enable employees to access information on the go.
We already know, this happened two to three years ago, that mobile devices now make up the majority of internet traffic.
Key Technology Trends in Financial Services
I think what’s really interesting within financial services though, as you look at the broader adoption of mobile, it’s no longer just the c-suite or just executive management. You pretty much have entire organizations that are now enabled with mobility.
And within financial services there’s a really interesting trend. And the trend, I’ve got a stat here from Forrester, is that choice matters. And when it comes to choice with devices, we often see organizations choosing to let the employee choose their own device and bring their own device into the workplace.
This has great implications on security concerns as we get a little bit further down to the presentation, but let’s just talk about the reasons behind this. The first is obvious: it removes an equipment cost, so the organization doesn’t have to worry about purchasing a whole variety of different devices that employees want.
The second piece here is around legal liability. We actually know that if employees use mobile devices to carry out any illegal activities, like insider trading, it can be an issue if it is a work-owned device.
So IT teams that are starting to investigate BYOD are really trying to walk a fine line between protecting corporate data, as they enable those BYOD devices to access more applications, and respecting end-user privacy as they figure out what the right tools are to manage those devices without inspecting too much private content of their employees and their workforce.
The other side of the equation is around cloud applications. And we’ve already talked about there being a general shift towards the cloud computing model.
And I think for some of the traditional financial services incumbents, the cloud offers an infrastructure that’s agile, it helps you compete with nimble challengers, but it also brings a whole bunch of things to the forefront around compliance, legal issues with where the data is housed and maintained, that your teams now need to start to deal with.
Nevertheless, we see some really interesting trends. Forbes has a stat that by 2020, 83% of enterprise workloads will be in the cloud. What we see is financial services is probably around the 50% mark, and there are some forecasts that that will not change too much, that there’s going to be very much a multi-cloud, hybrid world that financial services firms live in for quite some time, where uber-sensitive data remains within the data center, and as you slowly relax policies, as you get your heads around some of the growing compliance, regulatory issues that are cropping up globally, more and more data will be moved out to either public cloud or private cloud.
And so being able to maintain operations across, really, all three of those different data stores does present a challenge to IT. It also makes connectivity from mobile interesting.
You need to start exploring what technologies will allow you to provide connectivity in a way that introduces the least amount of friction, but also provides you with the assurances that the data isn’t being compromised and is only being accessed by those who deserve it. And we’ll talk about that as we get a little bit further along in this presentation.
The regulatory challenges in this environment are second to none. I think the financial services industry is really, no doubt, one of the most highly regulated in the world. And as new technologies continue to emerge, governments are constantly adapting to figure out what they need to do from a legal perspective to make sure that the right data is protected in the right way.
And I think what we’ve seen over the last one to two years is a real focus on privacy, consumer privacy in particular. We saw GDPR really put a lot of pressure on global organizations to make sure that they understood where their data was housed, that they were taking the appropriate measures to protect it. And this was not just about customers of businesses, but also employees.
So privacy has really been at the forefront of conversations over the last one to two years, especially where now what we’re seeing is moving out of the EU over to North America. In the US we saw California come up with a privacy act, it was signed into law just last year in June. We saw the Gramm-Leach-Bliley Act, which is a federal law that was put into place. We’ve even seen about 20-plus different states come up with their own privacy-focused legislation.
And regarding our previous slide, where we were talking about cloud adoption, one of the things I’ve seen that’s really interesting is that in Europe, the European Data Protection Supervisor, the Information Commissioner’s Office, the European Banking Authority, they’ve all published guidance on the use of cloud service providers, with the EBA in particular focusing on guidelines for financial services.
So there are a ton of regulatory issues out there that your organizations need to understand and figure out how you can put that into practice, because we are seeing that just about every nation and international body is trying to figure out the best approach to protecting digital-centric economies.
And so regulatory compliance really becomes an important issue here as you move forward with your business.
An Industry in the Crosshairs
I think there are some really interesting stats that have come around in the last 12 to 18 months that really show financial services is really at the focal point when it comes to data protection and the impact that breaches are actually having on economies and even on individuals.
RPC, a London-headquartered law firm, did some research that showed that just last year, the frequency of data breaches that are being reported has increased significantly.
We saw in 2018 an increase of 480 percent of the reported data breaches coming from UK financial services firms. And to kind of couple with that, there was some work from Accenture, when they published their cybercrime study, that showed that the average annual cost of cybercrime for finserv firms amounted to a little over 18 million dollars.
So the cost is incredibly high on businesses, and the frequency of these attacks is increasing.
And, you know, I hate to call out individual brands, but I think it’s very helpful to look at some of the recent breaches and really the breadth of the impact that these breaches are having around the globe.
I think one of the really interesting ones that came out recently was around SunTrust Bank, where a former employee actually was responsible for stealing names, addresses, phone numbers, account balances, that impacted one and a half million customers.
We also saw that outside attackers, so it’s not just an insider problem, but outside attackers managed to gain access to Royal Bank Canada’s travel rewards website, stole payment card data that belonged to 66,000 customers. And hackers infiltrated HSBC’s infrastructure, we’ve seen some data just on the US impact, I don’t know what the full global reach is but here they stole names, addresses, contact information, birth dates, account information, transaction history.
It’s a huge amount of data that is out there now on the black market, available for anybody to purchase. The cost of these breaches on fin. serv. firms is high, but the reward for attackers who are successfully breaching these data stores is also incredibly high.
So there’s a big reward and an ROI, so there’s a certain motivation for attackers to be choosing financial services firms as targets, and I think what we really want to do moving forward is figure out ways that we can better lock down this data as it moves away from that kind of protected core of the perimeter and out into the broader internet.
So as we adopt cloud technologies, as we move more of the sensitive information out to mobile, what we really want to do is make sure that we’re taking the right steps to protect it as it’s out in the wild.
Considerations in Financial Services
There are a couple of key considerations that our customers are talking about specifically within financial services that I think is helpful to highlight, and maybe some of the things that will come out through the questions is kind of where your firm has concerns.
One of the things that we hear most often is a desire to protect sensitive data, anywhere it goes. We know that with the directive that came out within the EU, the Markets and Financial Instruments Directive, MiFID, that there is tighter regulation on how companies within the EU record interactions between companies and clients.
And so there’s, I think, a strong push to have monitoring capabilities for all phones and electronic communications, and our customers are interpreting that as including mobile as well.
So there are a couple of obvious areas here that mobile is immediately impacting, and that’s email and telephone calls.
Those are kind of the basics. But I think what’s interesting here about this new compute platform is that we have a whole bunch of additional challenges that come into play.
There’s the cloud and file storage apps that are built into these devices. I’ve seen in other industries, like in healthcare, where electronic medical record information is inadvertently stored into a public cloud service because of the way the phone was configured.
Similarly, within financial services, I’ve seen examples of the sensitive, protected, pre-IPO discussions occurring over text messaging, that was not kind of within IT compliance or regulatory compliance from a specific organization.
We’re even seeing tools like WhatsApp being utilized to handle really sensitive client exchanges.
And when you look at this list, the attack surface is expanding significantly, because we went from a very tightly contained set of applications that were being utilized on desktops and laptops, and as we expand it into these other devices, many of which are not even IT standardized, when you look at a BYOD environment, there’s an incredible amount of pooling that’s out there that organizations now need to get their heads around managing access to data.
And as we see digital transformation expand, one of the things I’m expecting to see is a broader use of what I’ll label as ‘line of business’ applications.
Right now, the majority of our customers are talking about applications that they are getting from the public app store, that have access to sensitive client data.
Where we know they are moving, over the next two to three years, is with the introduction of not just tens, but hundreds of custom internal applications that are built for specific tasks within the organization.
And so trying to figure out how you protect an email marketing application and a helpdesk application, which would have access to those internal databases, again hosted across a multi-cloud environment, is really, really challenging with today’s tool set, and hopefully some of the things that we’ll talk about in the next few slides will give you some ideas on how some of our customers are looking at protecting this data as it moves around this very kind of complex and changing world.
The other thing I’ll note very quickly is around ensuring consistent policy and access for all workers. I think all too often when we talk about digital transformation, when we talk about enabling a workforce, we automatically just think about the employee.
And not everyone performing work for an organization is a full-time employee.
We see a lot of temporary workers, we see a lot of specialized contractors, and we know that within fin. serv. that you rely heavily on these specialized workers who are not with the business at all times.
And what this means is that there’s a challenge around setting rules in place, monitoring who has access, and doing so in an environment where you may not have control of the device, and furthermore you may not be able to mandate certain management software be installed on that device.
And so being able to keep tabs on the different types of workers and maintain realistic access policies is something that we want to certainly enable in this new world moving forward.
The last thing I’ll note before we get into some of the numbers is around travel and the reality of financial services advisers, people who are on the road to talk to customers, who work in mortgage and loan management, etc. — we see lots of travel. Not just within a small little region, but also around the world.
And with this travel, we have a heightened awareness around the need for extra security around the utilization of public Wi-Fi.
So whether an employee or a worker is in a hotel or using a coffee shop Wi-Fi, that access to sensitive content, that data being brought down to the device over that infrastructure, presents a challenge for a lot of organizations, or at least a heightened awareness around a need to do something about that infrastructure that they have zero control over.
I think that there was some inherent trust previously with mobile devices that only use the 3G or 4G connection, but as we see more and more public Wi-Fi spring up, as we see 5G technology really enabling I think a fabric of connectivity, there’s more awareness around a need to watch for threats within the infrastructure.
And that’s really looking for essentially protocol attacks and hackers that have compromised the infrastructure directly to essentially spy on these communications.
Mobile Threats in Financial Services
And so when we look at data from our customers that have utilized our service over the last year plus, there are some interesting things that surfaced for us as we started to compare threat encounters within financial services with customers that are within other verticals.
And there are some clear takeaways here in terms of what organizations need to be doing around protection against the threats that really are starting to spike, specifically targeting mobile workers.
Mobile Phishing in Financial Services
First is around mobile phishing, and I’d say that mobile phishing in particular presents the number one threat to a mobile worker and a mobile business.
And the reason for this is that the mobile operating systems, they’re continuously improving, and what we’re seeing is that the human remains the weakest link.
Organizations, probably most of your organizations, have invested very, very heavily in phishing protection. But that phishing protection is limited to corporate email.
If you think about all the communication tools that are on a mobile device, you’ve got text messaging, you’ve got social media, you’ve got other ways of an attacker getting a link across to the employee that can be scripted to look very real. What we’re seeing is that more than half of financial services firms are actually encountering phishing events outside of email, close to 60 percent actually, whereas other industries are at about 42 percent.
What’s really interesting though is when you start to look at the by-device numbers. So we see that within financial services, we’re at about 4 percent of devices, or users in this case, encounter mobile phishing, whereas a little over 6 percent in other industries do.
What this tells me is that we have more targeted attacks occurring within financial services.
We are seeing more and more organizations being hit, but within those organizations it’s a select group of individuals typically, within the c-suite, typically people with heightened access to certain types of data.
And so mobile phishing I think is an area to continue to watch, there are some really interesting stats out there that suggest that about 69 percent of financial services companies recognize phishing and spearphishing is a meaningful threat against their organization. I can tell you it will only heighten from there when you start looking at mobile.
And we also know that there are some stats out there, which we’ve covered in our report, that show that financial services is significantly higher in terms of click rate where employees do action these links more than any other industry that has been surveyed.
Mobile Malware in Financial Services
I’ll move next into malware, I think malware is an area that most organizations are very, very concerned about when it comes to mobile.
There’s a very strong belief that there is a lot of malware out there that users can download from these app stores, and there are great examples out there.
Wandera in fact had discovered something about two years ago that we call ‘Red Drop.’
Very sophisticated piece of malware, 53 dropper apps that did everything from spying on the user to implementing blackmail. But when we look across the board, when we look globally at financial services organizations, and even other industries, less than 1 percent of organizations are actually being impacted by mobile malware.
Now this is not to say it’s not a problem, but it’s not as widespread as you might believe. In fact, there are far more samples of generic malware that’s been built and distributed for Windows platforms that are traditional within the enterprise than there has been for mobile.
And when we look at the device level, it doesn’t even raise a blip. We see next to zero percent of devices that are actually being impacted by mobile malware.
What this means is that there are very sophisticated samples that are out there, the ones that make the news tend to be very targeted, they have evasive characteristics, but broadly speaking, your mobile workers are unlikely to encounter a mobile malware in today’s environment.
Vulnerable Mobile Applications in Financial Services
One other thing that I wanted to mention as we’re kind of coming off of the discussion around malware, it’s the discussion of vulnerable applications.
These are applications like WhatsApp, which we saw just a couple of months ago, which have significant meaningful vulnerabilities that put data at meaningful risk, but were not built to be malicious.
This is an app that can be exploited, there are other examples that are out there, even iMessage just recently had a similar vulnerability that could be remotely exploited by an attacker to compromise the sandbox on iOS and steal data from the user.
The reason I mentioned vulnerable applications is that I think it’s important to look at them in the context of malware, to understand that there are bad apps that are out there that need to be effectively managed, and it’s also important to understand that when it comes to applications on most mobile platforms today, you are at the mercy of your users to force an update.
And so what I wanted to do is just show you one example with WhatsApp.
Looking back, this is earlier this year when the vulnerability was announced, I believe it was around the end of the first quarter, we had one customer that on one particular day had 5,000 vulnerable devices. These are 5,000 devices within their organization of about 6,000, that had not been updated after the news had hit.
What was interesting to me on this one particular day when I looked at the data, this was one week after the news cycle, so one week after we had still about 80% of the devices within this customer’s environment still vulnerable to attack.
And so I think vulnerable applications really highlight for us where we have some serious complications for IT professionals, because on most mobile platforms today, you don’t even have visibility into what application version is installed.
So what we want to talk about a little bit later, when we get to recommendations, is how you might be able to get a handle on this with some additional tooling if you don’t have it already.
Cryptojacking in Financial Services
So other data points around some of the financial services study that we did — cryptojacking, of course this is where the device downloads certain capability to do cryptomining, benefits the attacker, does nothing for you or your employee except drain the battery quickly and provide a very negative user experience on the device.
I think because of the nature of the attack and the way it’s delivered and the types of sites that it tends to be hosted on, we see financial services impacted pretty significantly here. Close to 30 percent of organizations have experienced a cryptojacking event just within the last year. And similar to our mobile phishing incidents, we see it being a select group of users.
About 1 percent of devices encounter cryptojacking, whereas a little over two and a half on other industry areas. This again is a threat that manifests itself very, very differently on mobile than it would on a traditional platform like a desktop or a laptop.
Man-in-the-Middle Attacks in Financial Services
The last stat I’ll talk about around actual attacks, and this is going to be one focusing on man-in-the-middle attacks and protocol attacks, essentially an attacker trying to take down your SSL encryption to spy on data.
Here we see the financial services firms, a little over a third of organizations are encountering man-in-the-middle attacks on a fairly regular basis, about 5 percent of devices, whereas in other industries it’s about a quarter of organizations and a smaller percentage of devices.
I have to say I’m not entirely surprised by this.
I think that financial services employees, you see a high number of incidents associated with man-in-the-middle attacks because we know that the financial services employees tend to travel more, and you are encouraged to utilize public Wi-Fi because of the cost of international roaming, so there’s that important trade-off that the business needs to have a discussion around, regarding how do you provide connectivity in a cost-effective way while not introducing too much risk that the business can’t adapt to.
Configuration Vulnerabilities in Financial Services
A couple of other stats just to round out our conversation here, these are numbers around configuration vulnerabilities, or issues that can be built into the device; they don’t necessarily represent an exploit or an organization under attack, but I think they’re helpful to understand how you may compare to your peers.
We see about a third of organizations within financial services using out-of-date operating systems.
A year ago this wouldn’t have concerned me much, but over the last six months we’ve seen a lot of issues make their way into mobile operating systems in particular, and we’ve seen this impact all flavors of mobile OSs. And so what we’re seeing is both iOS and Android and even some of the new mobile Windows 10 platforms being quite vulnerable to this.
Jailbroken devices used to be an issue. I don’t see it being as much of an issue anymore. I think that users have enough flexibility with the newest versions of the operating systems, operating systems have evolved to really control data access quite well, so we don’t see users really being driven to do jailbreaks as much as they were previously.
We do see users tempted by side-loaded applications though. These are applications that don’t come from the official app stores.
This is not typically about shadow IT, it’s about getting access often to pirated content, and this is an area that I advise a lot of our customers to pay close attention to, because this is where unnecessary risk often comes into the organization.
And then, last but not least, I’d be doing you a disservice if I didn’t talk about lock screens. It seems to be the most basic of security measures, you assume every device has a lock screen set.
We see about a third of financial services organizations having devices without a lock screen. And it can get close to 10 percent of devices in some cases. Oftentimes this is led by senior leadership and people follow, they want to have quick access to information.
It’s really important to have compliance policies in place to ensure that lock screen stays in place because it’s the easiest of the physical protections that you can put into place.
In the interest of time, I’m going to quickly go through the next set of recommendations. I’ll note that the report that we published goes into each one of these in greater detail.
One of the things that I’ll note up front is that when we go through our recommendations for financial services firms and we give guidance on best practices that we’ve seen from customers, we start with a couple of basics, this is a bit of pre-work before you go into implementing your mobile strategy and your mobile security solutions.
These typically begin with outlining requirements for what it is that you’re trying to achieve with your mobile use cases, specifically what are you trying to enable employees to access, what is your device ownership model.
I think it’s very, very important that organizations document this and evolve that documentation over time so it’s very clear what applications people will have access to over mobile and specifically what subgroups of workers will have access to sensitive data.
We also recommend customers define an acceptable use policy that incorporates mobile. All too often we see them ignoring the mobile component and assuming workers know what’s appropriate and not appropriate on mobile.
If you haven’t documented an AUP yet that is mobile-specific, highly, highly recommended.
As we get into some technical recommendations, I think that there are three key things that we want to try to call out here.
Moving from the statistics that we just reviewed, it’s really important that we look at some form of endpoint management so that all of these new devices that are coming into IT, that they have a way of being configured and standardized as they’re deployed out to workers.
We’ve even seen managed BYOD, so don’t think that management is only for corporate-liable devices.
We also see a lot of the more progressive and security-conscious organizations within financial services already having deployed Mobile Threat Defense. If you haven’t looked at it yet be sure to look and understand how Mobile Threat Defense complements endpoint management and adds a very essential security layer on top of device management to help protect you and your users and your applications from any form of outsider threat.
And just to give you a really quick overview of the Wandera solution, this is not meant to be a full in-depth review here of what our solution looks like, what you really want to do is think about mobile security in two components. Think about the endpoint and the types of things that you would do on any mobile device.
There are different kinds of policies that you may turn on for corporate-liable versus BYOD, but it’s really important that on the endpoint you understand what vulnerabilities might be exposed, what applications are there and do they present a risk to your organization, and the networks that the device is attaching to. Are they protected? Are they secured? Or could there be a man-in-the-middle attack?
We also encourage you to think very strongly about what the network would look like.
The Wandera solution includes an entire network suite that helps prevent access to zero-day phishing attacks, that prevents your users from accessing web threats like malware that they could download to their device. And your network suite should also provide benefits to the end user.
On the Wandera side, we actually help protect the privacy of their end-user by encrypting all their browsing habits so that infrastructure providers can’t build profiles and market to those employees and workers that you’re trying to protect.
From a manageability perspective, it’s important that Mobile Threat Defense tie in with your existing investments. Mobile Threat Defense can’t be a separate console that you manage entirely separately, because that would just require you to have additional staff.
On the Wandera side, we have very strong integrations with UEMs to make device management and lifecycle management very smooth, and SIEM to enable workflows with your security operations center.
And then also we do very strong compliance reporting, so that your IT teams can go into one report within RADAR and hand it off to your legal team who’s responsible for maintaining compliance documentation.
Beyond deploying the UEM and the MTD, I think what we also recommend for financial services firms in particular is to configure security policies to actually prevent threat. Don’t just think about monitoring, because the scaling to all of these new devices, we’re now at about three devices per user, and the events that they see is almost unscalable.
And just to give you a couple of examples of some of the things our customers are doing around policy, we’ve got an insurance firm on the service who has both Android and iOS devices.
They have a UEM, but they’re using Wandera to actually vet the applications that are being installed on the mobile devices, which allows them to control the different permissions the applications have and ensure that there’s no threat coming in with the connections that these applications are making out to the internet.
So you can build an entire workflow around application vetting that is manageable and allows you to have policies in place that ensure that no unapproved apps are being introduced into your environment.
We’ve also seen a lot of customers implement policies around mobile phishing.
Why circle back to a user after they’ve clicked on a link and lost their credentials when you can block them in the first place?
So many good examples of phishing — and by good I mean very compelling. These are actual screenshots of real mobile crafted phishing attacks that we have seen across our customer base. Top brands, we see Apple, Google, Facebook, Office 365, Salesforce and a lot of banking brands.
The attackers are not just after your corporate credentials, they’re after your users’ multi-factor credentials or the services that they utilize to get two-factor credentials sent to.
They’re also after personal banking credentials. We’ve been seeing some mobile banking malware crop up in certain geos just over the last couple of weeks, which I think is quite interesting and relevant to this audience.
And then finally, there are a number of customers with a global reach, in particular, who have executives that travel around the world, as we’ve discussed, and are very concerned about man-in-the-middle attacks.
I think one of the things that I can say here is that it’s important that you not just be able to detect man-in-the-middle attacks, but you’ve got a mitigation strategy.
With the Wandera service, what our customers are doing is they’re actually flipping on a service that ensures that anytime that there is a man-in-the-middle attack that’s detected, the connection is simply encrypted.
What that means is that your workers can continue to stay connected without the need to lose connectivity because of the detected presence of a threat.
And in this particular scenario that we’ve highlighted here it’s a global bank that’s activated the service for their executives. They actually have a hybrid model, so here they’ve got BYOD and COPE devices. COPE are managed by the UEM, the BYOD devices are not. There’s a certain reason within this environment why that’s the case. They are still able to deploy this technology and they’re still able to manage those policies centrally.
So something I highlight to think about for those organizations that haven’t adopted this technology yet, you can implement it in a way that spans different use cases, different ownership models, etc.
The last technical recommendation that we have for organizations that are deploying MTD, that have configured policy, is to then tie in that protection with your access policies.
And what that means quite simply is when you have data in the cloud that you want to keep protected, and you’ve already invested in a threat defense solution that sits on the mobile endpoint, why not tie those two things together?
And what that means in the Wandera world is that we’ll do a risk assessment of the endpoint.
We will prevent the threat when you’ve configured that policy. But should anything about that device cause the risk posture to change, when access is requested to that cloud resource, we can actually implement something called Conditional Access that prevents that device from having access until the risk is improved.
But what that means is that your teams, your IT teams, do not need to deal with each and every malware event on the endpoint. I’m sure you would love to, but you probably don’t have the capacity to do it.
The ability to continuously assess risk means that at the most critical moment, when malware is on the device, we’re able to prevent it from accessing the data that you care the most about.
This really changes the dynamics of the conversation. Instead of being endpoint focused, we’re now application and data focused, which I think is important to many of you, at least that’s what’s been expressed to us from our customers.
Finally, as we look at the technical recommendations and the pre-work that is recommended, the last thing I’ll note here is that it’s very very important to revisit all these recommendations and your decisions often.
Typically, what we like to see is organizations, about twice a year, just get in and make sure that you’ve got the right written policies in place, and that secondly, you’re implementing them correctly with the tool sets that you have available to you today.
So I think that brings me largely to the wrap-up section here, we’ve really gone through I think a number of the key drivers and the context that we’re seeing within the financial services sector.
We’ve gone through some of the data that’s come out of a real-world study, looking at specific customers within this vertical and the types of threats that they’re encountering. And we’ve gone through some recommendations.
Of course though, the full report is available on our website if you’d like to dig into that some more.
This is a good time to take some questions.
I saw one question come across, around: ‘What would I say are the biggest threats to businesses using mobile technologies for business communications?’
You know, there are a number of threats, and it would be unfair for me to just single one out, but the one that I do highlight and emphasize the most is mobile phishing. I think so many organizations feel as though they are protected because they’ve invested in a corporate email focused solution.
The thing you need to remember about mobile is that most organizations encourage end users and workers to really utilize that for both business and personal. Once you’ve done that, once you’ve allowed multiple communication tools to be on that device, you open up mobile phishing across a variety of vectors that you hadn’t previously considered.
The other area, the other threats that we tend to look at a lot, are around man-in-the-middle attacks, and I have another question here about that I believe, and we see organizations who really want to protect that data as it’s in transit to the mobile devices. And vulnerable applications. It’s not an area where there’s an outside threat necessarily, but it’s an area that could be exploited if you don’t keep it under control.
The question about the man-in-the-middle, looks like it’s a CISO who believes that they have issues with man-in-the-middle attacks, and they’re saying it’s challenging to scale to the number of risky hotspots that they believe are out there, they want to know if they should be forcing users to use cellular all the time. You know, I think this is a mindset that we see with a lot of customers prior to investing in a security solution for mobile.
If you don’t have anything on the endpoints and you’re not looking for man-in-the-middle attacks with a solution, I think you may want to make that recommendation to your users to avoid using public Wi-Fi. There are just too many unknowns out there in that unmanaged infrastructure.
But what that does is introduce significant cost, it means that they eat away at the data that’s been allocated to them or they incur unnecessary roaming costs. You can use public Wi-Fi responsibly, if you have the right tooling in place. And so I think that’s what we’re seeing from a lot of customers that are out there.
There’s another question here around data exfiltration, and I can tell you from the data that we didn’t present today, but data that I know from just looking at it recently within our platform, we see an incredible amount of command and control traffic and data exfil. attempts from mobile.
It’s really interesting, you would think that that data would imply a prevalence of malware. What it actually is is that apps that have opened up a channel for advertising that’s actually being used for command and control.
So the routes that the attackers are taking to the mobile device are actually quite clever, and through the right policy you can block those types of network connections. And so data exfiltration is something to be aware of and it is oftentimes tied to malware which is surprising.
I’ve got one more question here that I think we will run through and then we’ll call it at time, and this is around security policies for contractors without managed devices.
You know, I think the recommendation for me is to think of contractors and think of the users who do not have UEM installed on their endpoint, just treat them like BYOD.
You can offer them a security tool, like Mobile Threat Defense. If you configure policies like those that are available, with Wandera and our access management with Conditional Access, what you can do is actually tie the risk assessment of that device with the cloud access.
Meaning you get a security tool on the endpoint that ultimately is an enabler for the user to access the resources they need to get their job done.
So it really does start to change the conversation. You have workers around the tooling that’s on their device, security tools are not just about blocking and preventing them from having access to things that can actually be utilized to enable access to services that you, as a business, are trying to activate.
And I think with that we will call it a day.
I thank you for the time, and if you have any additional questions, please reach out to our team. We look forward to connecting with you again.