
Symantec Mobile Threat Report: One in Four Devices in Financial Services Isn’t Safe

You’d expect by now, well into technology’s cybersecurity age, we’d be numbed by new attacks, whether aimed at industries, platforms, companies or individuals. But luckily we’re not, nor should we be. Still, we may need continued prodding to change our behavior for the better.

Seemingly every day there’s word of another foray fired by malicious hackers exploiting one vulnerability or another. Fill a hole in the dyke, club a mole, and another bores in before the cement is dry or the dirt has settled. For cyber defenders, it must be simultaneously maddening and intriguing, an incessant challenge not unlike air traffic control. For the rest of us, thankfully there’s still shock value left to spare. Were we but onlookers, the vigilance required to rebuff the bombardment would no doubt elude us.

Financial Services: Missing Mobile Patches

Commanding the discourse are security providers. Now hear this, Symantec wrote in a new blog post: Some 25 percent of mobile devices used by financial services employees are absent the necessary patches to stitch vulnerabilities. The data comes from the vendor’s Q2 Mobile Threat Intelligence Report: Mobility and Finance, in which the company raises the very large issue of trust in our banking institutions.

It’s a potentially shattering question but that is the ultimate point of cybersecurity attacks, isn’t it? More than money, the fear that nothing is out of the reach of hackers haunts us. We have plenty of evidence: Adding to the pile, Symantec’s data showed that more than 15 percent of mobile devices used by financial service staffers have already been exposed to a malicious network, making a conducive setting for inserting malware and stealing information.

“Yet another way for your sensitive information to find its way onto the dark web,” wrote Brian Duckering, head of product marketing at Skycure, a mobile threat specialist Symantec bought in July.

Perhaps with good measure, Duckering roughs up financial services cyber protectors for a moment. “Security experts know all of this,” he wrote. “The financial institutions have to know all this. And yet, financial breaches not only continue, but have been found to be the costliest of any industry, with the average cost to the company coming in at $5.24 million (versus $4 million for companies in other industries).”

What exactly is our problem, he asks. It’s certainly not tolerance but it may be a lingering inertia, just a hair short of a malaise.

“Given the cost to the organization, the risk to both corporate and customer personal information, and the brand damage, the report posits that any cybersecurity breach of a financial institution is one too many,” Duckering said, pointing to a study last year conducted by OnePoll in which nearly nine in 10 people said they wouldn’t think too kindly about a company that hadn’t buttoned up their financial information as best it could.

“Imagine if a major bank had 87 percent (or even 20 percent) of its customer base leave on account of a security breach?” he wrote, suggesting perhaps they should. (Too bad that Equifax’s 145 million exposed accounts don’t belong to its actual customers but rather those whose records it is merely tasked with safeguarding.)

End User Challenges

Even with mobile device security patches regularly issued by operating system vendors Apple and Google, users and enterprises don’t often know the upgrades are available, Duckering said. “Some Android users may never get a notice for their device at all! Then it’s left up to the enterprise and its users to install those patches, which exacerbates this critical gap in mobile security.”

Here are some more concerning highlights (specific to financial services) from the study:

  • More than 13 percent of mobile devices are not running on the current major OS version.
  • Nearly all mobile devices may not be outfitted with the newest minor update.
  • Only five percent of iOS devices are not running the latest major OS version compared to 48 percent of Android devices.
  • In Q2, 26 percent of mobile devices were ready for an OS update but none had done so.

As for the institutions themselves:

  • Three in every one thousand devices have been infected with malware.
  • Of every hundred devices, 2.5 are not even protected with a pass code.

Nevertheless, cyber warfare is born and bred of attrition -- which side will wear the other down. “What we’re saying is: there is hope,” Duckering writes, pointing (yet again) to rules for every user to follow to “dramatically reduce the risk of mobile cyber attacks.”

  • Don’t click, install or connect to anything that you are not confident is safe.
  • Only install apps from reputable app stores.
  • Don’t perform sensitive work on your device while connected to a network you don’t trust.
  • Always update to the latest security patch as soon as it is available for your device.

It kind of makes you wonder if security pros are asking themselves: Is anybody out there listening?

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.