| Executives May 6, 2021
May 6, 2021
By Hank Schless
As guardians of valuable monetary assets and highly sensitive data, financial institutions are the perfect target for cybercriminals. According to IBM, the financial services sector was the number one target of cyberattacks in 2020 among all industries. This means these organizations continue to be challenged and invest heavily in both people and technology to make sure they can withstand attacks of any type.
But sometimes the challenges become more complex as the environment changes. That’s exactly what’s happened over the course of the pandemic. A hybrid work model is a strong reality for the foreseeable future. In fact, some of the world’s largest banks have indicated that they will require at least some of their workers to return to the office this summer.
As some workers return full time, some phase in slowly, and others stay fully remote, employees will be handling sensitive financial information of clients without the guarantee of protection from the corporate office’s perimeter security. Also, as consumers, we became almost entirely reliant on mobile devices to get things done, including managing our finances.
To better understand how the financial industry reacted to this digital shift, I took a deep dive into the tens of millions of device, app and phishing threat data in the Lookout Security Graph. To get a full rundown of what I uncovered, take a look at the Financial Services Threat Report.
Despite a 50 percent increase in mobile device management (MDM) adoption, average quarterly exposure to phishing rose by 125 percent and malware and app risk exposure increased by over five times.
While it may seem encouraging that the financial industry increased the use of device management by 50 percent, this is a false sense of security.
Mobile device management (MDM) only enables organizations to push basic application and access management policies to employee devices. But as the phishing and app risk numbers indicate, the MDM is not protecting the devices from these risks and can not replace security. This is especially apparent as your workers continue to work away from the office and may be using personal devices to stay productive from anywhere. In this environment, you no longer control the device, the network or even the software.
It’s not just the location of our workplace that has changed, how we live our lives have also shifted. As most of us juggle between life responsibilities and staying productive at work, we have turned to our smartphones and tablets as the heart of managing our lives.
It’s within this context that I uncovered the 125-percent increase in the average quarterly mobile phishing exposure rate of financial organizations. I’m not really surprised. Now more than ever, we communicate with colleagues and handle data using mobile devices, which has resulted in a blurred line between when a device is used for work and when it’s used for personal reasons. We have fully turned to mobile apps to shop, pay bills and manage investments. Cyber criminals know this, and they are targeting us on the devices we use most.
The rapid shift to mobile means as workers and consumers, we put a lot of trust in these devices. For example, we’re used to SMS notifications about account verifications, upcoming appointments and package deliveries. But this means we’re also more susceptible to social engineering attacks that take advantage of that comfort level to trick us into giving up login credentials or installing malicious apps.
My other major discovery was related to mobile apps. I found that financial organizations saw a five-times increase in the average quarterly exposure rate to malicious and risky apps. There are two parts to this: the increase in prominence of vulnerabilities and the rise in Malware as a Service (MaaS).
Let me address risky apps first. Similar to my colleague Steve Banda’s conclusion regarding app risks in the U.S. public sector, I found that app vulnerabilities are becoming increasingly noted and exploited. The huge spike in encounters is partly due to the cybersecurity industry’s recognition that software development kits (SDKs) can increase risks. With so much at their disposal, it’s uncommon for a developer to build an app from scratch. This means vulnerabilities or risky data handling practices within a single SDK could be unknowingly integrated into dozens or even hundreds of apps.
The second issue related to apps is due to the rise of MaaS. Much like how we use countless Software as a Service (SaaS) or Infrastructure as a Service (IaaS) platforms, MaaS makes it easy to set up and customize malware. I recently wrote about a banking trojan that’s built on this model called FluBot where I take a deeper dive into the issue. But the gist is that MaaS is a generally cheaper option that makes it very easy for threat actors to launch a campaign that can be configured to target specific financial services organizations and their customers.
As hybrid work sets in as the longer-term reality and we continue to rely on mobile devices to manage our work and personal lives, we’re primed to get targeted by phishing attacks and malware. Attackers are taking advantage of the inherent trust we put in these devices. Combine that with how inexpensive it is for them to spin up a targeted malware campaign, and you have the perfect threat storm.
What we also need to keep in mind is that the threat landscape has also changed. With employees now working everywhere, using devices, networks or even software your IT department doesn’t control, you have lost control of how much of your data is accessed, handled and transferred.
MDM does not give you real time visibility into the threats you’re faced with. It also does not secure your data, especially as it now needs to travel to wherever it’s needed. With the countless apps you now own, from data centers to the cloud, your organization is exposed to an expanding breadth of attacks, such as ransomware and insider threats.
If you want to continue to learn more about the financial threat landscape, take a look at my full report.
To ensure your organization stays has the visibility and the ability to control access, you need an integrated solution that can secure your data from endpoint to cloud. Check out the Lookout Secure Access Service Edge (SASE) solution page to learn more.
Hank Schless Senior Manager, Security Solutions