Mobile Device Risk Management

With mobile device usage in financial institutions as a communication method for banks, customer and personal information have become an additional source of risk to your organizations.  

One of the first steps is to establish a mobile device management policy that will define security and compliance policies for all employees and bank-owned mobile devices. The devices should follow the Bank’s internal policies for authentication, i.e., strong passwords and encryption. With the potential for confidential and sensitive information to be on your employee or bank-owned mobile devices, banks should look at these devices as an extension of their internal network.

Bank management should disable options and applications on mobile devices that are not used. This will reduce risk by limiting the device to only necessary applications. Services that can open up a device to unauthorized access should also be disabled when not in use. 

There are four key areas of vulnerabilities, according to a mobile risk matrix, a framework for thinking about mobile threats and risks to bank data. The key vulnerabilities include; the mobile device, apps running on the device, the networks the device connects to, and the Web access and content on the device.

The first area of risk is the device vulnerabilities. There are published security bulletins that are consistently produced for IOS and Android that detail mobile firmware and operating system vulnerabilities and patches that are available for those vulnerabilities.

The second risk area is app vulnerabilities. Although app security controls have improved, there are still apps that contain security flaws, including apps from established software development companies. This can jeopardize the Bank, user, and potentially customer information. If employees decide to download their own apps, bypassing the approval and review by IT management, banks cannot control apps that are developed by people with no understanding of the enterprise’s risk tolerance.

Network vulnerabilities are the third area of vulnerabilities. These are software or hardware flaws in the network interfaces with the mobile device or applications on the device. Mobile devices use multiple networks that are accessible in the area of the device, so the devices have the potential to use hostile networks.  

Content vulnerabilities allow bad actors to use malformed content, such as photos and videos, to exploit a targeted app and/or operating system, allowing unauthorized access to a device and its data.

Mobile devices that are lost or stolen can become your Bank’s single most security and compliance vulnerability. Included in the Bank’s mobile device policy, there should be language to protect the Bank if a device is lost, stolen, or if an employee with a device is no longer employed by the Bank. This language would allow your Bank to wipe or erase data on a device that is Bank or customer related. 

The type of data wipe could be selective depending on whether the device is bank-owned or employee-owned. If a device is employee-owned, the Bank should be able to remove specific applications and files from the device without affecting an employee’s personal data, as long as the personal data is not stored in an application used for bank activities, such as email.

As mobile devices increasingly access sensitive data, banks may lack both visibility and control into new risks over this data, leading to data compromise. 

It is only through a financial institution’s understanding of mobile risk that they will be able to protect their organization’s mobile environment. 

Bank Information Technology departments must consider enterprise mobility. This should include the measurable business value and productivity increases for banks that manage their mobile infrastructure in a way that is as secure and compliant as all other Information Technology assets.