In an era where cyber threats are evolving at an alarming pace, the role of a Chief Information Security Officer (CISO) has never been more critical. Today, CISOs are the guardians of an organization’s digital assets, and in this role, they face a very daunting task — they’re being called to protect sensitive data, maintain customer trust and ensure business continuity without introducing friction. In the case of banks and financial institutions, this trove of data becomes all the more critical to protect.
The mobile threat is twofold: CISOs must secure their enterprise's mobile apps and mobile devices accessing the enterprise. With the rise of mobile banking applications, money-motivated cyber criminals are realizing the potential payoff of targeting traditional and emerging fintech and trading apps. Recent research from Zimperium discovered that traditional banking apps accounted for 61% of the apps targeted by 29 specific banking trojans in 2023, while the other 39% accounted for emerging fintech and trading apps. With enterprises allowing more access than ever on personal devices, the organization's attack surface continues to expand making mobile devices a hotbed for destructive cyberattacks. In fact, Zimperium’s Global Mobile Threat Report 2023 showed a 187% year-over-year increase in the number of compromised mobile devices.
With an ever-evolving mobile threat landscape, CISOs need to establish a mobile-first security strategy to navigate these turbulent waters successfully. This article highlights the top four practices CISOs should prioritize in their mobile strategies, zeroing in on how security chiefs at banking institutions and financial services companies can stay ahead of mobile threats.
Identify where the organization is most vulnerable
It’s always essential to clearly understand the risks, threats and attacks happening across the organization’s mobile device and application footprint. Too often, teams are unaware of a breach until they are notified, either by a customer, a law enforcement agency or a criminal seeking ransom.
CISOs face large and rapidly growing vulnerability gaps as the mobile attack surface expands. Employees’ mobile devices must be secured, or organizations’ systems and assets will increasingly be exposed to cyber threats. The same can also be said for the mobile applications on employee and customer devices. In 2023, Zimperium’s zLabs Research Team discovered 10 new active banking malware families targeting banking applications. The 19 adversaries who persisted from 2022 also revealed new capabilities that show a relentless pursuit of financial exploitation.
CISOs must enable on-device threat visibility across various threat vectors — including device, network, application and phishing — allowing for active identification and real-time reporting. This gives enterprises access to employee devices and the ability to employ threat modeling to build secure and compliant mobile applications.
By operating in a known state, CISOs and their security teams can more easily catch configuration issues, vulnerabilities, irregularities in security protocols and user behavior within their organization.
Protection where it matters
In the context of mobile security, it's essential to recognize that threats frequently originate on the device. From both the mobile device and application perspectives, threats typically arise due to vulnerabilities in the system or software. Regarding apps, risks are inadvertently introduced during development but are exploited once the app is published.
This situation necessitates CISOs to establish a comprehensive on-device security strategy. Upon detection of a threat, on-device protection measures enable immediate notification and response actions to mitigate the threat. These capabilities allow CISOs and their teams to start developing defenses aligned with the nature of mobile threats.
Keeping up with regulation
Banks, financial institutions and emerging fintech companies are dealing with a barrage of upcoming regulations concerning data privacy and data protection, not only at the state and federal level in the United States, but also in a dizzying number of jurisdictions around the world. Reserve banks globally are issuing prescriptive guidance to help secure mobile banking applications against malware and mobile threats eroding customer trust in financial systems.
CISOs must be aware of all compliance regulations affecting the organization, including current and pending mandates, to ensure the organization’s security program meets these requirements while protecting sensitive data. Failing to do so can result in penalties and fines for the organization and damage to the CISO’s personal reputation.
CISOs should invest in automated app security testing solutions that help them identify areas of non-compliance with various security and privacy regulations. By integrating these solutions, digital, security and compliance teams can collaborate and ensure compliance before releasing mobile applications.
Choose an autonomous approach
Lastly, choosing security solutions that can adapt and keep up with the evolving mobile threat landscape is critical for sustained effectiveness.
For CISOs prioritizing mobile security solutions, it's paramount to have mobile security solutions that are reactive and proactive, with the agility to adapt to new threats as they evolve. The dynamic nature of mobile device and app security threats requires a strategy that anticipates future challenges, ensuring long-term protection. Emphasizing the need for solutions integrating AI and autonomous updates is critical in staying ahead of sophisticated threats, like banking trojans and zero-day exploits. This approach enables proactive defense mechanisms, continuous monitoring and immediate response to threats without manual intervention to keep security up-to-date.
As the digital landscape, specifically around mobile, continues to be complex and volatile, CISOs today face the formidable challenge of safeguarding their organizations against a barrage of cyber threats. By employing the four practices outlined above, CISOs can start to leverage the benefits of mobile devices and apps while feeling confident that their assets are protected.