As Warren Buffet will tell you, you don't get rich by working hard for money. You have to let your money work hard for you, investing and keeping track of the funds well. Unfortunately, if your chosen investment or asset management firm lets employees use smartphones and other mobile devices (what modern firm wouldn't?), your money could be just a few clicks away from disappearing.
Many financial companies aren't managing mobile at all.
Mobile security company Wandera conducted a survey of 64 asset-management and investment companies, gathering data from roughly 25,000 corporate mobile devices. The company found that one of every six asset-management and investment firms don't even have an enterprise mobility management (EMM) solution in place. These plans focus on monitoring, controlling, and securing mobile devices and related technologies. Without them, workers might not have the support they need to complete tasks efficiently and competitively. But more importantly, the lack of EMM makes it significantly difficult for specialists within the firms to determine the extent of mobile threats and implement appropriate security measures to keep thieves away from your assets.
The names you know are used against you.
As you might expect, hackers are targeting Wall Street in part by taking advantage of brand recognition. They impersonate well-known companies to make you fall for phishing and similar schemes. Wandera found that the most frequently impersonated companies are Apple, PayPal, Facebook, Google, and Amazon. And a typical 100-device asset-management and investment firm gets hit with 53 phishing attacks every month, meaning half of all employees will have to deal with an attempt.
But don't just blame the hackers.
Employees themselves are creating trouble through compliance breaches, too. By accessing inappropriate content like gambling services on their mobile devices, workers run a high risk of infecting their devices with malware or connecting to phishing. A typical firm has about 99 attempts to access these kinds of sites every month, and Wandera notes that the line between personal and company use is especially blurred on mobile devices. Web browsers and apps like mail and social media lead data consumption, and much of this data usage comes from non-business tasks. The use of apps is disconcerting because many of those programs are designed with user-friendliness as the priority rather than security. The apps can leak personally identifiable information such as your email address, location, and credit card information and also leave workers susceptible to man-in-the-middle attacks. Sideloaded apps are particularly fun for hackers because there are no strict quality requirements regulating the availability of the apps. For every 100 devices, there are almost 1,000 connections to leaking sites and four MitM attacks each month.
Why are financial companies in such mobile security trouble?
Michael Covington, Wandera's VP of product strategy, points to general overconfidence as a big part of the problem.
"It's not uncommon for some organizations to start their mobility by thinking that they can go it alone. These organizations often buy into the myth that mobile devices are 'secure' out of the box. They're not. We have seen sufficient attacks against all of the major platforms (iOS, Android, Windows) and, as a result, no organization should feel safe buying a device and leaving the configuration and management of it entirely up to the user."
Another problem? A lack of well-defined acceptable use policies. Covington asserts that it doesn't take long for the lack of planning and management to result in a security incident that the company has to play out in front of the public.
Awareness means operational shifts.
Covington also says that, if customers were really aware of the security risks facing mobile users, it would lead to huge changes in the way IT teams operate. Mobility likely would be moved under security so experts could keep a better eye on the devices, and acceptable use policies would be enforced much more strictly. And as organizations accept that the bulk of company data travels over mobile networks, the industry would rethink how it layers defenses.
But how can we start securing ourselves and our assets on mobile right now? Covington says that the best place to start is looking at phishing, since that's what 90 percent of all cyberattacks begin with, and since users fall for phishing three times more on mobile than on desktops.
"Individuals need to be more vigilant with the links they click on and the information they part with while on a mobile device. Likewise, organizations that are enabling a mobile workforce need to combat phishing by looking beyond corporate email. The mobile device is a unified communications too, which provides access to multiple email accounts, instant messengers, SMS, MMS, social messengers like WhatsApp and LinkedIn, and more. Security conscious organizations must identify a solution that defends against phishing attacks across all of these threat vectors."
If you're concerned about the investment firm you use, speak up, ask questions, and get details. Smart investors look to understand all the risks they face, including ones from technology. Good companies won't hesitate to explain how they keep you safe in today's mobile world.