Following research conducted by IDC Financial Insights, Akamai Technologies Ltd has found a widening gap between IT and business in many UK financial services companies that poses grave operational and security risks for mobile and online services. This widening gap is an unintentional consequence of business decision-makers within financial institutions lobbying for new and enhanced digital services and being stonewalled by IT departments fearful of the growing security threat from mobile malware.
Commissioned by Akamai, the IDC Financial Insights White Paper published today, New Threats Demand Innovative Responses, describes a UK financial services sector still reeling from the aftershocks of the economic crisis. This sector recognises the need to evolve its product and service offerings in order to meet the needs of a customer base which is both increasingly diverse and demanding. Fundamental to this process is enhancing service channels, with a particular emphasis on making improvements to the user experience associated with online and mobile banking. The research advises that security must be integral to this process, as attack sophistication and volume increase.
Rich Bolstridge, Chief Strategist for Financial Services, Akamai, commented: “The proliferation of smart devices and investment in mobile networks have made mobile banking a realistic prospect for financial institutions looking for new ways to connect to customers and deliver services. Having invested in the front-end of online and mobile banking, however, institutions need to review how they protect themselves and their customers from the ever-present threat of fraudulent activity posed by increasingly sophisticated cyber attacks, and perhaps most significantly, from a proliferation of mobile malware.”
According to IDC, increasingly complex threats that coordinate desktop and mobile malware attacks to intercept user-sensitive authentication data are beginning to emerge. This is in line with the findings of Akamai’s latest State of the Internet report published in October 2011, which pinpointed the growing malware threat in the UK. It showed the largest quarterly increase (nearly 80%) in observed attack traffic from known mobile network providers.
Alex Kwiatkowski, Research Manager, EMEA Banking at IDC Financial Insights emphasised: “Mobile is a huge opportunity that is beginning to be realised this decade after a series of false dawns in the 2000s, with nearly all the UK’s retail banks launching mobile services in the last three years. But the 'enemy' is smart too, relishing this opportunity to attack from new ground.
“Banks are clearly aware of the threat posed by malware, but the extent to which this ‘awareness’ encompasses mobile is something of an unknown quantity. We have previously identified that banks are launching (and enhancing) new digital banking channels without a clearly defined IT strategy or budget from the onset (as such developments are frequently business-led and/or funded). An unfortunate consequence of taking this approach is the widening of the gap which has perennially existed between 'the business' on one side of the divide and IT on the other.”
This gap potentially means that the security implications of mobile may not be adequately addressed at the point of inception, and Akamai calls for institutions to review their business and IT plans to ensure they are more closely aligned.
Bolstridge added: “IT managers want to invest in security, but they are constrained by a lack of budget. Management teams feel they are faced with a brick wall in the form of IT colleagues who are seemingly reluctant to support the push for new digital channels. This gap only serves to magnify the already daunting risk posed by increasing security threats and must be overcome. In an industry where trust is at an all-time low, the failure of any one bank to provide total security for its mobile banking channel would be catastrophic.”
Akamai and IDC believe the following actions should be taken by financial institutions to help avoid unintentionally magnifying the risk:
● The IT security team needs to ensure that security strategies are reflective of business goals and strategic direction where the growth of the digital banking channel is concerned. This requires IT to be involved in the design and development of new products and services from the outset, particularly where newer interaction mechanisms – namely mobile and social – are involved.
● As a priority, banking IT security teams must become more knowledgeable regarding the threats posed by mobile malware. While the likelihood of attack is currently low, IDC Financial Insights believes this situation will change in 2012, as cyber criminals seek ways to exploit vulnerabilities in mobile OSs and develop more sophisticated methods by which to perform fraudulent activities.
● Banks should continue – or in some cases commence – to educate customers as to how they can identify fraudulent attempts to gain access to personal financial data (by means of phishing or smishing attacks). Historic fraud education methods have, in IDC’s opinion, often been found wanting. Interactive training, where banks simulate phishing and smishing attacks to ensure customers know what signs to look out for and how to react, offers a better alternative.
● If existing security technology suppliers are lagging behind in the provision of dedicated solutions to improve the robustness of the mobile channel, institutions should consider using specialist niche vendors who solely concentrate on innovations in mobile security.
● The IT department should seek ways to better engage with business-side users in order to obtain executive sponsorship (and budgetary contributions) for initiatives to improve digital banking security. Conversely, business-side users should not get ahead of their skis and consider launching new services or applications before they have been adequately assessed and signed off by IT security.
● Innovations in digital banking can still occur, provided they are underpinned by suitably innovative security solutions.
● With an increasing number of attacks expected through both PC and mobile devices, banks should plan their survival strategies accordingly. Ultimately it is far better to be over-prepared rather than woefully ill-equipped to deal with the consequences.
A full copy of the IDC report can be downloaded at: http://www.akamai.com/dl/whitepapers/IDC_Financial_Insights_...