Mobile security that businesses can take to the bank – and beyond

Mobile phones are steadily displacing ATMs and branches as the preferred way that consumers interact with financial services. Two years ago, more than half of U.S. smartphone owners already were using mobile banking, and another 12 per cent planned to, according to a Federal Reserve survey.

Fast forward to today and we see Sweden moving towards a cash-free society as electronic payments have dethroned cash and day-to-day banking has moved online.

This trend is driving innovation in tools and best practices for ensuring that customers’ financial information stays protected, both at rest on the device and in motion over cellular or Wi-Fi. This innovation goes beyond benefiting just banks and financial services. Organisations in other verticals - from healthcare to retail to government - can apply these tools and practices to secure the public’s information and privacy.

For all verticals, it’s critical to recognise the threat to data security isn’t limited to customers’ smartphones, tablets and now wearables such as smart watches. Hackers also are targeting mobile devices used by employees. Whether it’s a device provided to the employee by the company or the employee’s personal mobile device used for work under a bring your own device (BYOD) policy, smart devices used for work can hold a treasure trove of sensitive corporate assets and customer data.

As a result, banks and other organisations need to develop security strategies that can be applied across all devices, regardless of who owns them: customers, employees or the company. The next step is to identify vertical- and jurisdiction-specific laws that create additional considerations.

For example, Securities and Exchange Commission regulations require financial services firms to archive communications regarding customer interactions and trades. Even if those laws didn’t exist, those firms would still want those capabilities as protection against, for example, clients who agree to buy a thousand shares and then deny having given that authorisation when the stock tanks the next day.

The enterprise also needs to recognise that security threats don’t just come from external hackers, malware or corporate espionage. Employees and contractors frequently expose the organisation to very real risks including data breaches, compromised patient or client confidentiality and misplaced or lost mobile devices. Often employees don’t understand the security risks of not protecting the device or being lax with security requirements. They aren’t bad employees. Quite the opposite; on-the-go employees tend to be the very people trying to maximise productivity and please their bosses.

Ensuring Security Measures

One security approach is to apply multi-factor authentication. Selective multi-factor authentication is an important safeguard for mobile apps and the resources behind them. Through a multi-factor authentication process, the organisation can protect access to the communications session with the server. This authenticated session acts as a trust anchor to allow verified access for communications between the server and the client.

Another way to take some of the security burden off the employee is through an interactive web-based portal which enables the IT Administrator to set and monitor security requirements. The admin portal acts as a secure, FIPS 140-2 validated online dispatcher allowing IT to manage communications from a centralised location. The console permits approved users to manage, track and audit all messages via any incoming channel including phone, email, app or console. The portal also enables remote wipe of the corporate data residing on the device if it is lost, stolen or compromised, or remote wipe after a set number of failed login attempts on the device.
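The two-factor session check and the failed-attempt wipe policy described above, as an added example that is not code from the original article or from CellTrust: the server keeps a per-device record, `Authenticate` checks a passcode plus an RFC 6238 TOTP code (the kind an authenticator app produces), issues a random session token as the trust anchor for the rest of the session, and marks the device for wipe after the administrator's limit of consecutive failures. The names `DeviceRecord`, `Policy` and `Authenticate`, the plain salted SHA-256 passcode hash and the one-step clock-drift window are all assumptions for illustration; a production service would use a slow KDF such as PBKDF2 or Argon2, persist the record and push the wipe command to the handset.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// totp computes an RFC 6238 six-digit code for the secret at the given Unix time
// (30-second step, HMAC-SHA1), matching what common authenticator apps display.
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// DeviceRecord is the server-side state the admin portal keeps per enrolled device.
type DeviceRecord struct {
	PasscodeHash   [32]byte // sha256(salt || passcode); a slow KDF belongs here in production
	Salt           []byte
	TOTPSecret     []byte
	FailedAttempts int
	Wiped          bool
}

// Policy holds the settings an administrator sets centrally in the portal.
type Policy struct {
	MaxFailedAttempts int // remote wipe fires when this many consecutive logins fail
}

var (
	ErrDenied = errors.New("authentication failed")
	ErrWiped  = errors.New("device wiped: corporate data removed")
)

// hashPasscode is the deliberately simple hash used for this demo record.
func hashPasscode(salt []byte, passcode string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), passcode...))
}

// NewDeviceRecord enrols a device with a passcode and a fresh 160-bit TOTP secret.
func NewDeviceRecord(passcode string) (*DeviceRecord, error) {
	salt, secret := make([]byte, 16), make([]byte, 20)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	return &DeviceRecord{PasscodeHash: hashPasscode(salt, passcode), Salt: salt, TOTPSecret: secret}, nil
}

// Authenticate checks both factors. On success it resets the failure counter and issues an
// opaque session token; on failure it counts the attempt and wipes once the limit is reached.
func Authenticate(rec *DeviceRecord, pol Policy, passcode, code string, now int64) (string, error) {
	if rec.Wiped {
		return "", ErrWiped
	}
	want := hashPasscode(rec.Salt, passcode)
	passOK := subtle.ConstantTimeCompare(want[:], rec.PasscodeHash[:]) == 1
	// Accept the current 30-second step and one step either side to tolerate clock drift.
	codeOK := false
	for _, skew := range []int64{-30, 0, 30} {
		if subtle.ConstantTimeCompare([]byte(totp(rec.TOTPSecret, now+skew)), []byte(code)) == 1 {
			codeOK = true
		}
	}
	if !(passOK && codeOK) {
		rec.FailedAttempts++
		if rec.FailedAttempts >= pol.MaxFailedAttempts {
			rec.Wiped = true // the portal would push the wipe command to the handset here
			return "", ErrWiped
		}
		return "", ErrDenied
	}
	rec.FailedAttempts = 0
	tok := make([]byte, 32)
	if _, err := rand.Read(tok); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(tok), nil
}

func main() {
	rec, err := NewDeviceRecord("482913")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	tok, err := Authenticate(rec, Policy{MaxFailedAttempts: 3}, "482913", totp(rec.TOTPSecret, now), now)
	fmt.Println(tok, err)
}
```

Both comparisons are constant-time so a wrong passcode and a wrong code are indistinguishable by timing, and the counter is reset only after a fully successful login, so an attacker cannot clear it by getting one factor right.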

With regard to the healthcare vertical, hospitals and physicians groups want the ability to archive communications, including internal ones, such as a doctor issuing instructions to a nurse. Healthcare providers also want encryption and other tools to support compliance with the Health Insurance Portability and Accountability Act (HIPAA). Real-time secure mobile communications can also be leveraged to improve collaboration between physician care teams which helps drive better patient outcomes.

What Makes an Ideal EMM Solution?

Regardless of the vertical and who owns the device, most organisations now have an enterprise mobility management (EMM) platform, a category that includes mobile device management (MDM) and mobile application management (MAM) products.

These tools are useful for remotely wiping lost or stolen devices and pushing out security patches instead of relying on employees or customers to download them. They’re also must-haves for supporting compliance with requirements such as Federal Information Processing Standards (FIPS), the Freedom of Information Act, HIPAA and Common Criteria.

For organisations that need to archive internal or customer-facing communications, an EMM solution also should provide an application programming interface (API) to enable connections to third-party storage companies. The ideal EMM solution goes a step further: Instead of providing a single, generic API, the EMM vendor works with multiple storage providers to create a unique API for each one. That selection is key because storage providers don’t all handle traffic the same way, so a one-size-fits-all API often doesn’t work. With provider-specific APIs, organisations can be confident that important data won’t get lost and that their IT staffs won’t be constantly tinkering to make things work.

The EMM container should include a robust selection of integrated third-party apps. For example, if the EMM platform only secures email or short-term archiving, then organisations should select an EMM that has solid partnerships and integrations with other app vendors which can bring secure voice calls, text messaging and long-term archiving to the overall solution.

Flexibility is equally important for accommodating a wide variety of mobile operating systems; not just major incumbents such as Android and iOS, but also emerging ones for wearables, such as Tizen, and niche OSs such as BlackBerry. When organisations have an EMM solution that can support a wide variety of OSs, they have the flexibility to accommodate sudden changes in customer and employee preferences. For example, look at how quickly BYOD and the iPhone ended BlackBerry’s dominance in the enterprise market. That won’t be the last dethroning, and a highly flexible EMM solution ensures that organisations can handle whatever the marketplace dictates.

The ideal EMM solution also uses embedded certificates to manage device and end-user identities instead of relying entirely on TLS and HTTPS. But certificate authorities can be difficult to deal with, so the EMM solution should enable organisations to manage certificates and keys within the confines of an app instead of having to work with an authority.
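Certificate-based device identity managed by the organisation itself, as an added example that is not code from the original article or from CellTrust: an in-house issuing authority (`OrgCA`, assumed to live inside the EMM service) signs a short-lived client certificate for each enrolled handset, the private key is generated on the device and never leaves it, and `VerifyDevice` is the server-side check that the presented certificate chains to that root, is within its validity window and is marked for client authentication. All type and function names, the P-256 keys and the 30-day device-certificate lifetime are assumptions for illustration; in practice the certificate would be presented during the mutual-TLS handshake rather than passed to a function.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// OrgCA is an issuing authority the organisation runs itself, so enrolling a device never
// has to go through a public certificate authority.
type OrgCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewOrgCA creates a self-signed root valid for ten years from now.
func NewOrgCA(name string, now time.Time) (*OrgCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &OrgCA{Cert: cert, Key: key}, nil
}

// IssueDeviceCert enrols one handset. The private key is generated on (and stays on) the
// device; the organisation signs a 30-day client certificate naming the device and its user.
func (ca *OrgCA) IssueDeviceCert(deviceID, user string, serial int64, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID, OrganizationalUnit: []string{user}},
		NotBefore:    now,
		NotAfter:     now.Add(30 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// VerifyDevice is the server-side check on each connection: the presented certificate must
// chain to the organisation's own root, be valid at the time of the request and be marked
// for client authentication. It returns the device identity the server may now trust.
func VerifyDevice(ca *OrgCA, presented *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return presented.Subject.CommonName, nil
}

func main() {
	now := time.Now()
	ca, err := NewOrgCA("Example Bank Device CA", now) // constructed name
	if err != nil {
		panic(err)
	}
	cert, _, err := ca.IssueDeviceCert("device-0001", "alice", 2, now) // constructed identities
	if err != nil {
		panic(err)
	}
	id, err := VerifyDevice(ca, cert, now.Add(time.Hour))
	fmt.Println(id, err)
}
```

Because the root is private to the organisation, a certificate from any other authority is rejected outright, and the short lifetime means a lost device's credential expires on its own even if revocation never reaches it.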

A Dual Persona Approach

Organisations that have or are considering BYOD should take a “dual persona” architecture into account. On the device, there’s one persona for all work-related apps and communications, and another for all personal apps and communications. This separation enables organisations to apply policies only to the work persona on an employee-owned device, such as archiving only client-customer text messages.

This architecture also enables organisations to secure, for example, work-related text messages and emails so they can be viewed only by authorised parties.

Personas also are an ideal way to ensure security and compliance while respecting employee privacy, which is key for encouraging employees to participate in BYOD programs. Personas eliminate employee concerns about having their personal calls, messages, browsing and emails swept into the same archive as their work communications. Left unaddressed, those concerns can prompt noncompliance that drags work-related communications, files and other data out of archiving’s and security’s reach. Personas also restrict remote wipe to the business communications on the device, leaving the employee’s personal photos, messages, voice calls, apps and more untouched.

To maximise personas’ security, the EMM solution should use encryption to create a protected container in the mobile device’s otherwise unsecured memory. It also should provide a secure tunnel in and out of that container so work data is protected in motion, too, rather than only when at rest.
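The encrypted work container, persona-scoped archiving and persona-scoped remote wipe from the preceding paragraphs, as an added example that is not code from the original article or from CellTrust: the work persona's items are sealed with AES-256-GCM under a container key the EMM controls, personal items sit beside them in the clear, only work items are exported to the archive, and a remote wipe destroys the key so the work persona becomes unreadable while personal data is untouched. The `Device` and `Persona` types, the in-memory maps and the sample item names are assumptions for illustration; on a real handset the key would be held in hardware-backed storage and the blobs in the app's sandboxed files.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Persona names one of the two profiles on an employee-owned handset.
type Persona string

const (
	Work     Persona = "work"
	Personal Persona = "personal"
)

// Device models what sits in the handset's ordinary, unprotected storage: personal items in
// the clear, and the work persona as AES-256-GCM sealed blobs whose key the EMM controls.
type Device struct {
	Personal   map[string]string // constructed sample personal data (photos, SMS, ...)
	workSealed map[string][]byte // item name -> nonce || ciphertext || tag
	workKey    []byte            // container key; nil once the work persona is wiped
}

var ErrWorkUnavailable = errors.New("work persona is not available on this device")

// NewDevice provisions a fresh 256-bit container key for the work persona.
func NewDevice() (*Device, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Device{Personal: map[string]string{}, workSealed: map[string][]byte{}, workKey: key}, nil
}

func (d *Device) gcm() (cipher.AEAD, error) {
	if d.workKey == nil {
		return nil, ErrWorkUnavailable
	}
	block, err := aes.NewCipher(d.workKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store writes an item into a persona; only work items are sealed.
func (d *Device) Store(p Persona, name, value string) error {
	if p == Personal {
		d.Personal[name] = value
		return nil
	}
	g, err := d.gcm()
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The item name is bound as associated data, so a sealed blob cannot be moved between items.
	d.workSealed[name] = g.Seal(nonce, nonce, []byte(value), []byte(name))
	return nil
}

// Read returns an item; work items are readable only while the container key exists.
func (d *Device) Read(p Persona, name string) (string, error) {
	if p == Personal {
		if v, ok := d.Personal[name]; ok {
			return v, nil
		}
		return "", fmt.Errorf("no personal item %q", name)
	}
	g, err := d.gcm()
	if err != nil {
		return "", err
	}
	blob, ok := d.workSealed[name]
	if !ok || len(blob) < g.NonceSize() {
		return "", fmt.Errorf("no work item %q", name)
	}
	ns := g.NonceSize()
	plain, err := g.Open(nil, blob[:ns], blob[ns:], []byte(name))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// ExportForArchive hands the organisation's archive the work persona's items only.
func (d *Device) ExportForArchive() (map[string]string, error) {
	out := map[string]string{}
	for name := range d.workSealed {
		v, err := d.Read(Work, name)
		if err != nil {
			return nil, err
		}
		out[name] = v
	}
	return out, nil
}

// RemoteWipe destroys the container key and drops the sealed blobs. Copies of the blobs that
// linger in flash are unreadable without the key; the personal persona is untouched.
func (d *Device) RemoteWipe() {
	for i := range d.workKey {
		d.workKey[i] = 0
	}
	d.workKey = nil
	d.workSealed = map[string][]byte{}
}

func main() {
	d, err := NewDevice()
	if err != nil {
		panic(err)
	}
	_ = d.Store(Personal, "photo", "beach.jpg")                  // constructed sample
	_ = d.Store(Work, "sms", "client: buy 1000 shares of XYZ") // constructed sample
	d.RemoteWipe()
	_, workErr := d.Read(Work, "sms")
	photo, _ := d.Read(Personal, "photo")
	fmt.Println(workErr, photo)
}
```

Destroying the key rather than scrubbing every copy of the data is what makes a selective wipe reliable on flash storage, where overwritten blocks are not guaranteed to be gone; the same property lets the organisation treat the work persona as gone the moment the key is discarded.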

Personas also can be paired with multi-factor authentication to secure single sign-on. A common example is a BYOD user who needs to access multiple enterprise apps on their device. Instead of requiring the employee to log into every app they need for work, the employee would sign in once with a passcode and fingerprint scan. Then the device would automatically load the right persona profile.

Finally, don’t overlook the importance of phone calls when choosing an EMM solution. With BYOD, employees own not only their device, but also the phone number associated with it. So when those employees leave, calls and SMS messages to their numbers go with them, along with valuable customer contacts.

The ideal mobile solution can assign a second, work-only number to employee-owned smartphones to clearly separate business and personal mobile communications. When those employees leave, those numbers and customer contacts stay with the organisation that issued them. Personas play a role here, too, by enabling the organisation to record and archive only work-related calls and SMS messages.

Mobile technology ultimately is a set of challenges and opportunities for banks and other organisations. Choosing the right EMM solution along with the right mobile app technology is critical for mitigating security risks while providing a customer- and employee-friendly experience that encourages BYOD participation and use of the organisation’s mobile apps.

Brian Panicko, Senior Vice President of Global Sales Strategy, CellTrust
