Evan McDonnell

5 Enterprise Mobile Security Tips for Financial Firms

With financial firms everywhere rolling out mobile apps for customers and internal employees, here are five security requirements every firm must follow.

Financial firms are increasingly using the mobile environment for applications to serve their clientele better. Modern work platforms enable financial applications to be developed quickly for optimal collaboration and peak customer experience.

For example, CME Group, the world's leading derivatives marketplace, needed to automate workflows, improve end-to-end visibility, and enable continuous improvement. It applied a modern work platform to create applications, consolidating processes while leveraging mobile for improved access and shorter response times.

At a more local level, the Bank of Tennessee has created mobile applications to enable its loan officers to process mortgages wherever it's most convenient for its customers -- enabling this community bank to level the playing field with the big boys.

As useful as mobile-enabled applications can be for the financial services industry, adding mobility can pose serious concerns for enterprise IT, particularly in terms of security.

Financial industry leaders must ensure their mobile-enhanced applications comply with a variety of security requirements. The five most important requirements are:

  1. Secure network communication
  2. Secure local data storage
  3. Protection against malware
  4. Secure authentication
  5. Remote disablement

Let's look in closer detail at each requirement and what you need to keep in mind.

Secure network communication
Make certain that all communication between client devices and servers is transmitted over HTTPS with SSL/TLS encryption. HTTPS is the industry standard for secure web communication between devices. Restricting connections to servers that present a trusted SSL certificate ensures that unauthorized parties cannot gain access. Address any exposure to the Heartbleed bug; fortunately, the vulnerability is limited to OpenSSL version 1.0.1 and the 1.0.2 beta releases.

Also, consider configuring mobile applications to work with a secure virtual private network (VPN) connection from the mobile device. This will allow clients to establish a secure connection to systems behind the enterprise firewall, and it ensures that your servers will not be directly accessible from the public Internet.
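To make the "trusted certificates only" requirement concrete, here is an added example (not code from the article or from Appian) of a mobile client's TLS settings in Go: the weak configuration that silently accepts any certificate, beside a hardened one that trusts only the enterprise CA pool, requires TLS 1.2 or later, and pins the server's public key on top of hostname verification. The host name `api.example-bank.invalid`, the placeholder pin value, and the `configIsSafe` policy check are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// pinnedSPKIHashes lists base64(SHA-256(SubjectPublicKeyInfo)) for the keys the
// app is allowed to talk to. The value below is a constructed placeholder; a real
// client ships the pins of its own API endpoints plus a backup key.
var pinnedSPKIHashes = map[string]bool{
	"PLACEHOLDER_PIN_FOR_api.example-bank.invalid": true,
}

// spkiPin computes a certificate's public-key pin in the form used above.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPins runs after Go's normal chain and hostname verification succeeds.
// It rejects the connection unless some certificate in a verified chain carries a
// pinned key, so a mis-issued but otherwise valid certificate is not enough.
func verifyPins(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		for _, chain := range chains {
			for _, cert := range chain {
				if pins[spkiPin(cert)] {
					return nil
				}
			}
		}
		return errors.New("tls: no certificate in the verified chain matches a pinned key")
	}
}

// insecureClientConfig is the weak setting that often ships under deadline
// pressure: certificate checking is switched off, so any server presenting any
// certificate is accepted and an intercepting proxy sees the traffic.
func insecureClientConfig() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// hardenedClientConfig trusts only the supplied CA pool (for example the
// enterprise's own CA rather than every root in the device store), requires
// TLS 1.2 or later, and layers key pinning on top of hostname verification.
func hardenedClientConfig(serverName string, roots *x509.CertPool, pins map[string]bool) *tls.Config {
	return &tls.Config{
		ServerName:            serverName,
		RootCAs:               roots,
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: verifyPins(pins),
	}
}

// configIsSafe is a policy check a build pipeline can run over the client's
// TLS settings before the app is released.
func configIsSafe(c *tls.Config) bool {
	return !c.InsecureSkipVerify && c.MinVersion >= tls.VersionTLS12 && c.VerifyPeerCertificate != nil
}

func main() {
	hardened := hardenedClientConfig("api.example-bank.invalid", x509.NewCertPool(), pinnedSPKIHashes)
	fmt.Println("insecure config passes policy:", configIsSafe(insecureClientConfig()))
	fmt.Println("hardened config passes policy:", configIsSafe(hardened))
	// With an empty pool every handshake fails: that is the intended fail-closed
	// behaviour until the enterprise CA is loaded with roots.AppendCertsFromPEM.
}
```

Pinning the public key rather than the whole certificate lets the server rotate certificates under the same key without an app update, and the `verifyPins` callback only ever runs after the standard chain and hostname checks, so it tightens verification rather than replacing it.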

Secure authentication
Authentication from mobile devices must be handled on the server side to ensure that a central administrator maintains control of this aspect of security. Authentication architecture must be easily integrated with your corporate LDAP or SSO authentication servers.

Secure local data storage
It goes almost without saying that server location and user ID information on each mobile device must be encrypted. Documents downloaded to the mobile device must also be stored locally in an encrypted format.

Don't allow enterprise data to be stored on mobile devices; instead, make it deliverable on demand to the user via a secure network communication. By storing only the minimum amount of data required for local processing, using local encryption, and using secure network communication for all other data, you maximize enterprise data security.
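The two storage rules above (encrypt whatever must sit on the device, and keep that to a minimum) can be shown in a small Go component. This is an added example, not code from the article or from Appian: an on-device document store that holds only AES-256-GCM ciphertext, binds each blob to its document id so it cannot be swapped under another record, rejects any tampered bytes, and exposes a `Wipe` used on logout or when data is no longer needed locally. The key is assumed to come from the platform keystore; `NewRandomKey` and the sample mortgage document are constructed stand-ins.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// LocalStore holds downloaded documents on the device only as AES-256-GCM
// ciphertext. The key is assumed to come from the platform keystore (ideally
// hardware-backed) and never to be written to the file system; NewRandomKey
// stands in for that here.
type LocalStore struct {
	aead  cipher.AEAD
	blobs map[string][]byte // document id -> nonce || ciphertext, as written to disk
}

func NewRandomKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func NewLocalStore(key []byte) (*LocalStore, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &LocalStore{aead: aead, blobs: make(map[string][]byte)}, nil
}

// Put encrypts one document under a fresh random nonce. The document id is bound
// in as associated data, so a blob copied under another id fails to open.
func (s *LocalStore) Put(id string, plaintext []byte) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	s.blobs[id] = s.aead.Seal(nonce, nonce, plaintext, []byte(id))
	return nil
}

// Get decrypts and authenticates a document; any modification of the stored
// bytes, or a blob moved under another id, is rejected rather than returned.
func (s *LocalStore) Get(id string) ([]byte, error) {
	blob, ok := s.blobs[id]
	if !ok {
		return nil, errors.New("localstore: no such document")
	}
	n := s.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("localstore: corrupt blob")
	}
	return s.aead.Open(nil, blob[:n], blob[n:], []byte(id))
}

// Load re-attaches a blob read back from disk (or from a backup) to an id.
func (s *LocalStore) Load(id string, blob []byte) { s.blobs[id] = blob }

// RawBlob is what someone reading the device's storage would see for this id.
func (s *LocalStore) RawBlob(id string) []byte { return s.blobs[id] }

// Wipe drops everything: used on logout, on a remote-disable command, or as soon
// as a document is no longer needed locally (keep the minimum, fetch on demand).
func (s *LocalStore) Wipe() { s.blobs = make(map[string][]byte) }

func (s *LocalStore) Count() int { return len(s.blobs) }

func main() {
	key, _ := NewRandomKey()
	store, _ := NewLocalStore(key)
	// Constructed sample document, not real customer data.
	_ = store.Put("mortgage-42", []byte("Applicant: J. Doe, income 84,000"))
	doc, err := store.Get("mortgage-42")
	fmt.Printf("decrypted: %q (err=%v)\n", doc, err)
	fmt.Printf("on disk:   %x\n", store.RawBlob("mortgage-42"))
}
```

Authenticated encryption matters here as much as confidentiality: a lost device that is later recovered, or a backup restored onto another phone, must not be able to feed the app altered loan data, and the `Open` failure is the signal to discard the blob and fetch a fresh copy over the secure channel.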

Protection against malware
Native mobile applications -- as opposed to mobile-optimized web interfaces -- offer a superior user experience and protect against malware on mobile platforms.

Malicious applications steal information and infect devices, using common web attack techniques such as JavaScript injection (XSS) or SQL injection. These malicious apps concentrate on browser security holes as a primary means of attack.

Because mobile browsers are less mature than desktop browsers, staying with native mobile applications, rather than web interfaces, provides an immediate security layer for enterprise data.

Remote disablement
By some analysts' estimates, mobile device loss and theft can be as much as 50% higher than for laptop computers. If a mobile device is lost or stolen, it is common practice to disable that device remotely to prevent information theft or unauthorized software access. Mobile device platforms provide varying levels of support for remote disablement. Evaluate each individually for its merits and issues.

A native mobile client application makes it easy to disable features remotely, including removing the application or locking access to it.
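The server-side authentication requirement and the remote-disablement requirement fit together naturally, so one added example in Go serves both (it is not code from the article or from Appian). An `AuthServer` checks credentials centrally, issues a short-lived token bound to the calling device, and re-checks a device registry on every call; an administrator's `Disable` then locks or wipes a lost device the next time it talks to the server, without any access to the handset. The `directory` callback stands in for the corporate LDAP/SSO bind the text calls for, and the user, password and device names are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// DeviceState is what the server tells a client to do with itself on its next call.
type DeviceState int

const (
	DeviceActive DeviceState = iota
	DeviceLocked             // stop serving the app until an administrator re-enables it
	DeviceWiped              // delete the local encrypted store and the token
)

var (
	ErrBadCredentials = errors.New("auth: invalid credentials")
	ErrBadToken       = errors.New("auth: invalid or expired token")
	ErrDeviceDisabled = errors.New("auth: device disabled by administrator")
)

// AuthServer is the one place authentication decisions are made. The device
// never checks a password itself; it only holds a short-lived token.
type AuthServer struct {
	key       []byte
	directory func(user, password string) bool // assumption: an LDAP/SSO bind in production
	devices   map[string]DeviceState
	now       func() time.Time
}

func NewAuthServer(directory func(user, password string) bool) (*AuthServer, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &AuthServer{key: key, directory: directory, devices: map[string]DeviceState{}, now: time.Now}, nil
}

func (s *AuthServer) sign(payload string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Login checks the credentials against the directory and issues a token bound to
// the calling device: user|device|expiry, signed with a server-held key.
func (s *AuthServer) Login(user, password, deviceID string, ttl time.Duration) (string, error) {
	if !s.directory(user, password) {
		return "", ErrBadCredentials
	}
	if st, known := s.devices[deviceID]; known && st != DeviceActive {
		return "", ErrDeviceDisabled
	}
	s.devices[deviceID] = DeviceActive
	exp := strconv.FormatInt(s.now().Add(ttl).Unix(), 10)
	payload := strings.Join([]string{user, deviceID, exp}, "|")
	return payload + "." + s.sign(payload), nil
}

// Authorize runs on every API call. Because the device registry is consulted
// here, an administrator can cut off a lost phone without ever reaching it.
func (s *AuthServer) Authorize(token string) (string, DeviceState, error) {
	i := strings.LastIndexByte(token, '.')
	if i < 0 {
		return "", DeviceActive, ErrBadToken
	}
	payload, sig := token[:i], token[i+1:]
	if subtle.ConstantTimeCompare([]byte(sig), []byte(s.sign(payload))) != 1 {
		return "", DeviceActive, ErrBadToken
	}
	parts := strings.Split(payload, "|")
	if len(parts) != 3 {
		return "", DeviceActive, ErrBadToken
	}
	exp, err := strconv.ParseInt(parts[2], 10, 64)
	if err != nil || s.now().Unix() >= exp {
		return "", DeviceActive, ErrBadToken
	}
	st, known := s.devices[parts[1]]
	if !known {
		return "", DeviceActive, ErrBadToken
	}
	if st != DeviceActive {
		return "", st, ErrDeviceDisabled // client acts on st: lock UI or wipe store
	}
	return parts[0], DeviceActive, nil
}

// Disable is the administrator's remote-disablement action for a lost or stolen device.
func (s *AuthServer) Disable(deviceID string, state DeviceState) { s.devices[deviceID] = state }

func main() {
	directory := func(u, p string) bool { return u == "alice" && p == "correct horse battery" } // constructed
	srv, _ := NewAuthServer(directory)
	tok, _ := srv.Login("alice", "correct horse battery", "phone-1", time.Hour)
	user, _, err := srv.Authorize(tok)
	fmt.Println("before disable:", user, err)
	srv.Disable("phone-1", DeviceWiped)
	_, state, err := srv.Authorize(tok)
	fmt.Println("after disable:", err, "wipe requested:", state == DeviceWiped)
}
```

Two design points carry the security weight: the token is signed with a key that never leaves the server, so the app can store it instead of the user's directory password, and the registry lookup happens on every request rather than only at login, which is what makes remote disablement take effect immediately instead of at the token's expiry.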

With the rapid adoption of mobile devices in business, financial services IT experts must make data security the cornerstone of their mobile device strategy. Network encryption, secure authentication, minimal data storage, and passcode locking ensure your enterprise data can be securely transmitted to your mobile users. Today's modern work platform offers solutions to mobile-enable your enterprise applications and processes while maintaining a high level of security and access control.

Evan McDonnell is Appian's Vice President of Industry Practices and is responsible for guiding the company to meet the needs of specific industries. Evan has an extensive background in enterprise and SaaS software. He was most recently Vice President of Marketing at CodeRyte, ...
User Rank: Author
6/10/2014 | 1:54:11 PM
Don't Take for Granted
Evan, this is a useful checklist. It's interesting that just a few years ago, concerns about mobile security held back many banks and other FIs from moving aggressively into mobile offerings; some firms undoubtedly lost "first mover" advantage. Now it seems that banks for the most part have overcome the earlier concerns -- if nothing else, competitive concerns require that. Customers and employees want to interact on mobile platforms. However, that doesn't mean the security risks were overstated or have diminished.
User Rank: Author
6/10/2014 | 2:54:48 PM
Re: Don't Take for Granted
Good point, Kathy. Reminds me of the way some firms have moved applications to the cloud even though they still have security concerns about doing so. For financial services institutions, a hacker getting into their network is such a huge threat. And all points connected to the network -- vendor partners and employee mobile devices -- have to be secured.
Becca L
User Rank: Author
6/30/2014 | 1:38:26 PM
Re: Don't Take for Granted
Even the smaller players have to bite the bullet and take the leap into mobile and cloud or risk falling way, way, way behind on the tech innovation curve. Security, while important, cannot be a roadblock. Their customers expect similar levels of service and capabilities, and they have a real opportunity to secure their market with cutting-edge offerings.
User Rank: Author
6/30/2014 | 3:23:52 PM
Re: Don't Take for Granted
True, mobile offerings have evolved from nice-to-have to essential for today's businesses. The potential for security issues is troubling, but companies are better off taking the right security precautions instead of ignoring the mobile trend. This is a helpful list for those trying to build up their mobile security strategy.
User Rank: Author
6/30/2014 | 10:00:50 PM
Re: Don't Take for Granted
I agree, these mobile security tips are extremely helpful for companies that are seeking to innovate and not fall behind. Bank of Tennessee is a good example of a small player that was able to leap forward by adopting mobile applications so that its officers could process mortgages. Customers are demanding these applications, and with bring your own device (BYOD) to work becoming mainstream, companies need to implement these security practices rather than avoid mobile delivery, which would be a competitive disadvantage.