Being willfully locked away for a week on Amelia Island, Fla., with hundreds of members of the long-standing and influential Financial Services – Information Sharing & Analysis Center (FS-ISAC), gave me a good opportunity to gather, probe, reassess, and reconstitute a variety of assumptions, perspectives, and philosophies surrounding mobile security.
Largely consistent with the many discussions I’ve been fortunate to have with CISOs, CSAs, risk and fraud leaders, and the like, what follows is a not-so-prioritized run-down of how the industry can better unleash the business potential of mobile, while concurrently best assessing risk and ensuring the integrity of the online relationship in this evermore-jumbled mobile-Internet world.
1. Leverage C-Suite’s baptism by breach-fire: As every board and C-suite executive can attest, they have spent more time on security -- of any kind -- these past few months than they likely have in the past few years (or more) combined. Greater chief executive involvement in (mobile) risk and security investment will doubtless support better, forward-leaning, growth-enabling decisions. Too often, leaders in the risk and security profession have effectively assumed the role of naysayer and growth-slayer. Now, in particular, is a time during which we are logically and necessarily able to take on a more proactive role in helping drive the business forward. Clear articulation of which mobile security investments need to be made and why -- beyond the basics that were likely already in the ’13 budget -- will certainly resonate more resoundingly at this point in time. Senior management has been pinched, quite painfully, by all the recent breaches and compromises. We hold the analgesic. So boldly prescribe away.
2. Build in mobile security and risk mitigation: Easier said than done, yes, but this is another mandate for those of us on the Street. On the coattails of Point 1, security can and must now become much more naturally embedded throughout the software commercialization and development lifecycle. If we can collectively shift the natural tide of “just toss our next native mobile app version over for security testing a couple of weeks before release,” we’ll not only be able to make the best risk-informed business decisions on which capabilities and services are enabled, but we’ll also make great strides toward improving the overall user experience in the process. Kind of a nice proposition, eh?
3. Take advantage of mobile device risk/fraud signals: Many malicious actors and fraudsters deliberately emulate genuine users on mobile devices, because mobile sessions typically face fewer security controls than their desktop/PC kin. There is no reason that has to stay true. The mobile device offers signals the desktop never had: the über-valuable accelerometer, biometric sensors, and machine learning-based assessment of pinch-and-zoom and swipe behavior, among much more. We as an industry can do far better in protecting our mobile users, applications, transactions, and businesses by actually using them.
4. Application layer key to mobile security: We all know that a username and password, on their own, no longer prove who is on the other end of a session. So what’s the mobile answer? Wrappers? Containers? Endpoint software? Whether it’s B2C or B2E(nterprise), the reality is that we must go a whole layer deeper – to the application layer. Protecting apps from being manipulated or modified matters, given the rapid rise of mobile malware, but it does nothing about the classic human attack: a person logging in with stolen credentials. Data wrappers or containers aren’t the answer to that. Just as with detecting and protecting against malicious and fraudulent activity on the web, mobile applications need to monitor and act upon user behavior in real time. This should be applied at each key user action within a session, across sessions, and even extended to behavior correlated across other channels. Pinches (and zooms), swipes, typing speed and cadence, and accelerometer-informed “mobi-rhythms” in fact speak louder, and more accurately, than passwords, wrappers, and additional authentication measures. By assessing all available user- and device-based behavioral signals, we are then in the power position of being able to best identify and mitigate account takeover, transaction/trade/transfer fraud, and much, much more.
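To make the behavior-at-each-key-action idea of Points 3 and 4 concrete, here is an added example (mine, not code from the article or from NuData) of the simplest form of this control: a per-user behavioral baseline built from past sessions, a z-score risk for each new action, and per-action thresholds that let a slightly odd session through for low-value actions but demand step-up authentication before a transfer. The feature names (`key_interval_ms`, `swipe_velocity`, `tilt_deg`), the sample values, the sigma floors and the policy thresholds are all constructed assumptions for illustration; a production system would use many more signals and learned, not hand-picked, thresholds.

```python
"""Behavioral risk scoring for a mobile session (added illustrative example)."""
from statistics import mean, pstdev

# Behavioral features captured per user action. Names and units are
# assumptions for this example, not signals named by the article.
FEATURES = ("key_interval_ms", "swipe_velocity", "tilt_deg")

# Minimum standard deviation per feature (assumed), so a user with a very
# consistent history does not get an enormous z-score on a tiny deviation.
SIGMA_FLOOR = {"key_interval_ms": 5.0, "swipe_velocity": 25.0, "tilt_deg": 1.0}

# Per-action (step_up, block) thresholds on the session risk score (assumed).
# Higher-value actions get tighter thresholds.
POLICY = {
    "login": (2.0, 4.0),
    "view_balance": (2.0, 4.0),
    "add_payee": (1.0, 3.0),
    "transfer": (1.0, 3.0),
}


def build_baseline(history):
    """history: per-session feature dicts for ONE user's past sessions.
    Returns (mu, sigma) dicts: the user's behavioral fingerprint."""
    mu, sigma = {}, {}
    for f in FEATURES:
        values = [s[f] for s in history]
        mu[f] = mean(values)
        sigma[f] = max(pstdev(values), SIGMA_FLOOR[f])
    return mu, sigma


def action_risk(baseline, sample):
    """Mean absolute z-score of one action's behavior against the baseline."""
    mu, sigma = baseline
    return mean(abs(sample[f] - mu[f]) / sigma[f] for f in FEATURES)


class Session:
    """Scores each key action as it happens, carrying risk across the session."""

    def __init__(self, baseline):
        self.baseline = baseline
        self.risks = []

    def observe(self, action, sample):
        """Score one action in real time; return (decision, session_risk)."""
        self.risks.append(action_risk(self.baseline, sample))
        # Session risk is the larger of the running mean and the latest action,
        # so one wildly anomalous action cannot be averaged away by earlier
        # normal-looking ones, while a consistently odd session still accumulates.
        session_risk = max(mean(self.risks), self.risks[-1])
        step_up, block = POLICY[action]
        if session_risk >= block:
            decision = "block"
        elif session_risk >= step_up:
            decision = "step_up"
        else:
            decision = "allow"
        return decision, round(session_risk, 2)


def run_session(baseline, actions):
    """actions: list of (action_name, sample). Returns (action, decision, risk) per step."""
    session = Session(baseline)
    return [(a, *session.observe(a, s)) for a, s in actions]


# Constructed history for one user from four past sessions.
ALICE_HISTORY = [
    {"key_interval_ms": 180, "swipe_velocity": 900, "tilt_deg": 30},
    {"key_interval_ms": 180, "swipe_velocity": 900, "tilt_deg": 30},
    {"key_interval_ms": 220, "swipe_velocity": 1100, "tilt_deg": 40},
    {"key_interval_ms": 220, "swipe_velocity": 1100, "tilt_deg": 40},
]

# Constructed sessions: the genuine user, and an attacker holding valid
# credentials but typing, swiping and holding the device differently.
GENUINE = [
    ("login", {"key_interval_ms": 200, "swipe_velocity": 1000, "tilt_deg": 35}),
    ("add_payee", {"key_interval_ms": 210, "swipe_velocity": 1050, "tilt_deg": 37}),
    ("transfer", {"key_interval_ms": 195, "swipe_velocity": 980, "tilt_deg": 34}),
]
TAKEOVER = [
    ("login", {"key_interval_ms": 170, "swipe_velocity": 1150, "tilt_deg": 28}),
    ("view_balance", {"key_interval_ms": 165, "swipe_velocity": 1200, "tilt_deg": 27}),
    ("transfer", {"key_interval_ms": 160, "swipe_velocity": 1250, "tilt_deg": 26}),
]

if __name__ == "__main__":
    baseline = build_baseline(ALICE_HISTORY)
    for label, actions in (("genuine", GENUINE), ("takeover", TAKEOVER)):
        for action, decision, risk in run_session(baseline, actions):
            print(f"{label:9s} {action:13s} risk={risk:4.2f} -> {decision}")
```

The point the walk-through makes: the credential check passes in both sessions, and the takeover session is odd enough to stand out but not so odd that a login-only check would catch it; it is the tighter threshold on the high-value transfer action, evaluated against risk carried forward from the earlier actions, that turns a quiet account takeover into a step-up challenge.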
5. Business partnerships: After we’ve accomplished all of the above, risk leaders should aggressively partner with the business to offer more and more services and "high-risk" capabilities. Grow via “smart and secure risk” and rigorously informed, fact-based investment decisions. That’s what we know. That’s how we roll. Just like an accelerometer.
How does the old saying go? A pinch in time saves nine? Scratch that, it’s a stitch, not a pinch. Regardless, let’s all make aggressive strides toward “saving nine” of whatever makes the board and CEO happy through better security.

Jens Hinrichsen is Senior Vice President of Business Development for NuData Security, having most recently served as VP of Marketing & Business Development for Versafe (acquired by F5 Networks). His background in the online threats and fraud space includes having headed ...