By Immanuel Patzschke, CTO, EQUIIS Technologies
The complex and global nature of organisations operating in the financial services sector means that they are often the target for criminals with a range of motivations.
In fact, according to a recent study, cyber attacks cost financial services organisations more to contain than in any other industry.
For financial services companies, the enormous data security challenge they face daily is made ever-more pressing by the availability of inexpensive mobile interception tools, such as International Mobile Subscriber Identity (IMSI) catchers – cellphone spying tools which facilitate the easy capture of mobile communications.
At the same time, while new technologies – such as machine learning and artificial intelligence – are increasingly used to help enhance and improve the detection of suspicious behaviours or transactions within financial services, organisations will also need to continue to seek ways to improve their mobile security, not only because of people’s increasing personal reliance on mobile, but also due to enterprise’s dependence on mobile. Within this space, securing voice calls and messaging will be crucial.
What’s more, since mobile communications intercept threats are rising globally, it will become increasingly important for firms to secure their voice calls and messaging – especially free ‘Over-the-Top’ (OTT) messaging apps, which can inadvertently create opportunities for information leakage and cyber-security attacks.
With that in mind – and in light of the current regulatory landscape – what are the threats, and what can financial service firms do to protect their voice calls and messages?
Security breaches in the banking and financial services industry are rife. You only have to consider recent news reports about Monzo’s data breach, or the US Securities and Exchange Commission’s admission, last year, that it had been hacked in 2016, with illegal trading potentially at the root of the breach. Further, as many financial services organisations invest in innovative technologies and business approaches, such as agile software development/DevOps, to improve their operations and drive digital transformation, new vulnerabilities could inadvertently be introduced.
This means that potential threats to firms can come not just from hacktivists or criminals seeking financial gain, but also directly from within the business. Therefore, IT teams and CISOs in financial services organisations are often battling external threats, as well as those presented from poor employee communication practices and habits.
For instance, freely available mobile messaging apps – such as WhatsApp and Viber – have ensured that encrypted mobile communications are widely used for both personal and business calls. However, what many people don’t realise is that these free messaging apps compromise security and cannot adequately protect large organisations. This is because they are not enterprise grade and are not fully under the IT team’s control.
Information leaks affect not just organisational reputation – which can have serious reputational and financial consequences – but they can also have a damaging effect on compliance. The repercussions of not meeting industry regulatory standards are now so great that financial services companies in particular are under severe pressure to find a form of communications that is both compliant and secure.
Whilst ensuring that communications are encrypted is vital for financial organisations, complying with regulatory and accountability requirements also demands control over how communications are saved and what is wiped from the system. This is needed to comply with regulations such as MiFID II, which addresses the use of communications recording – both in terms of the scope of communications that must be recorded, and the requirement for firms to monitor recordings. MiFID II also mandates the ability to manage securely archived communications, and the emergence of GDPR further demonstrates the need for secure and compliant communications tools.
The Security Challenge with “Free”
Today, many international callers use open telecommunications networks or ‘free’ consumer-based smartphone apps, such as WhatsApp and Viber. Although these consumer messaging apps do offer end-to-end encryption, they do not provide the organisational control over communications that these institutions require. This can mean that even though they have a method of encrypted communications, these financial institutions cannot operate a closed system, cannot manage how their metadata is being stored, and are unaware of what third parties may be accessing their communications.
The challenge is made even greater by the increasing use of bring-your-own devices in the workplace. No matter how close the attention paid by companies to regulatory compliance, and to implementing secure technology, individual employee behaviour, and indeed poorly constructed or implemented company procedures, may inadvertently increase risk.
Oversight of who is communicating with whom on the encrypted network is essential. Companies also need to be able to selectively and securely store communications metadata for accountability and for regulatory compliance reasons.
Contrary to popular opinion, free messaging apps cannot do that, and this can leave financial services organisations exposed. Without control, “dark” networks can be created that the business is completely unaware of, allowing confidential information to be shared beyond the predefined users of a secure communications approach.
Secure and Compliant Technology Direction
To deal with these challenges, financial services organisations must ensure that they have both the level of security needed to communicate privately, as well as control over how their communications are being managed, and how their metadata is being stored.
Clear policies need to specify precisely what employees can do with data. Businesses need to provide training and guidance so that each and every employee understands the reason for the policies and the consequences of non-compliance.
Only an enterprise-grade encrypted mobile communications approach provides the control and accountability that businesses need to achieve security and compliance. This should be based on open-source encryption, which is tried, tested and validated. This is because there is not enough user experience to validate proprietary security technology, and those developing proprietary systems create a challenge that hackers are eager to take up.
Such open-source encryption enterprise options enable the management of users from a central point, as well as detailed visibility into how the system is being used. They ensure that only authorised users are able to communicate on the encrypted network, and users can be provisioned and de-provisioned instantly. This means that the risk of unauthorised users on the network is much reduced, unlike with the free messaging apps, which offer no central control and no visibility. Enterprise communications systems require contact lists to be closed, which means access is restricted only to authorised users. This has the advantage that no communication can be made with the device’s own contacts, and a user can’t use the communications app to link to their own personal contacts.
In addition, an enterprise-grade approach gives full control over which metadata is saved and which metadata is wiped, which is critical for accountability and compliance in the financial services industry. By partnering with technology providers where encryption and control is integral to their communication offerings, financial services firms can improve their communications systems and also reduce risk.
In conclusion, the security of client and internal data should be core to every strategic technology decision made by financial services companies. The IT strategy must be built on robust security foundations and a flexible architecture that can evolve to support the most up-to-date open-source encryption algorithms, rather than on proprietary encryption technologies. By taking this approach, financial service organisations will go a long way to minimising risk and to addressing their data security and compliance challenges.