Andrew Hoog
Commentary

Mitigating Mobile Risk: It's Time for Action

Traditional mobile security measures do little to address the risk presented by "leaky" mobile apps.

The insurance industry is many things, chief among them a dynamic center of technology. Actuarial experts, security analysts and consultants, and developers work within a vast network of personal data, the protection of which requires the attention of our most gifted computer scientists.

At the forefront of the discussion on safeguarding confidential information is heightened awareness about the threat presented by smartphones and tablets. This is a legitimate concern in an increasingly bring-your-own-device (BYOD) workplace.

Unfortunately, many security professionals continue to apply, or attempt to apply, traditional computing solutions to this new mobile reality -- and it's just not working.

One big reason is that traditional network computing security features like firewalls and anti-virus protection do nothing to address the risks posed by unsecured mobile applications, or so-called "leaky apps." This seemingly harmless collection of icons, the individual squares we tap and access every day, can act as a gateway for attackers seeking to find and exploit weaknesses.

Once inside an insurance agent's smartphone or an executive's tablet, a cyberthief can steal volumes of sensitive material, including banking and financial details, medical records, insurance policy numbers, and other highly personal content.


The average smartphone user would have a very difficult time identifying a leaky app on his device. In most cases, the apps perform as advertised. There is no watchdog group to evaluate app security and inform users of potential vulnerabilities. Most users have no idea how their apps store sensitive information, whether they encrypt data in transit, or how they perform certificate authentication.

But the attackers do, and a clever criminal can easily use a leaky app to open a treasure trove of valuable content. These apps are far from being the exception. In fact, leaky apps are closer to the norm. 

Our own internal audit at viaForensics found that 60 percent of the 100 most popular apps, including those with dual appeal to individual consumers and executives, have a high-risk rating in one or more security categories. All of these apps were offered through Google Play and iTunes. None of them were apps the typical user would suspect of being unsafe.

This challenge demands a comprehensive and an immediate response. Because of their individual and collective longevity, in some cases dating back to the 19th century, insurance companies have the credibility to address this issue in an unprecedented fashion. They also risk destroying that credibility by acts of omission, by failing to arrest this problem before suffering the kinds of massive data breaches we have already seen in the retail sector.

Creating a thorough mobile security strategy -- one that addresses not just malware and targeted attacks but the greater danger posed by leaky apps -- represents an opportunity for insurers to enhance their legitimacy and sustain their deserved prestige.

Picture an actual certificate of insurance: a heavy stock document with an embossed seal, gold leaf, the blue ink of assorted signatories, the insurer's official logo and the five-point Times New Roman print with its "heretofore" caveats and "wherein" sentences. People have a literal investment in that paper, which they cannot afford to have attackers tear apart through data theft.

Addressing the scope of threat: a plan for action
Consider an independent study by Gartner, which predicts that the focus of endpoint breaches will shift to smartphones and tablets. Recognize, too, that the average cost of resolving a successful attack against any business is $8.3 million. Experts believe that this number will rise 10 percent by 2016.

Insurers should, therefore, take advantage of any and all proactive steps to address this problem. It begins with educating their workforce in a way that turns them from potential liabilities into a first line of defense.

If employees are using their mobile devices for work, make sure they are running the latest iOS or Android platforms. Similarly, they must be vigilant about keeping their apps updated, as many vendors use new releases to patch existing security holes.

The devices should be protected by strong passcodes. Users should be advised against jail-breaking their smartphones, as this can make the devices more vulnerable to attack. Agents and executives should also only use known, secure WiFi networks, and be wary of any apps that seem to drain their devices’ batteries in an especially fast manner.

If an insurer chooses to create its own app, there are a number of key security practices that the organization should implement. These include:

  • Avoid storing sensitive information on the device; if you must do so, make sure it is not stored in clear text or stationed within an easy-to-find database.
  • Use secure SSL/TLS protocols to secure data in transit.
  • Conduct ample testing and retesting of an app before it goes live.
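As an added example, not code from the article or from viaForensics' audit tooling: a small Python storage audit, run over a constructed stand-in for a mobile app's data directory, that flags the failure mode in the first bullet above, namely a policy number, a card number and a password sitting in clear text in an easy-to-find SQLite database and preferences file. The `POL-` policy-number format, the file layout and the sample values are assumptions.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# Patterns the audit looks for. The policy-number format is an assumption;
# a real audit would use the insurer's own identifier formats and more rules.
PATTERNS = {
    "password": re.compile(r'(?i)\bpassword\W{1,4}[^\s<"]+'),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "policy_number": re.compile(r"\bPOL-\d{6,}\b"),
}

def scan_text(label, text):
    # (location, pattern name) for every pattern found in clear text
    return [(label, name) for name, rx in PATTERNS.items() if rx.search(text)]

def scan_sqlite(path):
    # Walk every text cell of every table in an unencrypted SQLite file
    findings, con = [], sqlite3.connect(path)
    tables = con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall()
    for (table,) in tables:
        for row in con.execute(f'SELECT * FROM "{table}"'):
            for cell in row:
                if isinstance(cell, str):
                    findings += scan_text(f"{path.name}:{table}", cell)
    con.close()
    return findings

def audit_app_dir(app_dir):
    # Scan SQLite databases and plain files under an app's data directory
    findings = []
    for p in (q for q in Path(app_dir).rglob("*") if q.is_file()):
        if p.suffix == ".db":
            findings += scan_sqlite(p)
        else:
            findings += scan_text(p.name, p.read_text(errors="ignore"))
    return sorted(set(findings))

def build_sample_app_dir():
    # Constructed stand-in for a leaky app's data directory (not real data)
    d = Path(tempfile.mkdtemp())
    for sub in ("databases", "shared_prefs"):
        (d / sub).mkdir()
    con = sqlite3.connect(d / "databases" / "policies.db")
    con.execute("CREATE TABLE policy(number TEXT, holder TEXT, card TEXT)")
    con.execute("INSERT INTO policy VALUES ('POL-1234567', 'A. Holder', '4111 1111 1111 1111')")
    con.commit(); con.close()
    (d / "shared_prefs" / "login.xml").write_text('<map><string name="password">hunter2</string></map>')
    return d
```

Each finding names the file (and table) where clear text was found, which is what a reviewer needs in order to decide whether the value belongs there at all or must be encrypted before it is written.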

By launching strong BYOD security measures and building secure apps, the insurance industry can take control of a previously reactive situation. It can offer the public the best insurance policy against data breaches. That is an insurance policy worth striving to achieve.

Comments
Nathan Golia,
User Rank: Author
11/26/2014 | 6:45:53 PM
Re: Mobile risk
Thanks Andrew. It's unfortunate that the individual end user is the easiest vector of attack for bad actors, but users can change their bad security habits easily.
Christopher C.H134,
User Rank: Apprentice
11/26/2014 | 12:52:28 PM
Cloud Access Security Brokers to the rescue
Thanks for sharing this. You brought up some really great points. There are several security gaps within some of today's top cloud applications like Office 365, Salesforce, Google Apps etc. Things like identity sprawl, lack of visibility into suspicious activity, inadequate data leakage prevention and no true approach to protecting against lost mobile devices.

The old approach of using firewalls and anti-virus protection is no longer effective as mobile devices are bringing data outside the firewall.

Companies should start looking at security solutions like Cloud access security brokers, more specifically ones that allows for total protection of DATA, not just the device itself.

Chris Hines
Kelly22,
User Rank: Author
11/25/2014 | 4:28:42 PM
Re: Mobile risk
That's an interesting concept, Andrew. The BYOS strategy sounds beneficial for the protection of employees and their organizations. The more employees know about best security practices, the better they can protect the information on their devices.
Andrew Hoog,
User Rank: Apprentice
11/25/2014 | 11:53:55 AM
Re: Mobile risk
Kelly,

I couldn't agree more. Education is critical. Additionally, the fact is that harmful apps can BE legitimate apps - they just haven't been properly vetted. We promote BYOS - Bring Your Own Security - where users are the ones providing the security. When users are educated and bought in to the security solutions, both BYOD employees and companies benefit.
Kelly22,
User Rank: Author
11/24/2014 | 1:51:47 PM
Mobile risk
Thanks, Andrew. Insurers really need to stay on top of their mobile security as more workplaces become BYOD. Untrustworthy mobile apps are a big source of trouble, and it's scary that harmful apps can look exactly like legitimate ones. Educating employees in best security practices will help protect both corporate data and their personal information.