Introduction and background
This blog provides an overview of mobile application security in financial services based on an in-depth study by Osterman Research and published in the Approov-sponsored report “The State of Mobile Application Security in 2022”, in July this year.
A second blog published today provides the same level of information and analysis on mobile application security in healthcare.
Building on the research published in the report, Osterman Research has released new findings on mobile app security by industry for healthcare and financial services.
The results reveal both the growing reliance of each industry on mobile apps and some industry gaps between the strategic importance of mobile apps and the attention and resources allocated to protecting mobile apps against threats. ‘execution.
The findings are based on a survey of 302 security managers and mobile app development professionals in the US and UK who identified themselves as employed in technology, financial services, health or “others”. The original report and a 30-minute video summarizing the results are available here.
All sectors have seen a massive and sudden migration to online services over the last 2 years and in general mobile applications have rapidly become business critical with their importance across all sectors having tripled over the past 2 years. years – they are expected to become even more essential by 2024 – 92% of respondents say they will be essential to the business by then.
Specificities of financial services
Financial services is a dynamic market that continually introduces new and innovative products and services to a growing mobile population. These new business models can sometimes be difficult to implement in a way that provides excellent customer service and completely secure interaction.
Much has been said about “bank-grade security,” but unfortunately, Osterman’s findings lead to the conclusion that the financial industry is showing a certain level of complacency when it comes to security.
This is concerning, as it could be said that this is the sector that has the most to lose in the event of a breach.
In financial services, Osterman found that the rating of mobile apps as critical to operations jumped five times in that sector over the 2-year period. In 2020, 15% of organizations considered mobile apps critical to business operations, but 81% of respondents said mobile apps were critical to business in 2020.
In the technology sector, on the other hand, mobile apps were considered essential to business operations in 2020 by 68% of respondents. In 2022, 86% of Tech respondents cited mobile apps as critical to their organization’s business.
Michael Sampson, Principal Analyst, Report Author, Principal Analyst at Osterman Research said:
“The tech vertical adopted mobile apps earlier, but over the past 2 years other verticals such as financial services and healthcare have struggled to catch up.”
A rapid pace of change in the criticality of mobile apps inevitably puts pressure on organizations to release new features to market, which is reflected in the bottom line.
In financial services, 46% of respondents said their organizations prioritize bringing new capabilities to market over addressing known insecurities.
Michael Sampson says, “This dynamic environment unfortunately seems to be leading to a situation where new features are prioritized over security. This is clearly seen in financial services, the most at-risk sector, where a high percentage of respondents indicated weak security practices.
There are particular security issues in financial services highlighted in the report:
- Nearly half (46%) of respondents in financial services believe they do not effectively communicate security policies to developers, compared to just 17% in technology and a statistically insignificant percentage in healthcare.
- The same number (46%) of financial services respondents believe their organization lacks the right levels of security skills, while only 12% of respondents report this issue in the technology sector.
- 77% of respondents in financial services had no visibility into data stolen from APIs by scripts using stolen API keys, more than 3x worse than the visibility into this issue reported in Tech.
- Another example is “fake account creation” where twice as many respondents in financial services reported poor visibility (69%) than in technology.
- 81% of financial services respondents said they had no visibility into the impact of false positives from security solutions on the customer experience. It was far more than Tech (44%) and Healthcare (63%). A cynic might suggest it’s because security deployments are limited.
The past few years have seen rapid innovation in financial services products and offerings, both from existing institutions and Fintech startups. However, findings from “The State of Mobile Application Security 2022” show that now, financial services firms need to tighten security before a major breach occurs.
Greater security discipline around development practices for building mobile apps and APIs is essential in this vertical, as is a comprehensive approach to protecting API keys and other secrets. Additionally, an enforcement security policy must be in place to protect the misuse of stolen credentials if and when they are stolen.
Learn more about Approov in Financial Services here and find out how a 30-day free trial would help you gain visibility into mobile app threats here.
*** This is a syndicated Security Bloggers Network blog from Approov Blog written by George McGregor. Read the original post at: https://blog.approov.io/the-state-of-mobile-app-security-in-2022-in-financial-services