Living Like the 3%

What kind of financial windfall would it take to put you into the 1% — to enable you to leave your job, climb aboard your yacht, and eat avocado toast for breakfast, lunch, and dinner? The answer varies with your location: in India it would be a relatively paltry $81K per year, in France a more significant $215K, and in the United Arab Emirates a seemingly prohibitive $891K per year (pretax, for those of you doing the math at home).

While membership in this elite club is out of reach for most of us, it is still possible to become a top-tier member of a different group: the 3%. This select group is measured neither by how many homes its members own nor by their investment portfolios, but by how well they steward the resources that others have entrusted to them.

A recent report published by Arxan Technologies examined 30 different financial services apps available on the Google Play store and found very few that provided adequate security for their users. Despite the fact that these apps were supplied by financial institutions, for whom trust is essential to the business, application security was surprisingly found wanting.

The issues discovered were wide-ranging. Forty-three percent of the apps were vulnerable to runtime code injection, in which code is injected into the app as it runs on the mobile device — allowing adversaries to execute their own code as the logged-in user. Eighty percent of the apps used relatively weak encryption, giving malicious actors an easy way to pilfer the sensitive data embedded in and used by these apps. Eighty-three percent of the apps stored sensitive data in the device’s file system, in external storage, or on the clipboard — locations that bypass any access restrictions the app itself would normally enforce, so that any other user or app on the device can read data that should have been protected. The most common issue, however, was the lack of binary protection to prevent reverse engineering. This means an attacker could decompile the application and examine its source code, discovering further vulnerabilities to exploit and exposing any sensitive data hard-coded within the app. This final issue alone reduced the number of apps without issues to a grand total of 3%.

Only 3% of the financial apps in this study delivered a secure experience for their users, demonstrating that the institutions behind them could be trusted to handle their customers’ data and finances responsibly. This, of course, is the 3% that every financial institution should aspire to join; with each passing headline, customers are realizing the importance of choosing financial providers who have invested in proper security controls to protect their interests.

Studies such as this one make it more apparent with each passing day that security cannot be an afterthought for today’s businesses. It must be a mindset that pervades every aspect of the organization: from establishing an identity program that provides access and ensures regulatory compliance, to enforcing access to sensitive resources in depth, to ensuring, as this report highlights, that application security is at the forefront for every software architect and developer, so that the applications and software that represent a financial institution to the world communicate responsible handling of customer assets and data.

Organizations take security lightly at their own peril, putting their relationship with customers at unnecessary risk and finding themselves living below what one analyst called “the Security Poverty Line.” Financial institutions wanting to thrive in today’s business environment must invest in a coherent security program that delivers a secure, trustworthy interaction for clients — which will elevate them into the rarefied air of the 3%.

This post originally appeared in Finextra.