By now, I am sure you have heard the debate between Apple and the FBI. As a refresher, the FBI possesses the iPhone of one of the San Bernardino terrorists. To assist with the investigation, the FBI has requested that Apple create a "backdoor" in their operating system to prevent the phone from wiping itself after a certain number of password attempts.The controversy surrounding this request is vast.
More Privacy Equals Less Security
One faction of the dispute argues that if Apple wins, we could maintain personal privacy at the cost of our national security. Due to a letter released by Apple on February 16, this conversation is not happening behind closed doors. The world is now watching to see what happens. If hackers know Apple is going to protect their information from the government, there is more reason for them to use Apple devices as tools to achieve their ulterior objectives. A ruling in Apple's favor would set a precedent that personal privacy trumps government security.
More Security Equals Less Privacy
The opposite side argues that if the FBI wins, a backdoor created can never be undone. In the hands of hackers or, dare I say, cyberterrorists, this backdoor could allow access to information on hundreds of millions of devices. The devices our customers use to sign into online banking apps are the same devices that would have an intentional exploitable backdoor. A ruling in the FBI's favor would set a precedent in which government security overrides personal privacy, and we could expect to see more of these doors opened in the future.
Who Wins?
There are no winners in this duel. If Team Apple wins, our threat landscape increases. If Team FBI wins, our threat landscape still increases. There will be fallout, regardless of the outcome.
Financial institutions unfortunately fall right into the middle of the crossfire. We could spend time arguing about individual privacy vs. national security, but we can better utilize our time and resources enhancing our own cybersecurity to protect our customers' sensitive information.
Your Information Security Program should already contain the keys to your metaphorical fallout shelter. Here are some things you should inventory as you prepare for whatever the future may bring:
Review Your Risk Assessments.
Your information security, internet banking, and other mobile device assessments should already incorporate applicable threats. These types of threats include digital threats, such as exploitation by external attackers or guessed passwords. They also include physical threats, like lost or stolen devices or improper disposal of old phones. The next time you hold your phone, ask yourself, "What could go wrong?" and then explore the answers you discover with your security committee.
Review Your Policies.
You should have policies in place to define what your employees can and cannot do with their mobile devices. This includes not storing or accessing customer sensitive information on their devices, giving you permission to perform a remote wipe, establishing whether mobile devices are allowed on the company network, and more. Your policies are going to be the backbone for your controls.
Review Your Controls.
Controls are the practical application of your policies. The FFIEC's recent Cybersecurity Assessment Tool highlighted "Cybersecurity Controls" pertaining to mobile devices, such as quarantining unpatched devices or integrity scanning. It may also be helpful to enhance your customer education resources, as it relates to mobile devices and mobile banking security. There are always things we can do to better reduce risk.
Review Your Business Continuity and Incident Response Plans.
If all else fails, plans and procedures should be in place to assist with the fallout. When a threat comes to fruition for your institution, document the details so you're better prepared for the next one. Valuable information to document includes: the source of the incident, any affected systems, and what actions you took to remediate the situation.
To quote an old adage, "Luck favors the prepared." It is difficult to determine the future and by the time you read this article, we may already know how this story ends. Whatever the case, it's time to take inventory again. Think about what has transpired and apply it to your Information Security Program. May your security and privacy find harmony, if not equality.
