February 8, 2022

    How Not to Stand Out: Start with Security in Mind

    Threat actors are always looking for quick wins, and finance apps are particularly lucrative targets. Not only do these apps handle — and often store — sensitive financial data, they are also easy to compromise when they ship with inadequate protections.

    Standing out as an easy target can have a negative impact on customer adoption and retention. In fact, our research found that 40% of consumers who don’t use mobile payments cite security as their main concern. That’s why financial institutions should take measures to ensure their apps won’t stand out as a risk to potential customers.

    In this post, we’ll discuss the business impact of poor mobile app security and why financial services organizations should shift security left and embrace security throughout the app delivery lifecycle.

    The Business Impact of Poor Mobile App Security

    When financial institutions launch mobile apps with poor security measures in place, they’re putting their business at risk in a number of ways.

    First, a security incident can have enormous financial and legal costs. For example, in a recent study of over 500 data breaches, IBM found that the average cost of an incident for a business in the finance industry was $5.85 million, well above the $3.86 million average cost across all industries. In addition, the greatest increase in overall data breach costs occurred in the finance, healthcare, and retail industries.

    Financial institutions also have strict industry regulations they must adhere to, including PCI compliance, SOC 2, PSD2, and other compliance requirements. Failure to comply with these regulations could result in legal fees and fines at best, and lasting damage to the financial institution’s reputation at worst.

    The potential loss of reputation from a security incident can have a direct impact on customer adoption and retention. Since it’s now easier than ever for customers to move their money from one institution to another, financial services organizations need to foster a sense of trust when it comes to security and consumer privacy to retain customers long-term.

    Finally, the theft of intellectual property and the leaking of unreleased features can cost financial institutions their competitive edge. While time-to-market for new features is important, inadequate security measures could allow malicious actors to undermine a release by distributing app clones. This is particularly costly for fintech startups that rely on their speed of innovation to compete with larger financial institutions.

    Why Financial Institutions Need to Shift Security Left

    While many financial institutions see security as a tradeoff with time-to-market, especially as the pandemic fueled the use of mobile finance apps, it doesn’t have to be. Through the adoption of DevSecOps and shifting security left, organizations can balance development velocity and the user experience with strong mobile app security.

    DevSecOps is an approach to application delivery where security measures are integrated directly into the development process. A key aspect of DevSecOps is shifting security left, or implementing automated tools earlier in the development process to reduce the costs and effort involved with mobile application security. This enables development teams to continue delivering mobile applications rapidly without compromising on security.

    Since security isn’t a one-off solution, proactively adding security to the development process, rather than just pentesting afterward, is more effective in the long run. That’s because the remediation of security issues is far more costly the longer a development team postpones them. By enabling developers to fix potential security issues in the context of the work they’re currently doing, financial institutions can immediately improve the security posture of their mobile applications.

    Start with Mobile App Security

    As we’ve discussed in the past, launching a finance app with security in mind is the best way to build consumer trust, and, in turn, ensure greater customer adoption. More importantly, shifting security left and implementing effective app security from the beginning will encourage malicious actors to think again before targeting your app.

    In short, if financial institutions consider security before the app is published, they can implement adequate app protections before it’s too late and the negative business impacts we’ve discussed become a reality. With the right tooling, shifting left doesn’t need to be difficult.

    Guardsquare’s developer-friendly mobile security suite fits seamlessly into existing developer workflows. This enables a DevSecOps approach for delivering innovative finance apps with multiple layers of security from the start. Using Guardsquare, financial institutions won’t stand out as targets, but will instead foster strong reputations for security.

