By Missy Oliver, CoNetrix
We all love our mobile devices. If you look around in any restaurant, walking down the street, even while driving (not a safe idea), you will see people glued to their mobile phones. In the past few years, the line has blurred between our personal mobile devices and business devices. Especially now, as a large part of the workforce is working from home due to the COVID-19 pandemic, personal mobile device use is the norm for millions of people. We must be prepared that many employees may want to continue using their personal mobile devices as they transition back to the workplace.
The mobile technology environment makes work more accessible and functional than ever before. Our mobile devices — including laptops, tablets and smartphones — are highly transportable, making ubiquitous access to work data a simple task. Not only that, but most of our devices have our preferences saved, making them more comfortable to use. According to a recent survey by Dell, 61% of Gen-Y and 50% of 30+ workers believe that their personal technology tools are more effective and productive than those used in their work life.
We call this phenomenon BYOD — Bring Your Own Device. BYOD has both positive and negative aspects. Efficiency and productivity are increased due to employee comfort and proficiency with their own devices; however, the introduction of mobile devices to your secure bank network can put your bank in a vulnerable security position. When you consider the number of employee-owned smartphones in use and add in the growing number of mobile laptops now utilized by banks, you begin to grasp the sheer amount of sensitive data walking around in the world every day. Dangers posed by malicious applications, viruses and hacking suddenly become a much more viable threat. So, for your bank, the question becomes, “How do we incorporate mobile device use in our bank environment and still protect our bank and customer information?”
Risk Management
Risk management is a well-known concept for banks. As a bank, you are always weighing the risk of any program, asset, or action against the benefit. Managing the risk of mobile devices and BYOD is no different. Determining the risks and developing your controls relating to mobile devices will produce the most successful marriage of convenience and security.
Policies
Written policies can provide specific mobile device and BYOD requirements and reinforce security expectations to your employees. Best practices, employee restrictions and even legal issues should all be included in your policy. The following are best practices that should be incorporated in your Mobile Device/BYOD policy:
- Strong and unique passwords
- Locking devices with biometric controls
- Data encryption
- Bluetooth and wi-fi features disabled except when in use
- Bluetooth set to non-discoverable
- Security software installation
- Data wiping
- Reporting lost or stolen devices
- Multifactor authentication
- Operating and security software updating
- Termination provisions
EMM and MDM
Enterprise Mobility Management (EMM) and Mobile Device Management (MDM) solutions can assist and enforce security policies, such as identity management and authentication procedures.
Secure Network
Utilizing a secure gateway, such as a VPN, when accessing sensitive bank information from unsecured locations outside of the bank firewall, provides another crucial layer of security. The encrypted connection helps ensure that sensitive data is safely transmitted. You can even limit what bank information is accessible from a home network to protect bank and customer information.
Training
Employee training allows you to communicate your expectations for what your employees should and should not do with their devices. Require periodic training on the bank’s mobile device/BYOD policy to provide your employees with up-to-date information and relay the bank’s emphasis on the security need for the devices. The frequency of training also reminds the employees of any aspects of security they may have forgotten and reinforces the overall importance of security. Training can incorporate policies, as well as best practices such as:
- Using caution when opening email and text message attachments
- Avoiding joining unknown wi-fi networks, especially public networks
- Maintaining social awareness when utilizing mobile devices in public places
Mobile device/BYOD use is a common corporate practice in our world, and the banking industry is no different. Good planning allows banks to enjoy increased employee productivity and manage risk. Considering those risks and creating multilayer controls can empower your bank and its employees to incorporate mobile device/BYOD use, protect your bank and customer data, and still be confident in your security posture.
Missy Oliver works at CoNetrix as a compliance and security consultant with seven years of technical and security experience in the educational and financial sectors. She has a B.A. in Advertising/Public Relations from Texas Tech University. She assists with the creation, customization, and maintenance of information security programs, facility in security programs, facilitation in the security committee meetings, and Cybersecurity Assessment Tool board training.
This story appears in Issue 5 2020 of The Kansas Banker Magazine.