Bring Your Own Device programs, which allow employees to usetheir own smartphones and tablets in the work environment, aresignificantly changing information technology.

Credit unions and other financial service firms are among theorganizations embracing BYOD, as it allows senior executives andemployees to use for work and pleasure the mobile devices, serviceproviders and operating platforms of their choice.

IT research firm Gartner Inc. predicts that by 2013, 80% ofbusinesses will support a workforce using tablets, and by 2014, 90%of organizations will support corporate applications on personaldevices.

Considerations

While BYOD programs can save credit unions money and increaseproductivity, they can also present challenges to maintainingcontrol over corporate data. If your credit union is evaluating aBYOD plan, consider security issues and industry regulations suchas Payment Card Industry Data Security Standards or GLBA that couldaffect how employees may use their devices.

Before implementing BYOD, decide in advance on the types ofdevices employees will be allowed to use and the ways in which theywill be allowed to use them. Consider how employees will need toconnect to the corporate network – either via your co-op's wirelessnetwork, a public wireless network, or the employee's cell phonenetwork – to track when employees are on the network and identifyanomalous activity.

The IT department should assess the interoperability of thevarious devices that may be used by employees to ensure they cansend and receive data without any negative impact to the co-op'snetwork. IT should know which types of phones support the virtualprivate network specifications required for a secure connection. ITshould also be familiar with the security requirements for thedevices and their operating systems, as well as with whichapplications are secure and approved for access on the devices.

Prohibitions

Unapproved devices should be prohibited from accessing thecorporate network. If an approved device has an unapprovedapplication installed on it, that device should be prohibited fromaccessing the co-op network because some applications installmalware, infecting the device. If an infected device is pluggedinto a USB port on a company computer, the computer could becomeinfected, and ultimately, so could the co-op network.

An infected device doesn't even have to connect to a corporatecomputer to affect its network. If an employee is sitting in theoffice and uses a personal device to connect to the co-op'swireless network, the device could download business documents,avoiding firewalls and the co-op's internet prevention/detectionsystem, which both help prevent outsiders from getting in or out ofthe corporate network.

If any personal device is lost or stolen, the co-op'sconfidential information might be found. And if an employee isusing an infected personal laptop, it could infect other computerson the co-op network by uploading infected files or usingnetwork-based exploits. This is why full-time network securitymonitoring is so important, as it lets organizations see everythingthat attempts to go in and out of the co-op network.

IT managers may want to forbid the use of mobile platforms thatare not compatible with your organization's requirements andencourage users to choose from a list of approved mobile devicesyour IT management team supports. When employee-owned devices aremanaged by an employer, users usually experience only minor changesin the ways in which they use their devices for personalactivities.

With so many types of mobile devices and operating systems inthe market, it can be expensive and time consuming to manage andsupport everything available. If your credit union plans toallow an infinite number of devices, your IT team will need tobecome familiar with new platforms for information processing andkeep pace with rapidly changing platforms.

Partnering

One way to keep the benefits of BYOD from being eclipsed bysupport costs is by partnering with mobile device managementservice providers. It's almost always cheaper to partner with anMDM provider than managing BYOD in-house. MDM vendors that monitormobile devices 24/7 have the knowledge and staff to work withcountless types of old and new devices and operating systems.

MDM vendors can assist with basic IT security issues such aspassword policy enforcement and remote device-wiping. Vendors canaccommodate multiple platforms and address major requirements fordevice provisioning and configuration.

To address the countless policies, regulations, configurations,compliance risks and legal implications, it's wise to work with aninformation security specialist up front to help design a BYODprogram specifically tailored to the needs of your co-op andcustomers.

Don Jackson, CISSP, is a senior security researcherwith the Counter Threat Unit Research Team atDell SecureWorks in Atlanta.