How Credit Unions Can Safely Embrace Bring-Your-Own-Device
Bring Your Own Device programs, which allow employees to use their own smartphones and tablets in the work environment, are significantly changing information technology.
Credit unions and other financial service firms are among the organizations embracing BYOD, as it allows senior executives and employees to use the mobile devices, service providers and operating platforms of their choice for both work and pleasure.
IT research firm Gartner Inc. predicts that by 2013, 80% of businesses will support a workforce using tablets, and by 2014, 90% of organizations will support corporate applications on personal devices.
While BYOD programs can save credit unions money and increase productivity, they can also present challenges to maintaining control over corporate data. If your credit union is evaluating a BYOD plan, consider security issues and industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS) or the Gramm-Leach-Bliley Act (GLBA) that could affect how employees may use their devices.
Before implementing BYOD, decide in advance on the types of devices employees will be allowed to use and the ways in which they will be allowed to use them. Consider how employees will need to connect to the corporate network (via your co-op’s wireless network, a public wireless network, or the employee’s cell phone network) so that you can track when employees are on the network and identify anomalous activity.
The IT department should assess the interoperability of the various devices that may be used by employees to ensure they can send and receive data without any negative impact to the co-op’s network. IT should know which types of phones support the virtual private network specifications required for a secure connection. IT should also be familiar with the security requirements for the devices and their operating systems, as well as with which applications are secure and approved for access on the devices.
Unapproved devices should be prohibited from accessing the corporate network. If an approved device has an unapproved application installed on it, that device should be prohibited from accessing the co-op network because some applications install malware, infecting the device. If an infected device is plugged into a USB port on a company computer, the computer could become infected, and ultimately, so could the co-op network.
An infected device doesn’t even have to connect to a corporate computer to affect the co-op’s network. If an employee is sitting in the office and uses a personal device to connect to the co-op’s wireless network, the device could download business documents while bypassing firewalls and the co-op’s intrusion prevention/detection system, both of which help keep outsiders from getting into the corporate network and data from getting out.
If a personal device is lost or stolen, any confidential co-op information on it might be found by whoever ends up with the device. And if an employee is using an infected personal laptop, it could infect other computers on the co-op network by uploading infected files or using network-based exploits. This is why full-time network security monitoring is so important, as it lets organizations see everything that attempts to go in and out of the co-op network.
IT managers may want to forbid the use of mobile platforms that are not compatible with your organization’s requirements and encourage users to choose from a list of approved mobile devices your IT management team supports. When employee-owned devices are managed by an employer, users usually experience only minor changes in the ways in which they use their devices for personal activities.
With so many types of mobile devices and operating systems on the market, it can be expensive and time-consuming to manage and support everything available. If your credit union plans to allow an unlimited range of devices, your IT team will need to become familiar with new platforms for information processing and keep pace with rapidly changing platforms.
One way to keep the benefits of BYOD from being eclipsed by support costs is by partnering with mobile device management (MDM) service providers. It’s almost always cheaper to partner with an MDM provider than to manage BYOD in-house. MDM vendors that monitor mobile devices 24/7 have the knowledge and staff to work with countless types of old and new devices and operating systems.
MDM vendors can assist with basic IT security issues such as password policy enforcement and remote device-wiping. Vendors can accommodate multiple platforms and address major requirements for device provisioning and configuration.
To address the countless policies, regulations, configurations, compliance risks and legal implications, it’s wise to work with an information security specialist up front to help design a BYOD program specifically tailored to the needs of your co-op and customers.
Don Jackson, CISSP, is a senior security researcher with the Counter Threat Unit Research Team at Dell SecureWorks in Atlanta.