BYOD Challenges Ahead for Credit Unions
Maintaining a secure and stable information technology environment in one of the most heavily regulated and audited industries is a significant challenge. So when segments within the financial services sector are presented with new technologies that have the potential to transform how their services are delivered to consumers, businesses and employees, it takes a great deal of cautious planning to ensure that nothing is compromised.
Mobile technology presents a tremendous opportunity for credit unions because it allows them to connect to their customers and employees 24/7. The pressure to deliver new mobile services, beyond mobile web, to financial customers is stressful and very competitive.
The pressure to enable employees to use their “always on” mobile device is just as intense. For employees, the capability to gain access to information remotely from their mobile device delivers a new efficiency and level of awareness that they have not previously enjoyed. For the business, it means the ability to work outside of the standard business hours, improve satisfaction amongst employees as well as increase the speed of doing business.
Two deployment models have arisen: Corporately Owned, Personally Enabled (COPE), and Bring Your Own Device (BYOD). While COPE provides a degree of control through ownership, it also imposes capital and operational costs and limits device choice, drawbacks that can be avoided by adopting a BYOD strategy. BYOD, on the other hand, increases concerns over employee privacy, corporate security and information control.
Both models introduce new IT and information security challenges for the delivery of information services across new networks, new protocols and new endpoint devices. While years of analysis and planning have gone into the decisions behind the purchase of the traditional IT systems, these mobile devices and the vendors that deliver mobile solutions are merely a few years old. Few of these systems have matured through the versioning necessary to achieve the functionality and robustness demanded of financial systems.
Yet, mobility presents such a compelling opportunity that many industries including the financial services industry are overlooking some of the short-term weaknesses, much to the chagrin of IT departments, in order to take part in the mobile bonanza and to avoid being left behind while customers, and even employees, shift their loyalties.
IT departments no longer have the degree of decision-making control that they once had. When it comes to mobile devices, the employee has far greater decision-making influence than ever before. Major device OEMs now understand that the consumer is their channel to the enterprise IT department and are marketing their solutions directly to this segment. IT is now in the position of responding rapidly to the demands of the employee and maintaining the level of service and security of the traditional system.
IT departments must now integrate these disparate mobile systems into their existing infrastructure and processes as well as understand and maintain logical partitions between corporate data and personal data. Additionally, IT must deploy client-side software to defend against whatever employees choose to download onto their devices, and track these devices in order to recover them if lost or lock them and potentially wipe the devices of any corporate data.
The practicality of managing these devices is affected by the fact that they were not designed to deliver multi-persona, logically partitioned information. Most devices share storage and memory amongst all of the apps and data on them. What is needed is a means:
- to isolate the employee apps and data from those of the corporation,
- to specify and manage the corporate apps and data to the level of restriction and control demanded of all the other corporate IT systems,
- to permit the device owner to enjoy all the benefits of their device without restriction or oversight over their personal data,
- to allow the corporation to remove corporate data from a device if it is lost, stolen or leaves the company,
- to allow the device owners to do more than just work and play with the device:
  - to allow them to isolate their banking apps from their children’s games;
  - to allow them to create a guest on their device for sharing;
  - to create a quarantine area on their device for downloads that they are unsure of;
  - to restrict nosy apps from snooping or swiping their contact list or taking advantage of the ridiculous permissions that most apps require by eliminating any potential security holes,
- to make BYOD the viable model that it promises by providing devices and systems that support the requirements of both the corporation and the employee.
It will take several more highly publicized security or privacy incidents to force mobile solutions to achieve the level of trust demanded by the financial services industry before any significant information-access services are made available to employees.
Until that time a lot of faith will be placed in VPN and anti-malware products, as well as the constraints in the right-to-use policies that most employees must now sign up for, to protect apps and data on mobile devices while in the hands of employees.