Threat of the Week: When BYOD Gets Ugly

The numbers explode off the page. In a survey of financial services professionals, Workshare – a developer of collaboration tools – found that 89% of financial professionals use their personal devices for work, often directly ignoring employer bans on consumer file sharing tools.

“IT is no longer a control mechanism,” said Ali Moinuddin, Workshare's CMO, in an interview. He ominously added, “Once the data is on the personal device, the company has lost control.”

What this means is that, very probably, in your credit union many employees are carrying around highly sensitive information on their personal smartphones. This could include member Social Security numbers, employee reviews, maybe mortgage applications that are pending review.

Don't expect that information proliferation to end soon. Some institutions have tackled the problem and below is the story of how at least one credit union has tamed this monster by putting into place policies that work both for the institution and its employees.

That's the exception however.

Feast on how bad this situation has gotten. Research from network security company Fortinet found “51% (of surveyed employees) stated they would contravene any policy in place banning the use of personal devices at work or for work purposes.”

Read that again. Even if they are ordered not to access credit union information on their personal phone or tablet computer, these respondents say they will go ahead and do as they wish.

A survey by Check Point Software Technologies found similar, with 63% of responding IT executives admitting they did not even try to limit the ability of employees to access company data.

“The challenge of securing mobile devices has become increasingly overwhelming for IT departments including those at credit unions. Despite the major risk of breaches and losses, the data on many employee-owned devices is not being managed and policies (if they exist) are not being enforced by employers,” said Jim Rivas, a Check Point Software Technologies spokesperson.

Little by little, however, that is starting to change as some institutions face up to the fact that they have to find effective ways to manage the business data on an employee's personal device.

A case in point is Amoco Federal Credit Union, a $623 million institution in Texas City, Texas, which, over the last year, has taken large steps to gain control over the credit union data that resides on employees' personal devices, said Thomas Green, vice president of information technology.

This journey started a year ago when an NCUA examiner asked what the institution was doing to secure mobile devices. It was the first time he was asked that question, said Green, and the answer was that Amoco FCU had in place sophisticated controls on several dozen iPads that had been issued to board members and some managers.

But it had essentially no controls on employee-owned devices, Green acknowledged to the examiner.

The examiner indicated this could be a problem, not necessarily this year, but in future exams.

Afterwards, Green took the examiner's concerns to the CEO and the decision was made to implement MDM (mobile device management) tools on some 30+ iPhones and Androids that are employee-owned but used to access work-related information. The particular tool selected lets Amoco FCU create a segregated space on the smartphone where credit union information and apps reside.

Green said the tool proved its worth when an employee was separated from the credit union – involuntarily and amid unpleasantness – and yet Amoco FCU could easily, and remotely, wipe its data on her phone without touching a single personal photo or email or calendar entry. “That worked out beautifully,” said Green.

If a device is lost or stolen, it's easy to do a wipe, added Green.

Bottom line: At Amoco FCU, the credit union now feels secure that, even when an employee is using a personal device to access credit union owned information, the institution retains considerable control.

For Green, that means he believes the institution – and its member data – are a lot safer than they were a year ago and it happened because, clearly, it had become time to take action, said Green.