Thomas DoironThomas Doiron, Sr. Account Manager

Bring your own device (BYOD) has been established and is growing within the financial institution sector.  In fact, Accenture reported last year that one in four employees regularly used personal consumer devices and applications for work activities. Even more, 27% agreed to pay for these devices despite the employers’ concerns about security and protocol[1].  So why not let your loan officer use their personal mobile device to meet with prospects and close deals for the institution?  The GLBA requires institutions to have an information security program that describes how to protect non-public information.  Unless you go through the necessary steps to protect your institution from the loss of compromised confidential data, this strategy would unfold itself either from the negative incident response, litigation, damaged reputation, or noncompliance findings from examiners.

First, let’s review the regulatory aspect and concern for BYOD.   Many financial institutions choose to implement mobile devices because it advances the goals and purpose of the overall business strategic plan.   Because of this new consideration, a cost benefit analysis will first need to be completed which will reinforce the decision to implement. Also, a risk assessment will need to be reviewed for the overall new technology that will identify any potential risk exposure from unauthorized disclosure of non-public or customer information.

Second, implementing proper controls and best practices in the management of BYOD is also becoming a challenge within regulatory compliance.  At first thought, it appears you could extend the institution’s existing policy to include mobile devices since the operation of how data is processed, transmitted, and stored on a mobile device and a computer are similar. However, this doesn’t necessarily work because the risks are greater due to the difficulty in controlling the devices. Because of this factor, a separate policy should be considered while employees sign off on proper usage. The Board will also need to approve the overall new policy. Additionally, the employee should also have signed off on a mobile wipe policy.  This provides the institution the ability to wipe a device if the device is lost, stolen or if the employee is terminated.

The ability to wipe a device has become problematic due to the fact that unless the institution is using Mobile Device Management (MDM), the entire mobile device is wiped resulting in factory reset. This would delete all videos, pictures, and voicemails from the employee’s personal mobile device.  The Guidance, NIST Special Publication 800-124 entitled “Guidelines for Managing and Securing Mobile Devices in the Enterprise” states that for employee-owned  devices (BYOD) organizations should recover them, restore them to a known good state, and fully secure them before returning them to their users. Due to this situation, institutions are either forced with providing a separate mobile device for business use only or explore other technology controls like MDM.

For more information regarding a BYOD policy, I recommend reading the Compliance Guru’s article BYOD Redux – The Policy Solution (Part 2).

Lastly, the security struggles that financial institution IT administrators have on these devices include lost or stolen devices, downloading of unauthorized applications, mobile viruses, malware, termination and resignation – all this results in the necessary removal of nonpublic information.  Today there are growing solutions that help reduce the security risk while providing regulatory oversight for managing them.  MDM provides the following benefits to control and manage mobile devices.

  1. Reporting and audit options
  2. Remote configuration for email and wifi profiles
  3. Ability to limit devices or types of devices
  4. Application control – White List/Black List
  5. Device inventory
  6. Software inventory
  7. GPS tracking
  8. Backup options
  9. Enterprise Wipe clears only email profiles, apps, and wifi profiles
  10. Remote lock
  11. Ability to apply policies– Able to disable functions of the phone e.g. camera, YouTube, Safari, and iTunes App Store.
  12. Passcodes: MDM will allow you to audit whether or not the policy is actually being applied
  13. Ability to lockdown roaming and data usage
  14. Ability to push messages to the device

BYOD concerns aren’t going away.  Employees are paying for these devices to use their technology for personal and business work as seen in the industry regardless of the institution’s approval.  So when it comes to BYOD you basically have two choices; you can properly manage the devices and the risks consistent with your other computing devices or you can recognize that they represent a deviation from your risk management policies and get Board approval for the exception. And if you choose to classify them as policy exceptions, you should be prepared to explain the potential impact of the higher risk to the organization, and exactly how the higher risk is justified while adopting management oversight.


[1] Rising Use of Consumer Technology in the Workplace Forcing IT Departments to Respond, Accenture Research Finds

Write a Comment