“BYOD” quandary

On the surface, it seems like a no-brainer. Why not let your commercial lender use her own electronic tablet to efficiently enable deals with the bank, especially if the tablet is much more capable than anything the bank provides?

Under the surface, according to security and technology professionals, such a scenario is certainly a no-brainer—but in a brainless sense. Consider the risks stemming from the loss, unauthorized use, and/or viral infection of such devices: compromise of confidential information; litigation; damaged reputation; findings of noncompliance by examiners; and more.

Nevertheless, “bring your own device”—BYOD—has established itself as a growing business trend in general, and is seeping into the banking industry. Late last year, Accenture issued a global study that found one in four employees worldwide regularly use personal electronic consumer devices and applications for work-related activities, and 27% said they’d be prepared to pay for their own devices to use at work—despite employers’ concerns about security and IT protocol.

Numbers pertaining strictly to U.S. financial institutions aren’t available, but, anecdotally, industry technology providers see similarities. “There’s no shortage of banks, even our customers, wanting to introduce these newer devices into their organizations,” says Curt Frierson, chief technology officer for Safe Systems. “People are no longer settling for the fact that they have access to better technology in their private life than they do in their professional life … Now that they have access to these great new solutions, they’re basically not allowing compliance or an information security policy to be a barrier to utilizing this for their business.”

This is ironic, but Frierson’s colleague at Safe Systems, Tom Hinkel, director of compliance, agrees. “A few years ago, technology service providers, which we are for banks, were leading the push for new technology. The role is reversed now. We have financial institutions coming to us and saying they want to deploy all these cool devices, and we’re the ones putting the brakes on things.”

The security challenges

Two broad issues should concern bank management before BYOD comes through the lobby doors: basic security and regulatory compliance. If compromised, there could be dire consequences.

CompTIA, a trade association for the information technology industry, says in a new study that security considerations are the greatest risk involved in supporting mobility. The top challenges IT staff face, according to the study, are the downloading of unauthorized applications, lost or stolen devices, and mobile-specific viruses and malware. “Issues such as mobile device management and mobile security are really in the beginning stages,” says Seth Robinson, director of technology analysis at CompTIA. “Are you going to allow employees to bring their own mobile devices into the workplace? Which devices will you support? Organizations will have to strike a balance between business objectives and security objectives, which may not always be in sync.”

“If you think about the job of the security people..., their job was difficult enough when they had to maintain the security of their own devices, keeping track of software packages, patches, and various things. Now, you bring in the mix of anything you want into the workplace; it grows exponentially,” says Nicholas Percoco, senior vice-president at Trustwave, an information security company endorsed by ABA’s Corporation for American Banking.

Jeff Smith, chairman and CEO of Ohio Valley Bank, Gallipolis, says: “The thing that worries me more than anything else is … a customer calling me in the middle of the night and saying that somebody had obtained their account number and they know what their balance is. That’s a real reputational risk. It’s hard to rebuild after something like that occurs.”

For that reason, the bank looked into the pros and cons of allowing personal devices into the workplace. It decided only to allow Blackberrys that meet strict criteria set by the federal National Institute of Standards and Technology, and then to only allow access to company email. That’s it. No tablets, non-Blackberry smartphones, or anything else.

“Once we made the determination that if it’s minimally acceptable for government use, that’s the level that we have decided [is right] for us as an organization; that’s the level of security we want for our customer data,” says Gabriel Stewart, chief information security officer for Ohio Valley Bank.

Similarly, Oklahoma’s First Bethany Bank places strict limits on staff use of new technology, even as the bank seeks to find and embrace the best innovations for business.

“We struggled with this. This is something that we gave a lot of thought to. We issued [some of] our officers iPads … because we have a new mobile banking product. We wanted the officers to understand the product [in order to help customers sign up],” says Jane Haskin, president and CEO.

Again, though, that’s it. No nonbank-owned devices are allowed to do bank work, let alone connect in any way to the bank’s data systems. Even with these limited and highly controlled bank-owned devices, extraordinary security precautions are taken. “Our folks with these devices actually don’t touch our network per se,” says Gary Welsh, director of IT at First Bethany Bank. “What we did was establish a wireless access point.... It is segregated completely from our internal bank network. There is no viewing of files, no accessing any of the data that’s resident on the file server, our core processor. The one thing we did open was email.”

“Show me your mobile policy”

As if security concerns aren’t dire enough, consider the compliance ramifications, particularly those of the rules engendered by the Gramm-Leach-Bliley Act. “GLBA requires banks to have and maintain an information security program, a comprehensive plan that describes exactly how they are going to protect confidential information,” says Safe Systems’ Hinkel. “When an examiner comes in, he or she is going to look at your overall program and look at all the devices you have under the policy. They’re going to say, ‘We see where your patches are being applied to your desktops and your servers. Show me where this patch policy is being applied to your mobile devices.’”

The trouble is, says Trustwave’s Percoco, “Users will have devices that they may or may not be able to get security patches for. Someone could get a device from a carrier that’s free with a sign up of a plan, but within a year or so, that device is no longer supported.”

Ohio Valley Bank’s Stewart also points out: “Part of Gramm-Leach-Bliley is we have to have adequate training by the IT staff. So if we don’t have certain standards of what we will support, we fall out of compliance there, or we’re going to have to train people on every hardware platform that may come into the bank.”

Which also is why First Bethany Bank is taking a cautious approach. “The examiners have not yet seen this in our environment. I did not want to run the risk of having a wide-open wireless, accessible, bring-your-own-device environment without the examiners having some review process,” says Welsh.

Management is responsible for getting staff on board, which may not be easy. Says Trustwave’s Percoco: “From an employee’s standpoint, when a company says, ‘If you want to use a device, I want to install device management on it to be able to see what the status of that device is,’ many times the employee’s first reaction is that the company wants to be Big Brother and wants to know what I am doing.”

Ohio Valley Bank instituted an awareness program and implemented it in phases to educate staff. Pass codes controlled by the bank, in addition to passwords and user IDs that staff might use on devices, also are strictly enforced at the bank.

Some technological solutions are available to prevent unauthorized devices from accessing bank systems. Evaluate these carefully against the bank’s strategic objectives, though, says Safe Systems’ Frierson, because their cost may be as much as would be gained through increased productivity.

Perhaps the most straightforward way to reach common ground with employees on this issue is for the bank to distribute up-to-date tools itself. “If there is a business case for us to use a particular type of device, we would evaluate it and make the decision to utilize it as a bank, and not depend on an employee to bring their own device,” says Gabriel Stewart.

Similarly, Jane Haskin says, “[If there’s] a device that the employee can show would help them do their job, then we want to provide the equipment they need to do their job efficiently.”

In any case, BYOD is an issue that is not going away. Says Accenture’s Jeanne Harris: “Employees are surprisingly willing to pay in order to use the technologies they love, at work, and as a result, they are going to use them, with or without their company’s approval.”