The evolving mobile landscape, including the bring-your-own-device trend, is requiring banking institutions to be mindful of emerging risks, says Jim Pitts, who oversees mobile financial services and vendor management for BITS, the technology policy division of The Financial Services Roundtable. Pitts says financial institutions are more at risk when it comes to mobile services and practices than many other sectors because of the types of transactions and sensitive information they manage.
When it comes to their BYOD policies, banks must address data loss prevention, application security and exposure liability management, he says in an interview with Information Security Media Group [transcript below].
Recently, BITS issued BYOD and mobile best practices for its member banks. Among those best practices, Pitts explains in the interview, are:
- Entering detailed BYOD agreements with employees;
- Updating legal reviews to ensure BYOD policies address emerging privacy laws;
- Documenting network points employees can access with mobile devices.
Pitts also discusses:
- Legal considerations surrounding BYOD policies;
- Setting limits and restrictions on how and when employees can use mobile devices to access big data;
- The authentication advantages of mobile devices.
Pitts has been project manager for BITS since March 2010. In addition to managing technology-centric projects, special interest groups and other initiatives, he focuses on mobile and vendor-management issues. Pitts is the author and producer of the "Surfing Payment Channels" book series focused on emerging payments technology and associated security and fraud issues.
BYOD Best Practices
TRACY KITTEN: BYOD, or bring-your-own-device, is not a new topic. Why is BITS issuing best practices now?
JIM PITTS: Specifically, we're taking another look at BYOD because of the proliferation of mobile devices in the work place. We're looking at BYOD that has been impacted by mobile technology.
KITTEN: Have new concerns recently emerged?
PITTS: Certainly the proliferation of mobile, as I mentioned. Technology is constantly changing. Security concerns are constantly changing. ... But specifically for this exercise, we were concerned about making sure we had mobile aspects covered and also the impacts that we're seeing from a new generation of workforce [members who] rely heavily on their mobile devices, and a lot of them prefer to use their own.
KITTEN: Do banking institutions feel that they might be behind other industries, where BYOD best practices are concerned?
PITTS: No. I would say just the opposite. It's a necessity that we stay out ahead of the curve, and I think we are ahead of the curve relative to BYOD and we're trying to stay ahead of it relative to the implications of some of the new mobile technologies. But I think the bottom line is you can't just look at BYOD once and let it go static. You've got to continually relook, update and keep up with all the changes going on.
Staying Ahead of the Curve
KITTEN: Are there any specific worries that you're hearing from banking institutions about mobile and BYOD?
PITTS: I'll say, by necessity, we've got to stay ahead of the curve. The adoption of mobile financial services in the U.S. is lagging behind the rest of the globe. That's primarily because people are highly confident in the payment systems that exist in the U.S., and there's not been the leapfrog opportunity, necessarily, in the U.S. for mobile financial services that you've seen in other markets. A couple of things are going on. We have an opportunity to watch the learning curve of the rest of the world, the folks that have gone to mobile because quite frankly their previous technology just didn't work and we're watching as they learn what the security risks are and what the challenges are. We're applying that because as adoption increases in the U.S., we're going to need to know all of that detail. Like I said, we're dedicated to actually staying ahead of the curve and not getting behind it.
KITTEN: BITS recently conducted a survey about mobile and BYOD. When was this survey conducted?
PITTS: It was actually a couple of surveys, running tandem, and we wrapped those up in December as part of our overall look at BYOD for mobile. The members wanted to do some information sharing comparatively to see where the top institutions in the U.S. stood relative to best practices around mobile security, which was one of the surveys, and then also BYOD policy for mobile. We conducted a couple of surveys and the point was to share some of our best ideas and take advantage of learning from each other.
KITTEN: Beyond mobile, what other areas were highlighted in these surveys?
PITTS: Security practices were the main focus of one survey, all specific to mobile, and we were looking at the concerns. We were looking at some of the practices, which are literally procedural practices, and then we were also looking at some of the better technology that's out there, and what our members are latching on to, to mitigate the threats they're concerned about. On the policy side, we had to review company rights relative to maintaining good security in a BYOD world, and again we are BYOD mobile-focused. We had to look at practices, employee rights and what their behaviors were like, and with all of that we had to focus clearly on technology and security. There are also some financial aspects. There are different ways these programs were being financed. In some cases, it's a shared financing of gear that's ultimately the employee's gear, and then, because of the nature of our industry and the world, there are lots of legal concerns as legal issues are constantly evolving, especially since this is a little bit of a new area.
Top Risk Areas
KITTEN: What risk areas are highlighted?
PITTS: Data loss was a prime concern to us ... but there are other areas of concern. Application security is a big deal with mobile, liability and legal issues as we talked about, and the new complexity of so many devices out there as endpoints or entry points accessing the system. Top of mind with mobile specifically is the lost or stolen device issue relative to it being an attractive piece of technology that's mobile and also could be left somewhere or perhaps easily taken.
But back to data loss, which of course was our key area of focus, we, in fact, were looking at data loss through the malware on mobile devices as one of our top priorities - data loss due to interrogation of the lost or stolen device, which I just mentioned, but also data loss due to the synchronization of mobile devices with cloud services and other unique and fairly new technology that's out there that's melding together in different ways; and then also data loss relative to transmission to and from the mobile device. Finally, we've always got to be concerned about the constant threat of potential intruders.
BYOD Challenges for Banks
KITTEN: What challenges would you say BYOD is posing for banking institutions that it doesn't pose for other industries?
PITTS: By the nature of what we do, the data is important. The data is associated with dollars, actual dollars and cents. We know that we're also, as an industry, a top cybertarget. All of those are factors driving our, I'll call it, obsession with security and things that we have to be concerned about when we're talking about employees that bring their own mobile devices. Our perspective is it is necessary that we have a goal of zero failure and we work toward that goal every day.
KITTEN: Would you say that the way we define BYOD has changed?
PITTS: I definitely think it's changing all the time, and for that reason, I would say never rest on your laurels. Always constantly review your mobile or your BYOD policies, but especially now the mobile policies because mobile is part of that moving target that's moving with a new velocity. The velocity of change with mobile technology is geometrically many times faster than we experience with basically Internet technology over the last decade. It's definitely a moving target. The other piece is that the legal issues are rapidly evolving and the velocity there is going to increase tremendously too. Also, because of the big data this touches, there are some huge challenges with managing e-disclosure and things like that.
KITTEN: Can you tell us specifically what some of BITS' recommended best practices are?
PITTS: One of the areas that requires a lot of focus is managing the employees, especially in the complicated world of bring-your-own-device. A lot of that is done by restricting access or restricting functionality relative to when it is okay to use a personal device. Things that have to be considered are also where you are and what kind of network you are on. Are you on the office network, which is easier to manage? Are you at home on your private network, or are you at Starbucks on a public network? In all cases, you've got to establish security assurance levels that work for those circumstances. Part of that means I'll allow or restrict access based on the functionality the employee is trying to access on their mobile device. Basic e-mail might be available in all cases, whereas accessing secure files and things like that may be restricted to the office network.
The way you do this is strong technology, and there are a lot of mobile-specific technologies that help you out there. But there are some of the basic good security technologies like containers, virtual machines and VPNs. With mobile, like I said, it's very important to do effective mobile device management. Something that's wonderfully unique and special about mobile is there are so many ways to use multi-factor authentication because the device has all these wonderful tools associated with it, including voice authentication and visual authentication using facial contour with the camera. There are some folks out there playing with thumbprint or fingerprint authentication. It's got a built-in keyboard and a built-in digital keypad as well, so you can do question-and-answer passwords and PINs. Beyond that, there's device identification that you could couple with user identification and pair those up if you need to do that. You could look at GPS. There's just a myriad of things that we're going to be able to raise the bar with in financial services using these devices. That's an opportunity.
Having a Policy
KITTEN: Are there any other areas that touch mobile security that you would like to leave our audience with?
PITTS: I think there are a lot of challenges out there, specifically in the banking industry. I think one of the important things to share with all financial institutions is they should, if they're going to allow employee use of mobile devices as part of their business, have a policy and an agreement with those employees to make sure they have that well-managed and covered by their view of best practices. Basically, those practices and the security levels with the access, functionality and all those things that go with it should be a factor of the institution's needs, their risk tolerance and the technologies they have chosen to enable their BYOD mobile program.