Commentary
Deena Coffman

6 Security Strategies for Mobile Employees

Though customer relations are often built around face-to-face interactions and in-branch service, much of the activity in today's financial institutions involves employees who are moving between office locations, meeting customers offsite, and traveling to business functions.

Whether it’s a mobile employee or an executive who travels from time to time, financial institutions must be diligent in providing data security no matter where business happens in this increasingly portable environment. Fortunately, a handful of practical and typically inexpensive solutions are available to mitigate these risks. Here are six suggestions: 

1. Make authentication a priority. Strong passwords -- those needed to unlock mobile devices as well as the credentials used to reach information from them -- are a data protection measure that has been in place for years. But yesterday's password policy is not strong enough to defend against today's threats. A policy that requires passphrases (instead of passwords) of at least nine characters containing uppercase letters, lowercase letters, numbers, and special characters can slow down the password crackers available today. Advances in processing power, coupled with the availability of password cracking as an online service, have made getting past a traditional password a simple and inexpensive attack for any attacker.

A security policy should mandate that all mobile devices use encryption (and iPhone currently does not have full-device encryption, despite Apple’s claims). They should also use strong passwords as described above, and accounts should lock after 10 unsuccessful attempts, to prevent “brute force” attacks from becoming successful. The security team should receive an alert when an account is locked out, and any accounts that lock where the account owner did not cause the lock should be monitored for subsequent attack activity. Passwords should not be used for more than one account, and they should be changed every six months. Where it is practical, employ a two-factor or at least a two-step authentication. These simple protocols can go a long way toward protecting the organization and its data if a mobile device falls into the wrong hands.
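The controls in point 1 can be checked mechanically. The following is an added example, not code from the original article: a passphrase policy check using the thresholds stated above (at least nine characters; uppercase, lowercase, digits and special characters) and a lockout tracker that locks an account after ten failed attempts and records an alert line for the security team. The sample events at the bottom are constructed, and the treatment of a locked account (it stays locked until a person reviews the alert) is an assumption about how the review step would be implemented.

```python
"""Passphrase policy check and lockout monitoring for the controls in point 1.

Added example, not from the original article. Thresholds follow the text:
passphrases of at least nine characters mixing uppercase, lowercase, digits
and special characters; lock an account after ten failed attempts and alert
the security team when that happens.
"""
import string
from collections import defaultdict

MIN_LENGTH = 9      # article: "at least nine characters"
MAX_FAILURES = 10   # article: "lock after 10 unsuccessful attempts"


def check_password_policy(candidate: str) -> list:
    """Return the policy violations for a candidate passphrase (empty list = compliant)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    return problems


class LockoutTracker:
    """Count consecutive failed logins per account, lock at the threshold and
    record an alert for each lock so the security team can review it."""

    def __init__(self):
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked = set()                # accounts currently locked
        self.alerts = []                   # alert lines for the security team

    def record_failure(self, account: str) -> bool:
        """Register a failed login; return True if the account is (now) locked."""
        if account in self.locked:
            return True
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked.add(account)
            self.alerts.append(
                f"ALERT: {account} locked after {MAX_FAILURES} failed logins; "
                "confirm with the owner and watch for follow-on activity")
            return True
        return False

    def record_success(self, account: str) -> bool:
        """Register a successful login; return True if the login is allowed.
        A locked account stays locked until someone reviews the alert (assumption)."""
        if account in self.locked:
            return False
        self.failures[account] = 0   # a success resets the consecutive-failure count
        return True


def replay(events) -> LockoutTracker:
    """Feed (account, outcome) pairs, e.g. parsed from an authentication log, through the tracker."""
    tracker = LockoutTracker()
    for account, outcome in events:
        if outcome == "ok":
            tracker.record_success(account)
        else:
            tracker.record_failure(account)
    return tracker


# Constructed sample events (not real log data): one account is hammered to the
# threshold, another has a few failures and then logs in normally.
SAMPLE_EVENTS = [("a.lee", "fail")] * 10 + [("b.ortiz", "fail")] * 3 + [("b.ortiz", "ok")]

if __name__ == "__main__":
    print(check_password_policy("short"))
    print(check_password_policy("Blue-kettle rides 7 trains!"))
    tracker = replay(SAMPLE_EVENTS)
    print(sorted(tracker.locked))
    print("\n".join(tracker.alerts))
```

Running the script shows "a.lee" locked with one alert line and "b.ortiz" back to zero failures after the successful login; the alert text is what the article asks the security team to receive and follow up on.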

2. Limit where data is stored, and use encryption. In some instances, the data held by a mobile device is more valuable (and more attractive to thieves) than the hardware itself. If you use an iPhone, you do not have the benefit of full-disk encryption, so data on a stolen device can be copied and mined. For devices with full-disk encryption, this is less of an issue. Another security measure gaining in popularity is the use of thin clients and similar software offerings that enable financial institutions to limit the amount of data residing directly on employees’ mobile devices. These platforms allow mobile users to access data through a web portal rather than downloading it onto the device. This way, if a smartphone or tablet goes missing, little if any sensitive data is at risk of exposure.

3. Lock down unauthorized devices quickly. Mobile users should be trained to notify the organization at the first sign a device may be missing. Most mobile device management (MDM) products offer the ability to remotely lock and/or wipe a device so that a thief only gets the device and not the valuable information or network access. Also, train employees not to send information, especially passwords, over public WiFi connections. Attackers will set up a WiFi access point with a name that looks authentic to entice traveling executives to connect to it and then send their account names and passwords through the unsecured network. The traveling employee gets a few minutes or hours of free Internet, but the attacker now has the employee's account credentials.

4. Train employees to spot suspicious connections, websites, and links. Much in the way email once carried the bulk of malicious attachments and links in what is called “phishing,” a similar tactic is used against mobile devices. An SMS message is sent with a message enticing the person to click on the link that then infects the mobile device. Similarly, Facebook Likes may be infected, and companies that issue mobile devices and allow employees to use the Facebook app on the company device are exposed. Train employees to avoid clicking on hyperlinks in Twitter or Facebook Likes that are associated with pop culture, current events, celebrities, musicians, etc. Sadly, attackers even use charitable causes to entice the empathetic to click Like and become infected. 

5. Beware of other applications that mine data for advertising. Even "legitimate" applications are indiscriminately capturing data on the device and using it for marketing or "research" purposes. It is common for free services, such as Google and Facebook, to make billions in revenue from the data they capture. This is so profitable that they do not need revenues from licensing their applications or charging subscription fees. The FTC has worked to provide some consumer protection, but historically application developers have widely captured for their own use any information they can. Most will at least provide notice in the privacy policy, but this is rarely if ever actually read because it is lengthy and densely worded, using legal terms of art not easily interpreted by the general public. The risk to your financial institution is that an employee will install a seemingly innocuous application that then gains access to your company data.

6. Don't forget antivirus. Antivirus protection is essential on a mobile device, as much as, if not more than, on your computer or laptop. Attackers are tuned to the growth of mobile devices along with the lack of security for both the devices and the applications built on them. Remember to also monitor your antivirus status to know that it is receiving updates and still running. Some malware is built to first deactivate the antivirus protections. An out-of-date device report can alert you to problems quickly. Antivirus isn't a "set it and forget it" function. IT should report to the head of security the status of antivirus for all servers, computers, and mobile devices.
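The "out-of-date device report" in point 6 is simple to produce from an asset inventory. The following is an added example, not code from the original article: it classifies each device as stopped (antivirus not running, the condition malware that disables protection would produce), stale (no signature update within the threshold) or healthy, and summarizes coverage per device class for the head of security. The inventory records are constructed sample data, the field names are assumptions, and the seven-day staleness threshold is an assumed value the article does not specify.

```python
"""Antivirus status report for point 6: flag devices whose antivirus is not
running or has not received signature updates recently.

Added example, not from the original article. The inventory is constructed
sample data; the field names and the seven-day threshold are assumptions.
"""
from datetime import datetime, timedelta

# Constructed inventory: one record per managed server, computer or mobile device.
SAMPLE_INVENTORY = [
    {"name": "srv-core-01", "kind": "server", "av_running": True,
     "signatures_updated": datetime(2014, 9, 24, 6, 0)},
    {"name": "lt-finance-07", "kind": "computer", "av_running": True,
     "signatures_updated": datetime(2014, 9, 2, 6, 0)},    # signatures weeks old
    {"name": "ph-exec-03", "kind": "mobile", "av_running": False,
     "signatures_updated": datetime(2014, 9, 23, 6, 0)},   # protection switched off
    {"name": "tab-branch-12", "kind": "mobile", "av_running": True,
     "signatures_updated": datetime(2014, 9, 25, 1, 0)},
]

DEFAULT_MAX_AGE = timedelta(days=7)   # assumed: signatures older than this are "out of date"


def is_protected(device, now, max_age=DEFAULT_MAX_AGE):
    """True only when antivirus is running and its signatures are within max_age."""
    return device["av_running"] and (now - device["signatures_updated"]) <= max_age


def antivirus_report(inventory, now, max_age=DEFAULT_MAX_AGE):
    """Sort devices into stopped / stale / healthy buckets for the daily report."""
    report = {"stopped": [], "stale": [], "healthy": []}
    for dev in inventory:
        if not dev["av_running"]:
            # Antivirus not running at all: the article notes some malware
            # deactivates protection first, so this bucket is the urgent one.
            report["stopped"].append(dev["name"])
        elif not is_protected(dev, now, max_age):
            report["stale"].append(dev["name"])
        else:
            report["healthy"].append(dev["name"])
    return report


def coverage_by_kind(inventory, now, max_age=DEFAULT_MAX_AGE):
    """Per device class (server, computer, mobile), count protected vs. at-risk devices."""
    summary = {}
    for dev in inventory:
        counts = summary.setdefault(dev["kind"], {"protected": 0, "at_risk": 0})
        counts["protected" if is_protected(dev, now, max_age) else "at_risk"] += 1
    return summary


if __name__ == "__main__":
    now = datetime(2014, 9, 25, 9, 0)   # constructed report time
    for bucket, names in antivirus_report(SAMPLE_INVENTORY, now).items():
        print(f"{bucket:8s}: {', '.join(names) or '-'}")
    for kind, counts in coverage_by_kind(SAMPLE_INVENTORY, now).items():
        print(f"{kind:9s} protected={counts['protected']} at_risk={counts['at_risk']}")
```

The two functions are kept separate on purpose: the bucketed report is what an operator acts on device by device, while the per-class counts are the one-line status the article wants IT to hand to the head of security.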


Deena Coffman is chief executive officer of IDT911 Consulting and has broad experience providing guidance to clients adopting technology or building programs relating to data privacy, data security, and electronic discovery. Prior to joining IDT, she was the chief operating ...

Comments
Byurcan, User Rank: Author, 10/1/2014 | 2:14:49 PM
Re: Lockdown
Yes, or at least tape the phone to his arm or something.

Kelly22, User Rank: Author, 10/1/2014 | 2:13:31 PM
Re: Lockdown
Same here! I understand the security concerns behind reporting missing/broken phones, but it's hard to blame someone who doesn't want to tell their boss that their 4th device is gone. He might want to invest in one of those "lifeproof" cases - expensive but worth it (from what I've heard, anyway).

Byurcan, User Rank: Author, 10/1/2014 | 9:32:01 AM
Re: Lockdown
Wow, after the second time I would have been too scared to ask my employer for another phone.

Becca L, User Rank: Author, 9/30/2014 | 6:05:37 PM
Re: Security on the go
There was a time people didn't expect viruses on Macs because hackers only went after Windows PCs. The mindset is the same. I notice even a lot of the headlined hacks and data breaches fail to mention or focus on mobile's role.

Also, if I wanted to download antivirus software for my phone right now, I wouldn't know where to turn - I expect that app developers are taking care of this.

Becca L, User Rank: Author, 9/30/2014 | 6:02:03 PM
Re: Lockdown
I have a cousin who not too long ago replaced his work phone 4 times in a year. It was left behind on a bus, again in a cab, and twice broken. His supervisor was none too pleased, and he took his time telling them about the last missing-phone incident. I can't really blame him for this very human hesitation even while adamantly agreeing employees need to call in missing phones ASAP so they can comply with this lock-down security rule.

Becca L, User Rank: Author, 9/30/2014 | 5:58:26 PM
Re: Lockdown
I have never logged onto an unknown wifi, or someone's hotspot - it seems like mobile suicide. I find it hard to believe anyone would take that risk!

Byurcan, User Rank: Author, 9/25/2014 | 12:46:41 PM
Re: Lockdown
Indeed, but yet many people still do.

Kelly22, User Rank: Author, 9/25/2014 | 12:42:31 PM
Re: Lockdown
Good point. Also in relation to #3, I think using caution on public wi-fi should go without saying. That's a terrible place to share passwords or other private information.

Byurcan, User Rank: Author, 9/25/2014 | 12:28:18 PM
Re: Security on the go
Very true, but even in the current day where smartphones are ubiquitous, many people still don't think of them the way they do laptops, PCs, etc., and don't think about putting antivirus software on there.

Byurcan, User Rank: Author, 9/25/2014 | 12:27:04 PM
Lockdown
#3 is obviously something that should go without saying, but it's surprising how many employees using corporate devices don't realize the seriousness of the physical security of their phone.