Analyst firm Ovum predicts Bring Your Own Device (BYOD) is “here to stay,” noting that nearly 70% of employees use their tablets or phones to access corporate data, with 15.4% of them doing so without IT’s knowledge and nearly 21% in spite of established policy. IT at banking institutions should accept that BYOD is not simply a passing fad or an issue with just a handful of uncooperative employees. While there is certainly a strong demand for BYOD and banking industry firms are gradually accepting it, these companies are not always testing their networks to find the potential security problems that can come with BYOD.
BYOD does bring significant benefits, not just risks. It reduces equipment costs, can improve productivity and response times, and encourages employees to be more engaged with their work. According to research from audit, tax, and advisory firm Grant Thornton, more than 90% of senior executives and directors at the nation’s largest banks mark cyber security as their top concern. Given this concern, IT management should be doing more to protect their networks through testing.
According to data from Longitude Research, the costs of loss of customer trust resulting from a cyberattack on a bank are nearly double the amount of any monetary damages incurred. Banks are naturally seen as bedrocks of security, so a breach becomes a branding nightmare and a legitimate cause for customer concern. An attack that shuts down a bank’s network can be crippling, with cost-per-minute downtimes reaching into the millions of dollars. Even if the network is simply slowed by malicious traffic, the effects can be very detrimental to banking and finance firms.
Instituting a complete ban on BYOD is not likely to succeed, because the work/life barrier has shifted, and people will simply find workarounds in order to use their own devices. Remote wiping is obviously not okay when it comes to personal devices. IT staff also does not have enough time to check everyone’s devices (especially in bank branches where there might not be on-site IT). Employees might also engage in “jailbreaking” their devices so they can effectively hide their activities and work around corporate policy. Even with stringent protocols in place, employees will still use their devices, or services such as DropBox or iCloud to store documents.
Holes open quickly
With BYOD, breaches can happen quickly. Consider that an infected personal phone or tablet can jump defenses that might protect your corporate WAN link, but are easily defeated as soon as the device logs onto the corporate WiFi. IF IT does have good control of BYOD policy enforcement, they can still be thwarted by just one user that doesn’t perform a manual update or patch to an application, thereby opening up a security hole.
Testing is vital
Considering the risks and many avenues of potential breaches, proactive monitoring of the risks is crucial to protecting the network. A bank’s various network security components should be tested with large volumes of realistic traffic in order to best simulate breach attempts and needle-in-a-haystack scenarios. Advanced test solutions can produce traffic that represents millions of users and many different types of applications, which is vital given the increasing number of BYOD users.
Testing should be comprehensive and include the latest applications and updated malware definitions to ensure the latest threats are accounted for. Brute-force login attempts are on the rise, and DDoS attacks are increasing in both volume and severity, so testing needs to be robust in order to find these and other attack methods. Continuous testing should be in place to provide visibility to IT, with repeatable test scenarios running frequently so attacks are found as they happen, not days too late.
Banks should develop BYOD policies that allow employees to be productive and mobile while ensuring the network and customer data remains secure. Well constructed policies and in-depth training should complement proactive network testing which can find security holes before they are exploited.
Ankur Chadda is a product marketing manager at Spirent Communications covering the security and applications market. View Full Bio