Becca Lipman
Commentary
BYOD Policy: Don't Reinvent the Wheel

Financial firms still feel overwhelmed by BYOD risks and challenges. But these can be addressed by a good policy, and the guidelines are already out there.

“I am unusual in the security community because I’m pro BYOD,” says Michele Chubirka, network security engineer and blogger on information security trends for Packet Pushers. “Mostly because I think it's inevitable. You're arguing with reality. The concept of pervasive or ubiquitous computing is here. The revolution is over, we won.”

Unfortunately, most financial IT departments haven't figured that out yet. Many companies that would call themselves progressive in adopting BYOD are still not supporting Android devices. “I feel I've gone back in time. It's like there's something about BYOD and mobility that sends them into paralysis.”

Chubirka spent 13 years working in academia, which she calls the original BYOD environment. “You had to make this stuff work. There is no argument. The students come in every year, and you needed to be ready for the September surprise. You don't know what new device or operating system or hardware they’re coming with, perhaps it’s a drive that doesn’t connect to the network. So you learn to adapt.”

Consider the concept of the extended mind, she says. This is where you identify with the tools you use to complete a task. Tablets and smartphones are tools of cognition now, and what students or employees prefer to use. To forbid the tool and then hand them another phone doesn't seem very efficient or likely to succeed.

“This is a misunderstanding of what technology really means, and what it's come to mean in the 21st-century. It's gotten beyond. It's transparent now. It's in everything. We have smart TVs and refrigerators and bathtubs, everything is connected to the network and yet with BYOD we continue to be held immobilized by lore and the risks. You're not doing your organizations any favors.”

Don't reinvent the wheel
Chubirka, who will speak about BYOD on the Mobility track at Interop New York, said firms don't really know where to start with BYOD. The problem is technologists jump right into the technology but they don't really know what to do because there's no policy. “They spin and spin and spin, because they didn't work out all the other stuff on the front end.”

Worse, the policy guys don't really understand BYOD and there's nobody in the middle translating. “That's where I see a lot of organizations fail.”

Her advice: Start with policies and procedures and guidelines, and don't reinvent the wheel. “Get the stakeholders in the room and get an agreement on policies and procedures. And yes, every department defines policies and procedures differently, but don’t argue, just do it the way they want.”

And there’s simply no need to start from scratch. Build on what others have already done. Academia is a great place to start: universities are consensus-driven organizations, and they post their policies and procedures publicly because their students are everywhere and the policies need to reach them. The National Institute of Standards and Technology (NIST) has great guidelines, and Gartner and the Corporate Executive Board have great templates as well.

She adds that one often overlooked yet critical component of BYOD is data classification. “Written into the policy is who is allowed to touch what, when are certain controls supposed to be at rest, when is it supposed to be encrypted in transit. Figure out your data type, like driver's license and Social Security numbers, ID numbers in conjunction with an email address, etc. Figure out what you have and how you're going to protect it. And that tells you how you're going to do BYOD with your policies.”

“Know the class of data and handling of that data type,” says Chubirka. “Build a framework so when someone tries to put certain data on a certain device, you know what kind of controls have to be in place. Once all that is done, now you can touch the technology.”

Chubirka acknowledges that to technologists this background work can seem boring, but it needs to get out of the way before they can get to the fun stuff.

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ...

Comments
NJ_trader, User Rank: Moderator
9/3/2014 | 6:25:22 AM
Re: Is financial services any different?
It's hard to know exactly what happened, but phishing is getting more sophisticated. Yes, most users know that the random email promising millions of dollars from a royal family member from somewhere in Africa is a hoax, but increasingly, phishing attacks are coming from what seem like legitimate sources.
IvySchmerken, User Rank: Author
9/2/2014 | 11:31:21 AM
Re: Is financial services any different?
Employees in financial services should be more savvy. It's hard to know what happened unless and until there are more disclosures.
Greg MacSweeney, User Rank: Author
9/2/2014 | 9:15:37 AM
Re: Is financial services any different?
True ... policies and technology safeguards are only part of the plan. In most cases, it seems, the user is the one who is the cause of a security breach. As with JPM, it was an employee and a phishing attack. JPM has a policy, but the employee didn't follow the policy, it seems.
Becca L, User Rank: Author
8/31/2014 | 1:28:20 PM
Re: Is financial services any different?
A friend's father worked at a place where employees had to leave their cell phones in the car before entering their office (financial services firm). They ran out at lunch to check personal emails and texts. That's no way to work, and no way for companies to attract good talent. As they say, "There has to be a better way."
IvySchmerken, User Rank: Author
8/30/2014 | 10:31:03 PM
Re: Is financial services any different?
BYOD has its risks but clearly it's become the norm and employees wouldn't want to work at companies that don't permit them to use their own devices. Companies are finding ways to mitigate the risks, though the threat of hackers trying to trick employees with phishing schemes and other shenanigans still exists.
Becca L, User Rank: Author
8/30/2014 | 7:25:51 PM
Re: Is financial services any different?
It paints a rather hopeless picture, I agree. But to avoid building any BYOD policy in today's tech ubiquitous world is a nail in the company coffin. Have conversations, but also make real steps to implement BYOD. Michele rightly argues this is not to be avoided, despite the risks.
IvySchmerken, User Rank: Author
8/29/2014 | 10:25:15 AM
Re: Is financial services any different?
Banks, brokers, hedge funds, etc., need to be in a position to act quickly if a data breach occurs, especially if customer data is breached. I heard that cyber criminals typically take the passwords they've stolen and carve them into 100 chunks and then quickly resell them on the black market. So financial institutions need to have a plan in place to act upon any intrusion or breach they suspect has occurred rather than wait for days or weeks to report it.
Jonathan_Camhi, User Rank: Author
8/29/2014 | 10:02:46 AM
Re: Is financial services any different?
It became much more vital after the news about the hacks against banks this week. If hackers could burrow deep into JPMorgan's network as quickly as the early reports indicate then every bank needs to have a response plan in place like you say, and needs to be able to enact that plan very quickly.
Jonathan_Camhi, User Rank: Author
8/29/2014 | 9:57:09 AM
Re: Is financial services any different?
Given that the JPMorgan breach apparently happened as a result of a phishing attack against an employee, I wonder how that might affect the conversation around BYOD at banks going forward. Shows how one false move by an employee can undo hundreds of millions in security investment.
Kelly22, User Rank: Author
8/28/2014 | 1:31:25 PM
Re: Is financial services any different?
True, by establishing consistent policies around BYOD, financial firms can do more than protect their own information: they could also serve as a model for companies in other industries.