Becca Lipman
Commentary

BYOD Policy: Don't Reinvent the Wheel

Financial firms still feel overwhelmed by BYOD risks and challenges. But these can be addressed by a good policy, and the guidelines are already out there.

“I am unusual in the security community because I’m pro BYOD,” says Michele Chubirka, network security engineer and blogger on information security trends for Packet Pushers. “Mostly because I think it's inevitable. You're arguing with reality. The concept of pervasive or ubiquitous computing is here. The revolution is over, we won.”

Unfortunately, most financial IT departments haven't figured that out yet. Many companies that would call themselves progressive in adopting BYOD are still not supporting Android devices. “I feel I've gone back in time. It's like there's something about BYOD and mobility that sends them into paralysis.”

Chubirka spent 13 years working in academia, which she calls the original BYOD environment. “You had to make this stuff work. There is no argument. The students come in every year, and you needed to be ready for the September surprise. You don't know what new device or operating system or hardware they’re coming with, perhaps it’s a drive that doesn’t connect to the network. So you learn to adapt.”

Consider the concept of the extended mind, she says. This is where you identify with the tools you use to complete a task. Tablets and smartphones are tools of cognition now, and what students or employees prefer to use. To forbid the tool and then hand them another phone doesn't seem very efficient or likely to succeed.

“This is a misunderstanding of what technology really means, and what it's come to mean in the 21st-century. It's gotten beyond. It's transparent now. It's in everything. We have smart TVs and refrigerators and bathtubs, everything is connected to the network and yet with BYOD we continue to be held immobilized by lore and the risks. You're not doing your organizations any favors.”

Don't reinvent the wheel
Chubirka, who will speak about BYOD on the Mobility track at Interop New York, said firms don't really know where to start with BYOD. The problem is that technologists jump right into the technology, but they don't really know what to do because there's no policy. “They spin and spin and spin, because they didn't work out all the other stuff on the front end.”

Worse, the policy guys don't really understand BYOD and there's nobody in the middle translating. “That's where I see a lot of organizations fail.”

Her advice: Start with policies, procedures and guidelines, and don't reinvent the wheel. “Get the stakeholders in the room and get an agreement on policies and procedures. And yes, every department defines policies and procedures differently, but don’t argue, just do it the way they want.”

And there’s simply no need to start from scratch. Pay homage to what others have already done. Academia is a great place to start because universities are consensus-driven organizations that post their policies and procedures publicly, since their students are everywhere and the policies need to reach them. The National Institute of Standards and Technology (NIST) has great guidelines, and Gartner and the Corporate Executive Board have great templates as well.

She adds that one often overlooked yet critical component of BYOD is data classification. “Written into the policy is who is allowed to touch what, when are certain controls supposed to be at rest, when is it supposed to be encrypted in transit. Figure out your data type, like driver's license and Social Security numbers, ID numbers in conjunction with an email address, etc. Figure out what you have and how you're going to protect it. And that tells you how you're going to do BYOD with your policies.”

“Know the class of data and handling of that data type,” says Chubirka. “Build a framework so when someone tries to put certain data on a certain device, you know what kind of controls have to be in place. Once all that is done, now you can touch the technology.”

Chubirka acknowledges that to technologists this background work can seem boring, but it needs to get out of the way before they can get to the fun stuff.

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ...
Comments
Greg MacSweeney,
User Rank: Author
8/27/2014 | 12:03:05 PM
Is financial services any different?
One thing we constantly hear from financial services compliance experts is that banks struggle with BYOD because of all of the extra regulatory/compliance rules that banks face. But a good BYOD policy (even a template adapted from another company or industry), should be able to address the specific needs of banks, right?

Companies in other industries also face privacy laws and oversight from other regulators.
IvySchmerken,
User Rank: Author
8/27/2014 | 12:29:18 PM
Re: Is financial services any different?
I would argue that financial services is different since so much confidential information is flowing through the firm, and there are regulatory consequences to breaching data security. Following policies and procedures from other industries or standards from NIST sounds like a prudent way to move forward. Controlling a refrigerator with a smart phone is cool, but wiring money from a bank account that ends up in the wrong place, can be a problem.
Becca L,
User Rank: Author
8/27/2014 | 1:42:03 PM
Re: Is financial services any different?
Healthcare may also have similar concerns given the rules around patient documents, but I agree FS is unique in their concerns. It would be bad news indeed if the wave of new smart devices were not accounted for in BYOD protocols, leaving accounts open to the wrong hands.
Jonathan_Camhi,
User Rank: Author
8/27/2014 | 4:55:39 PM
Re: Is financial services any different?
Beyond just having a good policy in place, there have to be safeguards for a potential breach no matter what. Even if a company restricts employees' access to the company's networks as much as possible (good luck with that), at some point some hacker will find a way into the organization's IT environment. The key is to have the back-end monitoring and segmentation of different parts of the network that will limit any breach. I'd want to make sure that was all in place regardless of BYOD.
Kelly22,
User Rank: Author
8/28/2014 | 9:50:48 AM
Re: Is financial services any different?
Good point, a strong BYOD policy is just one component of what should be an extensive security strategy. Even firms without a mobile policy (though they should have one) should take the necessary steps to protect against attacks throughout the organization. 
IvySchmerken,
User Rank: Author
8/28/2014 | 11:54:30 AM
Re: Is financial services any different?
If a breach does occur, companies also need an incident response plan that takes into account who they should call and whether this escalates to reporting to a regulator.  Frameworks, policies, limitations are all important, but preparing for an actual incident is also vital.
KBurger,
User Rank: Author
8/28/2014 | 1:07:33 PM
Re: Is financial services any different?
If you think about it, financial services really could define the best practices and set the agenda for policies around BYOD, exactly because of the unique challenges and regulatory requirements. If FS can figure this out (or at least address it consistently and somewhat effectively), then any business, regulated or not, should be able to. Yet another opportunity to lead and set the agenda, if they so choose.
Kelly22,
User Rank: Author
8/28/2014 | 1:31:25 PM
Re: Is financial services any different?
True, by establishing consistent policies around BYOD, financial firms can do more than protect their own information - they could also serve as a model for companies in other industries. 
Jonathan_Camhi,
User Rank: Author
8/29/2014 | 9:57:09 AM
Re: Is financial services any different?
Given that the JPMorgan breach apparently happened as a result of a phishing attack against an employee, I wonder how that might affect the conversation around BYOD at banks going forward. Shows how one false move by an employee can undo hundreds of millions in security investment.
Jonathan_Camhi,
User Rank: Author
8/29/2014 | 10:02:46 AM
Re: Is financial services any different?
It became much more vital after the news about the hacks against banks this week. If hackers could burrow deep into JPMorgan's network as quickly as the early reports indicate, then every bank needs to have a response plan in place like you say, and needs to be able to enact that plan very quickly.