Commentary
Becca Lipman, 11:00 AM
BYOD Policy: Don't Reinvent the Wheel

Financial firms still feel overwhelmed by BYOD risks and challenges. But these can be addressed by a good policy, and the guidelines are already out there.

“I am unusual in the security community because I’m pro-BYOD,” says Michele Chubirka, network security engineer and blogger on information security trends for Packet Pushers. “Mostly because I think it's inevitable. You're arguing with reality. The concept of pervasive or ubiquitous computing is here. The revolution is over, we won.”

Unfortunately, most financial IT departments haven't figured that out yet. Many companies that would call themselves progressive in adopting BYOD are still not supporting Android devices. “I feel I've gone back in time. It's like there's something about BYOD and mobility that sends them into paralysis.”

Chubirka spent 13 years working in academia, which she calls the original BYOD environment. “You had to make this stuff work. There is no argument. The students come in every year, and you needed to be ready for the September surprise. You don't know what new device or operating system or hardware they’re coming with, perhaps it’s a drive that doesn’t connect to the network. So you learn to adapt.”


Consider the concept of the extended mind, she says. This is where you identify with the tools you use to complete a task. Tablets and smartphones are tools of cognition now, and what students or employees prefer to use. To forbid the tool and then hand them another phone doesn't seem very efficient or likely to succeed.

“This is a misunderstanding of what technology really means, and what it's come to mean in the 21st century. It's gotten beyond. It's transparent now. It's in everything. We have smart TVs and refrigerators and bathtubs, everything is connected to the network and yet with BYOD we continue to be held immobilized by lore and the risks. You're not doing your organizations any favors.”

Don't reinvent the wheel
Chubirka, who will speak about BYOD on the Mobility track at Interop New York, says firms don't really know where to start with BYOD. Technologists jump straight into the technology, but without a policy in place they don't know what they are actually supposed to build. “They spin and spin and spin, because they didn't work out all the other stuff on the front end.”

Worse, the policy people don't really understand BYOD, and there's nobody in the middle translating between the two groups. “That's where I see a lot of organizations fail.”

Her advice: Start with policies, procedures and guidelines, and don't reinvent the wheel. “Get the stakeholders in the room and get an agreement on policies and procedures. And yes, every department defines policies and procedures differently, but don’t argue, just do it the way they want.”

And there’s simply no need to start from scratch; borrow from what others have already done. Academia is a great place to start: universities are consensus-driven organizations that post their policies and procedures publicly, because their students are everywhere and need to be able to reach them. The National Institute of Standards and Technology (NIST) has great guidelines, and Gartner and the Corporate Executive Board have great templates as well.

She adds that one often overlooked yet critical component of BYOD is data classification. “Written into the policy is who is allowed to touch what, when are certain controls supposed to be at rest, when is it supposed to be encrypted in transit. Figure out your data type, like driver's license and Social Security numbers, ID numbers in conjunction with an email address, etc. Figure out what you have and how you're going to protect it. And that tells you how you're going to do BYOD with your policies.”

“Know the class of data and handling of that data type,” says Chubirka. “Build a framework so when someone tries to put certain data on a certain device, you know what kind of controls have to be in place. Once all that is done, now you can touch the technology.”

Chubirka acknowledges that to technologists this background work can seem boring, but it needs to get out of the way before they can get to the fun stuff.

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ...
Comments
Greg MacSweeney (User Rank: Author), 8/27/2014 | 12:03:05 PM
Is financial services any different?
One thing we constantly hear from financial services compliance experts is that banks struggle with BYOD because of all of the extra regulatory/compliance rules that banks face. But a good BYOD policy (even a template adapted from another company or industry), should be able to address the specific needs of banks, right?

Companies in other industries also face privacy laws and oversight from other regulators.
IvySchmerken (User Rank: Author), 8/27/2014 | 12:29:18 PM
Re: Is financial services any different?
I would argue that financial services is different since so much confidential information is flowing through the firm, and there are regulatory consequences to breaching data security. Following policies and procedures from other industries or standards from NIST sounds like a prudent way to move forward. Controlling a refrigerator with a smart phone is cool, but wiring money from a bank account that ends up in the wrong place can be a problem.
Becca L (User Rank: Author), 8/27/2014 | 1:42:03 PM
Re: Is financial services any different?
Healthcare may also have similar concerns given the rules around patient documents, but I agree FS is unique in its concerns. It would be bad news indeed if the wave of new smart devices were not accounted for in BYOD protocols, leaving accounts open to the wrong hands.
Jonathan_Camhi (User Rank: Author), 8/27/2014 | 4:55:39 PM
Re: Is financial services any different?
Beyond just having a good policy in place, there have to be safeguards for a potential breach no matter what. Even if a company restricts employees' access to the company's networks as much as possible (good luck with that), at some point some hacker will find a way into the organization's IT environment. The key is to have the back end monitoring and segmentation of different parts of the network that will limit any breach. I'd want to make sure that was all in place regardless of BYOD.
Kelly22 (User Rank: Author), 8/28/2014 | 9:50:48 AM
Re: Is financial services any different?
Good point, a strong BYOD policy is just one component of what should be an extensive security strategy. Even firms without a mobile policy (though they should have one) should take the necessary steps to protect against attacks throughout the organization.
IvySchmerken (User Rank: Author), 8/28/2014 | 11:54:30 AM
Re: Is financial services any different?
If a breach does occur, companies also need an incident response plan that takes into account who they should call and whether this escalates to reporting to a regulator.  Frameworks, policies, limitations are all important, but preparing for an actual incident is also vital.
KBurger (User Rank: Author), 8/28/2014 | 1:07:33 PM
Re: Is financial services any different?
If you think about it, financial services really could define the best practices and set the agenda for policies around BYOD, exactly because of the unique challenges and regulatory requirements. If FS can figure this out (or at least address it consistently and somewhat effectively), then any business, regulated or not, should be able to. Yet another opportunity to lead and set the agenda, if they so choose.
Kelly22 (User Rank: Author), 8/28/2014 | 1:31:25 PM
Re: Is financial services any different?
True, by establishing consistent policies around BYOD, financial firms can do more than protect their own information - they could also serve as a model for companies in other industries. 
Jonathan_Camhi (User Rank: Author), 8/29/2014 | 9:57:09 AM
Re: Is financial services any different?
Given that the JPMorgan breach apparently happened as a result of a phishing attack against an employee, I wonder how that might affect the conversation around BYOD at banks going forward. Shows how one false move by an employee can undo hundreds of millions in security investment.
Jonathan_Camhi (User Rank: Author), 8/29/2014 | 10:02:46 AM
Re: Is financial services any different?
It became much more vital after the news about the hacks against banks this week. If hackers could burrow deep into JPMorgan's network as quickly as the early reports indicate, then every bank needs to have a response plan in place like you say, and needs to be able to enact that plan very quickly.