Security
Becca Lipman
Commentary

BYOD Policy: Don't Reinvent the Wheel

Financial firms still feel overwhelmed by BYOD risks and challenges. But these can be addressed by a good policy, and the guidelines are already out there.

“I am unusual in the security community because I’m pro-BYOD,” says Michele Chubirka, network security engineer and blogger on information security trends for Packet Pushers. “Mostly because I think it's inevitable. You're arguing with reality. The concept of pervasive or ubiquitous computing is here. The revolution is over, we won.”

Unfortunately, most financial IT departments haven't figured that out yet. Many companies that would call themselves progressive in adopting BYOD are still not supporting Android devices. “I feel I've gone back in time. It's like there's something about BYOD and mobility that sends them into paralysis.”

Chubirka spent 13 years working in academia, which she calls the original BYOD environment. “You had to make this stuff work. There is no argument. The students come in every year, and you needed to be ready for the September surprise. You don't know what new device or operating system or hardware they’re coming with, perhaps it’s a drive that doesn’t connect to the network. So you learn to adapt.”


Consider the concept of the extended mind, she says. This is where you identify with the tools you use to complete a task. Tablets and smartphones are tools of cognition now, and what students or employees prefer to use. To forbid the tool and then hand them another phone doesn't seem very efficient or likely to succeed.

“This is a misunderstanding of what technology really means, and what it's come to mean in the 21st century. It's gotten beyond. It's transparent now. It's in everything. We have smart TVs and refrigerators and bathtubs, everything is connected to the network, and yet with BYOD we continue to be held immobilized by lore and the risks. You're not doing your organizations any favors.”

Don't reinvent the wheel
Chubirka, who will speak about BYOD on the Mobility track at Interop New York, says firms don't really know where to start with BYOD. The problem is that technologists jump right into the technology, but they don't really know what to do because there is no policy. “They spin and spin and spin, because they didn't work out all the other stuff on the front end.”

Worse, the policy people don't really understand BYOD, and there's nobody in the middle translating. “That's where I see a lot of organizations fail.”

Her advice: Start with policies, procedures, and guidelines, and don't reinvent the wheel. “Get the stakeholders in the room and get an agreement on policies and procedures. And yes, every department defines policies and procedures differently, but don’t argue, just do it the way they want.”

And there’s simply no need to start from scratch. Pay homage to what others have already done. Academia is a great place to start because these are consensus-driven organizations, and they post their policies and procedures publicly because their students are everywhere and they need to reach them. The National Institute of Standards and Technology (NIST) has great guidelines, and Gartner and the Corporate Executive Board have great templates as well.

She adds that one often overlooked yet critical component of BYOD is data classification. “Written into the policy is who is allowed to touch what, when are certain controls supposed to be at rest, when is it supposed to be encrypted in transit. Figure out your data type, like driver's license and Social Security numbers, ID numbers in conjunction with an email address, etc. Figure out what you have and how you're going to protect it. And that tells you how you're going to do BYOD with your policies.”

“Know the class of data and handling of that data type,” says Chubirka. “Build a framework so when someone tries to put certain data on a certain device, you know what kind of controls have to be in place. Once all that is done, now you can touch the technology.”
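The classification-driven framework Chubirka describes, sketched as an added example (this is not the article's, NIST's, or any vendor's code): detectors spot the data types the article names (Social Security numbers, driver's license numbers, and an ID number combined with an email address), the detected types roll up to a classification level, and the level dictates which controls a personal device must have before that data may land on it. The data-type patterns, the four class names, and the control names are all hypothetical choices for illustration; the sample records are constructed.

```python
import re

# Hypothetical detectors for the data types the article uses as examples.
# Real deployments would tune these to their own record formats.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "id_number": re.compile(r"\bID[- ]?\d{6,}\b", re.IGNORECASE),
    # Assumed format: a "DL" tag followed by 7-9 alphanumerics.
    "drivers_license": re.compile(r"\bDL[- ]?[A-Z0-9]{7,9}\b"),
}

# Classification levels, least to most sensitive (hypothetical names).
PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED = 0, 1, 2, 3
LEVEL_NAMES = {PUBLIC: "public", INTERNAL: "internal",
               CONFIDENTIAL: "confidential", RESTRICTED: "restricted"}

# Controls a personal device must present before data of each class
# may be stored on it. The control names are illustrative.
REQUIRED_CONTROLS = {
    PUBLIC: set(),
    INTERNAL: {"device_pin"},
    CONFIDENTIAL: {"device_pin", "encrypted_at_rest", "encrypted_in_transit"},
    RESTRICTED: {"device_pin", "encrypted_at_rest", "encrypted_in_transit",
                 "mdm_enrolled", "remote_wipe"},
}


def detect_types(text):
    """Return the set of sensitive data types found in a record."""
    return {name for name, pat in PATTERNS.items() if pat.search(text)}


def classify(types):
    """Roll detected data types up to a single classification level.

    An ID number on its own is only INTERNAL; the article's point is that an
    ID number *in conjunction with* an email address identifies a person,
    so that combination is escalated to CONFIDENTIAL.
    """
    if "ssn" in types or "drivers_license" in types:
        return RESTRICTED
    if "id_number" in types and "email" in types:
        return CONFIDENTIAL
    if types:
        return INTERNAL
    return PUBLIC


def missing_controls(text, device_controls):
    """List the controls a device lacks for the data it is about to receive."""
    level = classify(detect_types(text))
    return sorted(REQUIRED_CONTROLS[level] - set(device_controls))


def decide(text, device_controls):
    """Policy decision for placing a record on a device: (level, allowed, missing)."""
    level = classify(detect_types(text))
    missing = missing_controls(text, device_controls)
    return LEVEL_NAMES[level], not missing, missing


if __name__ == "__main__":
    # Constructed sample records and a device posture (PIN only).
    records = [
        "Quarterly newsletter draft",
        "Contact: jane@example.com, account ID-00012345",
        "Customer SSN 123-45-6789 on file",
    ]
    pin_only_device = {"device_pin"}
    for record in records:
        level, allowed, missing = decide(record, pin_only_device)
        verdict = "allowed" if allowed else "blocked, missing " + ", ".join(missing)
        print(f"[{level}] {record!r}: {verdict}")
```

The useful property is that the device decision never mentions a data type directly: it flows from the classification, so adding a new data type or tightening a class's controls is a one-line policy change rather than a rewrite of the enforcement logic.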

Chubirka acknowledges that to technologists this background work can seem boring, but it needs to be out of the way before they can get to the fun stuff.

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ...

Comments
Greg MacSweeney (User Rank: Author), 8/27/2014 | 12:03:05 PM
Is financial services any different?
One thing we constantly hear from financial services compliance experts is that banks struggle with BYOD because of all of the extra regulatory/compliance rules that banks face. But a good BYOD policy (even a template adapted from another company or industry), should be able to address the specific needs of banks, right?

Companies in other industries also face privacy laws and oversight from other regulators.
IvySchmerken (User Rank: Author), 8/27/2014 | 12:29:18 PM
Re: Is financial services any different?
I would argue that financial services is different since so much confidential information is flowing through the firm, and there are regulatory consequences to breaching data security. Following policies and procedures from other industries or standards from NIST sounds like a prudent way to move forward. Controlling a refrigerator with a smart phone is cool, but wiring money from a bank account that ends up in the wrong place can be a problem.
Becca L (User Rank: Author), 8/27/2014 | 1:42:03 PM
Re: Is financial services any different?
Healthcare may also have similar concerns given the rules around patient documents, but I agree FS is unique in their concerns. It would be bad news indeed if the wave of new smart devices were not accounted for in BYOD protocols, leaving accounts open to the wrong hands.
Jonathan_Camhi (User Rank: Author), 8/27/2014 | 4:55:39 PM
Re: Is financial services any different?
Beyond just having a good policy in place, there have to be safeguards for a potential breach no matter what. Even if a company restricts employees' access to the company's networks as much as possible (good luck with that), at some point some hacker will find a way into the organization's IT environment. The key is to have the back-end monitoring and segmentation of different parts of the network that will limit any breach. I'd want to make sure that was all in place regardless of BYOD.
Kelly22 (User Rank: Author), 8/28/2014 | 9:50:48 AM
Re: Is financial services any different?
Good point, a strong BYOD policy is just one component of what should be an extensive security strategy. Even firms without a mobile policy (though they should have one) should take the necessary steps to protect against attacks throughout the organization.
IvySchmerken (User Rank: Author), 8/28/2014 | 11:54:30 AM
Re: Is financial services any different?
If a breach does occur, companies also need an incident response plan that takes into account who they should call and whether this escalates to reporting to a regulator. Frameworks, policies, limitations are all important, but preparing for an actual incident is also vital.
Jonathan_Camhi (User Rank: Author), 8/29/2014 | 10:02:46 AM
Re: Is financial services any different?
It became much more vital after the news about the hacks against banks this week. If hackers could burrow deep into JPMorgan's network as quickly as the early reports indicate, then every bank needs to have a response plan in place like you say, and needs to be able to enact that plan very quickly.
IvySchmerken (User Rank: Author), 8/29/2014 | 10:25:15 AM
Re: Is financial services any different?
Banks, brokers, hedge funds, etc., need to be in a position to act quickly if a data breach occurs, especially if customer data is breached. I heard that cyber criminals typically take the passwords they've stolen and carve them into 100 chunks and then quickly resell them on the black market. So financial institutions need to have a plan in place to act upon any intrusion or breach they suspect has occurred rather than wait for days or weeks to report it.
KBurger (User Rank: Author), 8/28/2014 | 1:07:33 PM
Re: Is financial services any different?
If you think about it, financial services really could define the best practices and set the agenda for policies around BYOD, exactly because of the unique challenges and regulatory requirements. If FS can figure this out (or at least address it consistently and somewhat effectively), then any business, regulated or not, should be able to. Yet another opportunity to lead and set the agenda, if they so choose.
Kelly22 (User Rank: Author), 8/28/2014 | 1:31:25 PM
Re: Is financial services any different?
True, by establishing consistent policies around BYOD, financial firms can do more than protect their own information; they could also serve as a model for companies in other industries.
Jonathan_Camhi (User Rank: Author), 8/29/2014 | 9:57:09 AM
Re: Is financial services any different?
Given that the JPMorgan breach apparently happened as a result of a phishing attack against an employee, I wonder how that might affect the conversation around BYOD at banks going forward. Shows how one false move by an employee can undo hundreds of millions in security investment.
Becca L (User Rank: Author), 8/30/2014 | 7:25:51 PM
Re: Is financial services any different?
It paints a rather hopeless picture, I agree. But to avoid building any BYOD policy in today's tech-ubiquitous world is a nail in the company coffin. Have conversations, but also make real steps to implement BYOD. Michele rightly argues this is not to be avoided, despite the risks.
IvySchmerken (User Rank: Author), 8/30/2014 | 10:31:03 PM
Re: Is financial services any different?
BYOD has its risks, but clearly it's become the norm, and employees wouldn't want to work at companies that don't permit them to use their own devices. Companies are finding ways to mitigate the risks, though the threat of hackers trying to trick employees with phishing schemes and other shenanigans still exists.
Becca L (User Rank: Author), 8/31/2014 | 1:28:20 PM
Re: Is financial services any different?
A friend's father worked at a place where employees had to leave their cell phones in the car before entering their office (a financial services firm). They ran out at lunch to check personal emails and texts. That's no way to work, and no way for companies to attract good talent. As they say, "There has to be a better way."
Greg MacSweeney (User Rank: Author), 9/2/2014 | 9:15:37 AM
Re: Is financial services any different?
True... policies and technology safeguards are only part of the plan. In most cases, it seems, the user is the one who is the cause of a security breach. As with JPM, it was an employee and a phishing attack. JPM has a policy, but the employee didn't follow the policy, it seems.
IvySchmerken (User Rank: Author), 9/2/2014 | 11:31:21 AM
Re: Is financial services any different?
Employees in financial services should be more savvy. It's hard to know what happened unless and until there are more disclosures.
NJ_trader (User Rank: Moderator), 9/3/2014 | 6:25:22 AM
Re: Is financial services any different?
It's hard to know exactly what happened, but phishing is getting more sophisticated. Yes, most users know that the random email promising millions of dollars from a royal family member from somewhere in Africa is a hoax, but increasingly, phishing attacks are coming from what seem like legitimate sources.