Whether it’s a mobile employee or an executive who travels from time to time, financial institutions must be diligent in providing data security no matter where business happens in this increasingly portable environment. Fortunately, a handful of practical and typically inexpensive solutions are available to mitigate these risks. Here are six suggestions:
1. Make authentication a priority. Strong passwords -- both those that unlock mobile devices and the credentials used to reach information from them -- have been a data protection measure for years. But yesterday’s password policy is not strong enough to defend against today’s threats. A strong policy requires at least nine characters, favors passphrases over single-word passwords, and mixes uppercase letters, lowercase letters, numbers, and special characters; this slows down the password crackers available today. Advances in processing power, coupled with the availability of password cracking as an online service, make defeating a traditional password a simple and inexpensive attack for any attacker.
A security policy should mandate that all mobile devices use encryption (and iPhone currently does not have full-device encryption, despite Apple’s claims). Devices should also use strong passwords as described above, and accounts should lock after 10 unsuccessful attempts so that brute-force guessing cannot succeed. The security team should receive an alert whenever an account is locked out, and any account whose lockout was not caused by its owner should be monitored for subsequent attack activity. Passwords should not be reused across accounts, and they should be changed every six months. Where practical, employ two-factor or at least two-step authentication. These simple controls go a long way toward protecting the organization and its data if a mobile device falls into the wrong hands.
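The lockout-and-alert rule above, as an added example that is not part of the original article: it replays authentication events, locks an account at the tenth consecutive failure, raises an alert for the security team, and keeps counting any activity against the locked account so it can be watched. The log format, account names and addresses are constructed for illustration, and the judgement of whether the owner caused the lock is left to the analyst, who is given the source addresses involved.

```python
from collections import defaultdict
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 10  # the article's recommended limit on unsuccessful attempts

@dataclass
class AccountState:
    failures: int = 0            # consecutive failures since the last success
    locked: bool = False
    post_lock_attempts: int = 0  # any activity against an already-locked account
    sources: set = field(default_factory=set)

def parse_line(line):
    """Constructed format: '<time> <OK|FAIL> user=<name> src=<ip>' (not a real log format)."""
    ts, result, user, src = line.split()
    return ts, result, user.split("=", 1)[1], src.split("=", 1)[1]

def process_log(lines, threshold=LOCKOUT_THRESHOLD):
    """Replay the events in order; return (alerts, per-account state)."""
    states = defaultdict(AccountState)
    alerts = []
    for line in lines:
        ts, result, user, src = parse_line(line)
        st = states[user]
        if st.locked:
            # Whoever keeps knocking on a locked account is worth watching.
            st.post_lock_attempts += 1
            st.sources.add(src)
            continue
        if result == "OK":
            st.failures = 0  # a genuine login resets the counter
        else:
            st.failures += 1
            st.sources.add(src)
            if st.failures >= threshold:
                st.locked = True  # alert the security team the moment the lock happens
                alerts.append(f"{ts} LOCKOUT user={user} failures={st.failures} sources={sorted(st.sources)}")
    return alerts, states

def accounts_to_watch(states):
    """Locked accounts that saw further activity after the lock."""
    return sorted(u for u, s in states.items() if s.locked and s.post_lock_attempts)

# Constructed sample: alice mistypes twice then logs in; bob is hammered from two addresses.
SAMPLE_LOG = [
    "09:00:01 FAIL user=alice src=192.0.2.10",
    "09:00:05 FAIL user=alice src=192.0.2.10",
    "09:00:09 OK user=alice src=192.0.2.10",
] + [f"09:01:{i:02d} FAIL user=bob src=198.51.100.{7 + i % 2}" for i in range(10)] + [
    "09:02:00 FAIL user=bob src=198.51.100.7",
    "09:02:03 OK user=bob src=198.51.100.8",
]
```

Running `process_log(SAMPLE_LOG)` yields a single lockout alert for bob naming both source addresses, while alice's two mistakes followed by a successful login raise nothing.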
2. Limit where data is stored, and use encryption. In some instances, the data held by a mobile device is more valuable (and more attractive to thieves) than the hardware itself. If you use an iPhone, you do not have the benefit of full-disk encryption, so data on a stolen device can be copied and mined. For devices with full-disk encryption, this is less of an issue. Another security measure gaining in popularity is the use of thin clients and similar software offerings that enable financial institutions to limit the amount of data residing directly on employees’ mobile devices. These platforms allow mobile users to access data through a web portal rather than downloading it onto the device. This way, if a smartphone or tablet goes missing, little if any sensitive data is at risk of exposure.
3. Lock down unauthorized devices quickly. Mobile users should be trained to notify the organization at the first sign a device may be missing. Most mobile device management (MDM) products can remotely lock and/or wipe a device, so that a thief gets only the hardware and not the valuable information or network access. Also, train employees not to send information, especially passwords, over public WiFi connections. Attackers set up a WiFi access point with an authentic-looking name to entice traveling executives to connect and then send their account names and passwords through the unsecured network. The traveling employee gets a few minutes or hours of free Internet, but the attacker now has the employee’s account credentials.

Deena Coffman is chief executive officer of IDT911 Consulting and has broad experience providing guidance to clients adopting technology or building programs relating to data privacy, data security, and electronic discovery. Prior to joining IDT, she was the chief operating ...