Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Deena Coffman
Deena Coffman

6 Security Strategies for Mobile Employees

Though customer relations are often built around face-to-face interactions and in-branch service, much of the activity in today's financial institutions involves employees who are moving between different office locations, meeting customers offsite, and traveling to business functions

Whether it’s a mobile employee or an executive who travels from time to time, financial institutions must be diligent in providing data security no matter where business happens in this increasingly portable environment. Fortunately, a handful of practical and typically inexpensive solutions are available to mitigate these risks. Here are six suggestions: 

1. Make authentication a priority. Strong passwords -- those needed to access mobile devices as well as the credentials required to access information from them -- are a data protection measure that has been in place for years. But yesterday’s password policy is not strong enough to defend against today’s threats. A strong password policy that requires passwords of at least nine characters and passphrases (instead of passwords) that contain uppercase letters, lowercase letters, numbers, and special characters can slow down the password crackers that are available today. Processing power advances, coupled with the availability of password cracking as an online service, make getting past a traditional password a simple and inexpensive attack for any attacker.

A security policy should mandate that all mobile devices use encryption (and iPhone currently does not have full-device encryption, despite Apple’s claims). They should also use strong passwords as described above, and accounts should lock after 10 unsuccessful attempts, to prevent “brute force” attacks from becoming successful. The security team should receive an alert when an account is locked out, and any accounts that lock where the account owner did not cause the lock should be monitored for subsequent attack activity. Passwords should not be used for more than one account, and they should be changed every six months. Where it is practical, employ a two-factor or at least a two-step authentication. These simple protocols can go a long way toward protecting the organization and its data if a mobile device falls into the wrong hands.

2. Limit where data is stored, and use encryption. In some instances, the data held by a mobile device is more valuable (and more attractive to thieves) than the hardware itself. If you use an iPhone, you do not have the benefit of full-disk encryption, so data on a stolen device can be copied and mined. For devices with full-disk encryption, this is less of an issue. Another security measure gaining in popularity is the use of thin clients and similar software offerings that enable financial institutions to limit the amount of data residing directly on employees’ mobile devices. These platforms allow mobile users to access data through a web portal rather than downloading it onto the device. This way, if a smartphone or tablet goes missing, little if any sensitive data is at risk of exposure.

3. Lock down unauthorized devices quickly. Mobile users should be trained to notify the organization at the first sign a device may be missing. Most mobile device management (MDM) products offer the ability to remotely lock and/or wipe a device so that a thief only gets the device and not the valuable information or network access. Also, train employees to not send information, especially passwords, over public WiFi connections. Attackers will set up a WiFi connection point with a name that looks authentic to entice traveling executives to connect to the WiFi network and then send their account names and passwords through the unsecure network. The traveling employee gets a few minutes or hours of free Internet, but the attacker now has the account credentials of the employee. 

4. Train employees to spot suspicious connections, websites, and links. Much in the way email once carried the bulk of malicious attachments and links in what is called “phishing,” a similar tactic is used against mobile devices. An SMS message is sent with a message enticing the person to click on the link that then infects the mobile device. Similarly, Facebook Likes may be infected, and companies that issue mobile devices and allow employees to use the Facebook app on the company device are exposed. Train employees to avoid clicking on hyperlinks in Twitter or Facebook Likes that are associated with pop culture, current events, celebrities, musicians, etc. Sadly, attackers even use charitable causes to entice the empathetic to click Like and become infected. 

5. Beware of other applications that mine data for advertising. Even “legitimate” applications are indiscriminately capturing data on the device and using it for marketing or “research” purposes. It is common for free services, such as Google and Facebook, to make billions in revenue from the data they capture. This is so profitable that they do not need revenues from licensing their applications or charging subscription fees. The FTC has worked to provide some consumer protection, but historically the application developers have widely captured for use any information they can. Most will at least provide notice in the privacy policy, but this is rarely if ever actually read because it is lengthy and densely worded, using legal terms of art not easily interpreted by the general public. The risk to your financial institution is that an employee will allow a seemingly innocuous application that will then attach to your company data. 

6. Don’t forget antivirus. Antivirus protection is essential on a mobile device, as much as, if not more than, on your computer or laptop. Attackers are tuned to the growth of mobile devices along with the lack of security for both the devices and applications built on the devices. Remember to also monitor your antivirus status to know that it is receiving updates and still running. Some malware is built to first deactivate the antivirus protections. An out-of-date device report can alert you to problems quickly. Antivirus isn’t a “set it and forget it” function. IT should report to the head of security the status of antivirus for all severs, computers, and mobile devices.

Join the Women in Technology Panel & Luncheon at Interop on Wednesday, Oct. 1. How different are IT career paths and opportunities for men and women in 2014? Join your peers for an open forum discussing how to advance in an IT organization, keep your skills sharp, and build a mentoring network.

Deena Coffman is chief executive officer of IDT911 Consulting and has broad experience providing guidance to clients adopting technology or building programs relating to data privacy, data security, and electronic discovery. Prior to joining IDT, she was the chief operating ... View Full Bio

Register for Bank Systems & Technology Newsletters
Bank Systems & Technology Radio
Archived Audio Interviews
Join Bank Systems & Technology Associate Editor Bryan Yurcan, and guests Karen Massey and Jerry Silva from IDC Financial Insights, for a conversation about the firm's 11th annual FinTech rankings.