COLORADO SPRINGS-As more and more employees bring their mobile devices to work, IT departments are faced with an ever-changing landscape filled with security and encryption pitfalls.
"There is an influx of consumer devices, which is catching IT departments off guard," acknowledged Ent Federal Credit Union's Director of Information Security, Ron Kimball. "Our IT department does all of the device and software research on premise to recommend corporate-approved devices, with approved anti-virus and whole disk encryption software, to insure compliance with our security policies."
Kimball who spoke on the challenge of BYOD: Bring Your Own Device, at the recent CUNA Technology Council Conference, implored that credit unions to have a mobile strategy in place as it pertains to BYOD. But he also conceded that many credit unions do not have the staff or funding for the all-important initiative.
"I have been working in the financial services industry for the last 12 years and understand that managing this type of initiative can be difficult for any organization, especially for those with limited staffing available," said Kimball.
Ent FCU's current corporate BYOD strategy allows only corporate-owned or approved iPhones and iPads for the approximately 150 employees out of 625 who have access to the credit union's network on these devices.
"Blackberry devices are also approved, though only two employees still use these devices and they will likely be phased out," he said. "Android devices typically have more malware issues, being that it is an open platform, so you can encounter more threats. We decided the risk was too great for them to make our list of approved devices today."
Five Steps Forward, Three Steps Back
While Kimball explained that he hoped that an enhanced BYOD platform would be fully rolled out by now, quick-paced technology updates has slowed forward motion. "Every time we take five steps ahead, we end up taking three steps back," he observed.
Ent FCU launched its BYOD program review process one year ago and is currently rolling it out to select users. The rapid change in the mobile market and the number of consumer devices pose significant security challenges for IT departments, explained Kimball. "It might be Windows 8 this week or the new Galaxy s3 the next, so having a solid strategy in place is critical."
In order to address security and encryption issues, Kimball and his team worked with an outside vendor. But that, too, caused problems as the first software program changed the user interface. "Ent FCU evaluated Mobile Device Management software options to help maintain control," said Kimball. "In some cases, the technology was more in line with corporate expectations, but the end-users didn't love it because it changed their experience. With another technology partner, we had to configure the software to our specific needs to allow for the user to interact with the device normally, but this is common and in our testing, users like it and it's working."
In Kimball's opinion, credit unions without a mobile device strategy are behind the mobile computing curve as the way in which sensitive information such as contacts and files are accessed has forever changed.
"These are now end point devices and it's important that IT departments don't lose control of the process and need a management interface," Kimball observed.
Related hurdles can also include allowing access to Wi-Fi and addressing issues such as password expiration dates and for Apple products, such as iPhones, avoiding the need for iTunes to sync with the credit union core system, which is burdensome due to photos and music files that also sync.
As Kimball and his team continue to monitor the beta rollout, he hopes for a first quarter 2013 hard launch. "There are updates to mobile devices and to Mobile Device Management platforms all the time, which requires that our IT department stays one step ahead of the changes. It's a challenging task, but one that's necessary for mobile security success."