CHICAGO – More than 80 percent of financial services respondents say their organization’s use of handheld devices had increased over the past two years, producing a growing security risk.

The survey findings reflect the broader concerns of respondents. Some 87 percent say they are concerned about the security of e-mail access to corporate server-based accounts and of remote access to corporate networks, and 85 percent say that access to Web-based e-mail has become a significant security concern.

As to specific wireless security concerns, more than 60 percent say their top-ranked worries are viruses or attacks on the corporate network, and the security of data during transmission over wireless or cellular networks. Loss or theft of wireless devices ranked third, with about 50 percent of financial services executives indicating a concern, despite recent high-profile cases of lost laptops with sensitive customer data.

“A year ago, the chief security concerns revolved around the potential loss or theft of smart phones and wireless devices, but the results of the [survey] clearly paint a very different … story,” says Mark Komisky, CEO of Bluefire Security. “As enterprises increasingly are using wireless devices to create and transmit new data and to access the most sensitive information sitting on their corporate servers, the risks are much greater.”

Analysts agree that the mobile device security challenge is a formidable one, and that many institutions have a long way to go.

Bob Egan, director of emerging technologies at TowerGroup, says that in general, the industry is backward from where it needs to go. Throughout the financial services industry, executives are stepping back into the future, acting as if mobile device access is an extension to their existing remote access policies (e.g. working from a home office PC). But smart phones and PDAs offer significant new variables on a number of fronts, given their ubiquity, storage capacity and ability to tap the Web.

“It’s a bit of a scary world,” says Bill Clark, a research vice president at Gartner. “There’s not much you have to do to take a PDA or smart phone for personal use and sync it up with a network. There are tens of millions of unprotected mobile devices out there.”

Brian Mitchell, vice president of technology controls for the investment bank at JPMorgan, says that mobile devices pose two broad challenges. The first is that, by nature, the enterprise does not have physical control of the devices as with PCs, making it a challenge to check and update configurations and software. “In the field, anything can happen, through loss, theft or the employee making changes,” he says.

The second challenge, Mitchell says, is the employee’s relationship with the device. Even if the bank owns the device, employees tend to take a more personal ownership of their phone, PDA or laptop than their office PC, “and so they may choose to do things with the device that they wouldn’t do with a desktop PC, such as downloading software, which can harbor viruses or malware. Since it’s not always connected to the network, our control over it is limited.”

Given this, it’s probably not surprising that about half of banks “have been hesitant to implement wireless support, given their conservative nature,” says Jacob Jegher, a senior analyst with Celent.

Take for instance Julie McLacken, IT security officer at First American Bank/Alabama National, who says simply, “we haven’t opened up that can of worms.” And Kirk Drake, vice president of technology at NIH Federal Credit Union, says that the bank permits wireless access on-site to the Internet, but it does not allow wireless access to the corporate network. “I don’t think the risk/reward is anything we’ll want to mess with anytime soon,” he says. “Wireless devices on the network just invite more regulatory scrutiny around security.” Both FIs use PortAuthority for data-leak prevention on their wired networks.

But barring mobile access is untenable in the long term, says Jegher, who opines that “in a couple of years, banks won’t have a choice; that’ll be the trend over the next five years. You’ll need a wireless policy in place. Eventually mobile-device security will catch up with you and you’ll have to integrate it. It’ll become part of your life.” Komisky says a bank client with 250,000 employees has recently gone through this evolution, at first wanting to prevent any wireless access to the network. Now, however, it’s opening its corporate e-mail to wireless devices.

Still, Drake’s concern about drawing unwanted regulatory scrutiny is well taken. Richard Gibbons, a former SEC/NYSE regulator now with QUMAS, a compliance-solution vendor, says the SEC is clearly watching wireless communications in the financial services industry intently, on guard that institutions do not permit the kind of loose information and disinformation that would have a deleterious impact on the integrity of the industry and the welfare of investors.

Adds Gibbons, “It’s a daunting task and a big issue for financial institutions,” particularly in material misstatements and omissions of facts when dealing with retail customers. “You can’t be with employees all the time, so you have to train them and hope they do the right thing all the time.”

The task is complicated by the SEC disinclination to get too specific when it comes to framing misbehavior and solutions. “Regulators do tend to be less than forthcoming,” says Gibbons. “We used to have a saying, ‘The more you endorse, the less you can enforce.’ But it behooves you to have rigorous policies and procedures in place, since regulators will cite control weaknesses with the same vehemence as actual violations.”

In other words, security around mobile devices is not just a competitive issue – i.e., not wanting to lose data to competitors, malicious insiders or hackers; it’s also a compliance issue, since mobile devices constitute a communication channel between financial institutions and their partners and customers. Despite the significance of the problem, analysts also say it’s not surprising that many IT groups are just getting around to addressing it. “With all the compliance issues and investment IT has made in having a customer view, they haven’t really approached the problem of the laptop, except to say, ‘I’m going to encrypt it,’” says Egan.

So what are some of the possible solutions? And what’s wrong with simply encrypting data on laptops? As Adrian Lane, CTO of IPLocks, a database security vendor, puts it: “The number of ways for information to leave an organization is mind-boggling; there’s almost no way to combat it. But the data has no value if it can’t be accessed.”

There’s no question that encryption can be a good way to protect data, but it can make it very difficult for authorized users to use the data quickly and efficiently. The main problem, analysts say, is that encryption relies on the user having a keycard at the ready, which can be lost, and encryption can make it awkward and time-consuming to access discrete pieces of data in a very large database. For instance, a mobile worker in a bank’s investment arm might just need three or four data points on a particular company to execute a trade in a hurry. The need to download and decrypt a large database would slow down the process and could result in lost business.

Banks that are committed to mobile access for their workers are turning to virtual private networks (VPNs) that encrypt the whole session. While there are split-tunnel and non-split (full-tunnel) VPNs, most banks, including JPMorgan, choose non-split VPNs to prevent an open channel between the corporate network and the wider Internet. What’s more, VPNs can scan the device for trouble each time it connects to the VPN, in case the employee has downloaded malware from the Internet. “The moment someone connects to the VPN we can scan for spyware,” says Mitchell. “We can automatically do a push to the devi
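As an added example (not from the article or from any bank named in it), the split versus non-split distinction above can be checked on a client by looking at its routing table: on a full tunnel every destination resolves via the VPN interface, while on a split tunnel only corporate prefixes do and the device keeps a direct path to the Internet. The script assumes a Linux client with an OpenVPN-style `tun0` interface; the two routing tables are constructed samples.

```shell
#!/bin/sh
# Added example: classify a client's `ip route` output as a full ("non-split") or
# split tunnel. Assumes Linux and a tun0 VPN interface (both assumptions).
# OpenVPN servers force a full tunnel with:  push "redirect-gateway def1"
# which installs the 0.0.0.0/1 + 128.0.0.0/1 pair below rather than replacing "default".

# Constructed sample: split tunnel, default route still via the LAN gateway.
SPLIT_ROUTES='default via 192.168.1.1 dev wlan0
10.10.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50'

# Constructed sample: full tunnel as installed by redirect-gateway def1
# (the host route to the VPN server itself legitimately stays on wlan0).
FULL_ROUTES='default via 192.168.1.1 dev wlan0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev wlan0'

# tunnel_mode ROUTES [IFACE]: prints "full" or "split".
tunnel_mode() {
  routes=$1
  iface=${2:-tun0}
  # Case 1: the default route itself points at the tunnel (some clients replace it).
  if printf '%s\n' "$routes" | grep -Eq "^default .*dev $iface( |$)"; then
    echo full; return 0
  fi
  # Case 2: OpenVPN's def1 trick, two /1 routes that are more specific than default.
  if printf '%s\n' "$routes" | grep -Eq "^0\.0\.0\.0/1 .*dev $iface( |$)" &&
     printf '%s\n' "$routes" | grep -Eq "^128\.0\.0\.0/1 .*dev $iface( |$)"; then
    echo full; return 0
  fi
  echo split
}

# On a live Linux client, run:  tunnel_mode "$(ip route show)"
```

A result of `split` on a device that is supposed to be on a full tunnel is the "open channel" the article's banks are trying to avoid, and is worth flagging in the same connect-time posture check that looks for spyware.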