BYOD Bound


Software aids secure use of personal mobile devices in the workplace

By Kathryn Jackson Fallon

Everyone works, and everyone plays. As more people blend their work and leisure activities on the go, more community banks are permitting their employees to use personal mobile devices both while on and off the clock.

“I know a few [community banks] that are completely BYOD, where there are no corporate-issued devices,” says Daniel Turner, an information systems officer at Community First Bank in Boscobel, Wis. “I think you’re going to see a broad range of different solutions being implemented, as each bank is unique in its requirements.”

While encouraging greater staff productivity, however, so-called bring-your-own-device workplace options complicate a bank’s data security efforts. But where there’s a need, eventually software is developed to address it.

More than a dozen special mobile device management (MDM) software systems are filling the breach to allow community banks to safeguard and manage their bank’s data and systems while offering prized BYOD work environments. Such MDM systems centralize the support and the application and content management of personal mobile devices used by a workforce. Their pricing—either purchased with a one-time per-device fee or through a monthly subscription—is generally affordable to community banks.

Community First Bank, a $222 million-asset community bank with 79 employees, selected an MDM system to handle the mix of personal and corporate-issued mobile devices its employees use. The bank gave its officers the option to use either a corporate or personal device for business work, and it pays a stipend to those who use their personal device. The bank reviewed a number of vendors before choosing an MDM system from AirWatch LLC in Atlanta. The software uses encryption, complex security passwords and remotely activated locks for devices.

“Make sure you clearly understand which devices you’re going to allow, because there are a lot of them.”
—Daniel Turner, Community First Bank

MDM systems should have at least dual password protections and encryption for company emails sent from the personal devices of staff members, Turner says. But he says the most important security feature for Community First Bank is an ability to wipe all data remotely from a personal device an employee uses for work.

James Gordon, senior vice president of information technology at $1.5 billion-asset Needham Bank in Needham, Mass., oversees a proliferation of personal smartphones, tablets and other mobile devices that many of the bank’s 175 employees use on the job. The bank uses a system from MobileIron Inc. in Mountain View, Calif.

Gordon stresses the importance of all banks having clear, well-thought-out data security policies concerning personal mobile devices, regardless of whether they allow their employees to use personal devices for work. He also advises thorough risk assessments of BYOD policies. “Make sure that IT can clearly communicate what the business challenges are, with continuing business as usual, and what executive management can expect to see on the cell phone bill.”

Needham Bank’s BYOD policy, for example, spells out that its employees can download various outside-the-bank apps on their personal devices, but no customer data should be loaded into any outside apps. “Make sure you clearly understand which devices you’re going to allow, because there are a lot of them,” Community First Bank’s Turner adds. “Especially when you get into the Android market, there are so many and it can get very confusing very quickly, and sometimes your MDM won’t work with them.”

Gordon and Turner also recommend that community banks check that an MDM system passes muster with third-party technology audits, and whether a system supports multiple personal mobile device platforms.

Regardless, the BYOD trend affects all community banks, regardless of whether they adopt an official policy on whether their employees can use personal devices for work, points out Raj Patel, information technology consultant partner with Plante Moran LLP in Southfield, Mich. That’s because community bank employees already are bringing various personal mobile devices to work, he says.

“My advice would be to perform a risk assessment first,” Turner advises. “You really need to understand the risks and you need to put in as many mitigating factors for those risks until you’re comfortable with the exposure, and make sure that you have the appropriate policies and user agreements [in place].”

He adds, “Make sure they have some teeth in them.”

Kathryn Jackson Fallon is a writer in New York.