The benefits of BYOD apply to just about every vertical that might adopt it. Any organization can benefit from device and support cost savings and increased employee availability, engagement, and productivity. For enterprises in regulated sectors like financial services, however, things aren't so clear-cut. Compliance concerns and the often heavy penalties and PR consequences of a data breach mean BYOD security issues must be dealt with effectively before a rollout. Here are three ways VARs can help their financial services customers do so.
1. Know what data must be protected
Not all pieces of customer information are equal. Under data privacy regulations, different types of data require different levels of protection, ranging from data that must never be stored at all (for example, sensitive authentication data such as PINs and PIN blocks, per PCI DSS 3.0) to data that may be stored even in unencrypted form (again per PCI DSS 3.0, this includes cardholder names and card expiration dates).
Any organization's first step in combating BYOD security issues should be to identify which types of data are most likely to cause those issues and devise a plan to lock that data down. A close examination of the data privacy regulations with which your customers must comply provides a good starting point for data classification.
2. Know who can access protected data, and from where
Armed with a thorough understanding of what data assets are at stake and what's at risk, customers and their VARs can devise a data access and use policy that solves many of the BYOD security issues holding financial services organizations back.
Developing a data access and use policy for BYOD boils down to answering one simple question: Who can access what data, and from where? Not everyone in an organization needs cardholder or account information, for example, and not everyone in the organization needs to have access to that data outside the office. Here, turning again to relevant data privacy regulations can help build a foundation for a strong BYOD data access policy: regulations such as PCI DSS offer guidelines on data and network access control.
3. Implement the necessary technology for policy enforcement
Now that the organization has put together a list of its data assets and come up with a policy that clarifies how those assets can be accessed and used, by whom, and from where, it's time to look at what technologies can assist in policy enforcement and stop BYOD security issues in their tracks. At the very least, organizations must use Network Access Control (NAC) solutions to control which devices can connect to internal networks and network resources, and Mobile Device Management (MDM) solutions to validate device configurations and security settings and to enable remote wiping of lost or stolen devices. Organizations should also consider robust user activity monitoring solutions that can generate alerts for anomalous or suspicious activity.
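To make the three steps concrete, here is a small policy evaluator written for this article as an added example; it is not code from the original post or from any NAC, MDM or containerization product. It classifies data elements by storage rule (the two PCI DSS 3.0 examples above are used as given; the treatment of the PAN as "store only encrypted", the role names, the location names and the sample requests are all constructed assumptions), states who may read each element and from where, and then gates the decision on device posture of the kind an MDM or NAC integration would report. Every denial carries a reason string so the decision can be written to the activity-monitoring log.

```python
"""Added example: a minimal BYOD data-access policy evaluator.

Hypothetical code, not from the original post or any vendor product.
It models the article's three steps: classify data elements, state who
may access each class and from where, and enforce the policy using
device posture as an MDM/NAC product would report it.
Classification follows the two PCI DSS 3.0 examples in the post;
roles, locations, the PAN rule and the sample requests are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Storage(Enum):
    NEVER = "never store"                        # e.g. PINs / PIN blocks (PCI DSS 3.0)
    ENCRYPTED_ONLY = "store only encrypted"      # assumption: PAN-class data
    PLAINTEXT_OK = "may be stored unencrypted"   # e.g. cardholder name, expiry date


# Step 1: data classification, data element -> storage rule.
DATA_CLASSES = {
    "pin": Storage.NEVER,
    "pin_block": Storage.NEVER,
    "pan": Storage.ENCRYPTED_ONLY,        # assumption, not stated on the page
    "cardholder_name": Storage.PLAINTEXT_OK,
    "expiration_date": Storage.PLAINTEXT_OK,
}

# Step 2: who may read which element, and from where (constructed roles).
# Locations: "office" (corporate LAN) or "remote" (BYOD over the internet).
ACCESS_POLICY = {
    "pan":             {"roles": {"fraud_analyst"},            "locations": {"office"}},
    "cardholder_name": {"roles": {"fraud_analyst", "support"}, "locations": {"office", "remote"}},
    "expiration_date": {"roles": {"fraud_analyst", "support"}, "locations": {"office", "remote"}},
}


@dataclass(frozen=True)
class Device:
    """Posture as an MDM/NAC integration might report it (constructed fields)."""
    managed: bool          # enrolled in MDM
    encrypted: bool        # device storage encryption enabled
    containerized: bool    # corporate apps/data kept in a managed container


@dataclass(frozen=True)
class Request:
    role: str
    element: str
    location: str
    device: Device


def may_store(element: str, encrypted_at_rest: bool) -> bool:
    """Step 1 check: does storing this element comply with its classification?"""
    rule = DATA_CLASSES.get(element)
    if rule is None or rule is Storage.NEVER:
        return False                     # unknown elements are denied by default
    if rule is Storage.ENCRYPTED_ONLY:
        return encrypted_at_rest
    return True


def evaluate(req: Request) -> tuple[bool, str]:
    """Steps 2 and 3: access decision plus a reason suitable for audit logging."""
    rule = DATA_CLASSES.get(req.element)
    if rule is None:
        return False, "unclassified data element: deny by default"
    if rule is Storage.NEVER:
        return False, "element must never be stored or served to endpoints"
    policy = ACCESS_POLICY.get(req.element)
    if policy is None or req.role not in policy["roles"]:
        return False, f"role {req.role!r} not authorized for {req.element!r}"
    if req.location not in policy["locations"]:
        return False, f"{req.element!r} not permitted from {req.location!r}"
    # Step 3: device posture gate (NAC/MDM). Remote access requires a managed,
    # encrypted device; encrypted-only data additionally requires a container.
    if req.location == "remote" and not (req.device.managed and req.device.encrypted):
        return False, "unmanaged or unencrypted device: blocked by NAC/MDM policy"
    if rule is Storage.ENCRYPTED_ONLY and not req.device.containerized:
        return False, "encrypted-only data requires a corporate container"
    return True, "allowed"


if __name__ == "__main__":
    compliant = Device(managed=True, encrypted=True, containerized=True)
    personal = Device(managed=False, encrypted=False, containerized=False)
    samples = [  # constructed requests
        Request("support", "cardholder_name", "remote", compliant),
        Request("support", "cardholder_name", "remote", personal),
        Request("fraud_analyst", "pan", "remote", compliant),
        Request("fraud_analyst", "pan", "office", compliant),
        Request("fraud_analyst", "pin", "office", compliant),
    ]
    for r in samples:
        allowed, reason = evaluate(r)
        print(f"{r.role:>13} {r.element:<16} {r.location:<6} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The deny-by-default branches matter most in practice: an element that was never classified, or a request from a device the MDM has not enrolled, is refused rather than waved through, which is exactly the gap a BYOD rollout tends to open when classification and enforcement are done in separate projects.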
On top of these basic solutions, VARs and the organizations they serve may want to consider more advanced mobile security technologies, such as containerization software that can completely segregate personal and corporate applications and data on endpoints. Containerization can give the IT department more control over corporate apps and data usage while preserving the privacy of employees' personal applications and data.
BYOD security issues are serious business, as any financial services firm can attest. With the correct policy and security architecture in place, however, even banks and investment firms can enjoy the benefits of the BYOD trend. Are your customers ready? Tell us your thoughts in the comments.