A Compliance Officer’s Role in Mitigating This Risk
Mobile computing presents a unique set of challenges to compliance officers. Our devices are truly omnichannel and not just dedicated to one aspect of our lives. No organization can be fully compliant with data protection regulations when its staff carry personal devices with sensitive information on them; many of these devices are likely to be stolen or compromised at some point.
Mobile computing presents unique challenges to compliance officers in banking – challenges that may not be fully understood, in part because of the high number of factors involved and their potential for complex interaction. These factors include multiple devices being used for both work and personal reasons; mixed use of corporate, private and public networks; and known vulnerabilities in mobile software and hardware. A full list of all potential risks would be the product of all possible interactions of these factors. Compliance officers have a big role to play in considering and dealing with the human, process and technological aspects of these risks and their mitigations.
People increasingly expect to use their own devices for work – from connecting to corporate networks, systems and services via VPNs from home desktops and laptops, to loading work email accounts onto personal smartphones, to accessing other forms of work collaboration such as instant messaging, VoIP, portals, blogs, wikis and groupware from multiple devices, including tablets and wearables. The boundaries between work and personal life have not merely blurred or evaporated; they have become irrelevant.
Ubiquitous mobile computing is here at last and here to stay. Our devices are truly omnichannel and not just dedicated to one segment (channel) of our lives. Cloud computing increases mobility and the pervasiveness of work in our lives. Can any organisation that has private, confidential, or sensitive information attached to emails on personal phones, tablets, or laptops carried outside of the workplace claim to be fully compliant when over 20 percent of all mobile phones manufactured will be lost or stolen at some point?
Though email attachments on phones are a massive source of noncompliance (typically thousands of devices in a bank may be breaching the data protection laws of the home country because of the content of email attachments and the ease of accessing them), they are not the only source. Temporary and cached files on mobile devices are also a risk, as they can contain data that should be protected, such as VPN connection details, network addresses and log-in information. This is an example of a risk that is not commonly understood and is therefore often left with little or no mitigation.
A further risk comes from known security vulnerabilities in mobile apps installed on phones, including social media, blogs, etc. App vulnerabilities can provide easy access for malware, which can then spread into the corporate network (which is the point of much malware). So bad is the issue of insecure apps that any institution holding client data should consider issuing a regular list to staff of apps that are currently a concern (new versions may remedy problems quickly, so there is no need to damn an app forever). Issuing watch lists and asking for care and common sense is arguably a better approach than banning certain apps. Trusting people who are given the right information and who work in the right culture to do the right thing has to be the preferred model. Let’s face it: they were hired because they were regarded as responsible enough to be working in banking and financial services in the first place.
Another constant vulnerability in mobile computing is the possible loss of hardware. Owners of mobile devices (personal and corporate) should never underestimate the importance of basic security features such as password protection, two-factor authentication, encryption and the ability to wipe or lock devices remotely if lost.
As well as the vulnerabilities listed above, network security in mobile computing should be a concern for all compliance officers. Most public Wi-Fi hotspots are unencrypted, so anyone within range can eavesdrop on any data you send and receive – for example, emails with attachments containing client data, which are sent all day every day in financial institutions. In many major cities, hotel Wi-Fi networks are being scanned remotely and constantly from adjacent buildings by criminals intent on perpetrating identity theft against guests buying goods and services. The same is true of train stations in all the major cities of the world. Rather than stealing the sender’s data, criminals are even happier to steal your clients’ data, as those data are typically sent in tranches. That is one of the reasons encryption is so important in email and other corporate systems: your employer and your clients are less exposed if you are sent something confidential while connected to a public Wi-Fi hotspot.
Formal bring-your-own-device (BYOD) models and policies – which are common in many industries, including banking – appear to be a nice approach to mitigating risk. In theory, they allow the flexibility and increased efficiency that organisations and their workers desire while mitigating risk through policies that address the specific risks of mobile computing. But in reality, they suffer the same “shelfware” fate as most IT usage policies. Even if such policies are read and understood (modern compliance IT packages can, for example, force personnel to read policies and test their understanding at the end), they are often breached (knowingly or unknowingly) due to custom, practice and lax cultures. What most BYOD and IT compliance models lack is policing and consequences – perhaps because it is understood (but not spoken) that the most senior people are the most likely to be holding sensitive information on their devices while living busy lives with lots of travel, which puts the device and the information being stored or shared at the greatest risk of being stolen. No one wants to be in the position of having to discipline their CEO for a data loss arising from a breach of policy simply because they have disciplined less senior staff for the same offence.

Culture rather than technology is the biggest barrier to regulatory compliance generally, and especially in mobile computing. All organisations need their CEO to stand up and say how important good practice is in this field – and to say it loud and often. It cannot be left to compliance officers or the IT department alone. Senior people reporting themselves for breaches and telling colleagues what they did wrong (often by accident) is another great example of leadership that can change the organisation’s mindset for the better.
Another good practice is to treat IT usage policies for mobile computing (including BYOD) as platforms for continuous improvement – both in knowledge and practice and in culture (a culture where it is safe to say to a peer or someone more senior, “I don’t think you should be doing that,” is a good culture). One U.K. banking group is to be congratulated for having a culture where anyone seen showing disrespect for another person can be corrected by anyone of any seniority, without consequences for the person bringing the poor behaviour to the attention of the transgressor. Such a policy applied to mobile computing and data protection in banks would be very powerful. And that is what is required to keep regulatory compliance breaches arising from mobile computing to a minimum – a change of mindset and culture. We can never put the genie back in the bottle where mobile computing is concerned, but we can get much better at using technology safely.
So, what specific steps can organisations take to reduce the risk posed by mobile computing? Culture and leadership are most important, but in terms of processes and technologies, I recommend that compliance officers discuss the following with their colleagues in IT:
MDM (mobile device management). Applications that help with mobile data security, including mobile device inventory, remote configuration, data isolation, remote wiping and rogue app detection and remediation.
DLP (data loss prevention). Applications that protect data through encryption and content monitoring; they can block attempts to send confidential information to personal email accounts and can enforce the use of encryption on personal devices.
MAM (mobile application management). Applications that manage delivery and administration of enterprise software to corporate and personal mobile devices; assist with software delivery, software licensing, configuration, application life cycle management and usage tracking; and can also limit how corporate data is shared among mobile apps.
MIM (mobile information management). A security strategy for keeping sensitive data encrypted and allowing only approved applications to access or transmit it.
In conclusion, saying “mobile computing changes everything” would not be an exaggeration. It is possible that we still do not fully understand how profound a change the arrival of the smartphone wrought on our work and personal lives. What is also true is that banks and other financial services institutions have yet to come fully to grips with the consequences of that change. Dealing with the consequences of mobile computing needs to become an important factor in achieving and maintaining regulatory compliance, especially with regard to protecting private, sensitive and confidential data. In this, compliance officers have an important role to play.