Corporate Compliance Insights
The Many Compliance Challenges of Mobile Computing

by Cliff Moyce
July 31, 2017
in Compliance, Featured

A Compliance Officer’s Role in Mitigating This Risk

Mobile computing presents a unique set of challenges to compliance officers. Our devices are truly omnichannel, not dedicated to one aspect of our lives. No organization can be fully compliant with data protection regulations while its staff carry personal devices holding sensitive information, because many of those devices will be lost, stolen or compromised at some point.

Mobile computing presents unique challenges to compliance officers in banking, challenges that may not be fully understood, in part because of the number of factors involved and their potential for complex interaction. These factors include multiple devices used for both work and personal purposes; mixed use of corporate, private and public networks; and known vulnerabilities in mobile software and hardware. A full list of potential risks would have to cover every possible interaction of those factors. Compliance officers have a big role to play in considering and dealing with the human, process and technological aspects of these risks and their mitigations.

People increasingly expect to use their own devices for work: connecting to corporate networks, systems and services via VPNs from home desktops and laptops; loading work email accounts onto personal smartphones; and accessing other forms of work collaboration such as instant messaging, VoIP, portals, blogs, wikis and groupware from multiple devices, including tablets and wearables. The boundary between work and personal has not merely blurred or evaporated; for most users it is simply irrelevant.

Ubiquitous mobile computing is here at last and here to stay. Our devices are truly omnichannel, not dedicated to one segment (channel) of our lives. Cloud computing increases mobility and the pervasiveness of work in our lives. Can any organisation that has private, confidential or sensitive information attached to emails on personal phones, tablets or laptops carried outside the workplace claim to be fully compliant when, by the author's estimate, over 20 percent of all mobile phones manufactured will be lost or stolen at some point?

Email attachments on phones are a massive source of noncompliance: in a typical bank, thousands of devices may be breaching the data protection laws of the home country simply because of the content of email attachments and how easy they are to open. But attachments are not the only source. Temporary and cached files on mobile devices are also a risk, because they can contain data that should be protected, such as VPN configuration, internal network addresses and saved log-in credentials. This is a risk that is not commonly understood and is therefore often left with little or no mitigation.
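The cached-file risk above is easy to check for on any folder that a device syncs or backs up to. The scanner below is an added example written for this article, not a tool from the author or from DataArt; the file names, the OpenVPN-style directives and the key=value credential patterns are assumptions about common formats and should be tuned to your own estate. It walks a directory, looks inside small text files for VPN configuration, explicit IPv4 addresses and saved secrets, and reports each hit with the secret value redacted so the report itself does not become a new leak.

```python
"""Scan a directory tree for cached VPN and log-in material sitting in cleartext.

Hypothetical example for this article, not code from the author or DataArt.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Assumed patterns: OpenVPN directives, generic key=value / JSON secrets,
# and bare IPv4 addresses (internal hosts leaking from cached configs).
PATTERNS = {
    "vpn-config": re.compile(r"^\s*(remote|auth-user-pass|tls-auth)\b", re.I),
    "credential": re.compile(
        r"\b(password|passwd|pwd|secret|token)\b[\"']?\s*[=:]\s*\S+", re.I),
    "ipv4-address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
MAX_BYTES = 1 << 20  # skip large binary caches; adjust to taste


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    excerpt: str  # secret value already redacted


def _redact(line: str) -> str:
    """Keep the key, hide the value: 'password=hunter2' -> 'password=***'."""
    return re.sub(
        r"(password|passwd|pwd|secret|token)([\"']?\s*[=:]\s*)\S+",
        r"\1\2***", line, flags=re.I)


def scan_file(path: str) -> list[Finding]:
    """Return one Finding per (line, pattern) hit in a single text file."""
    findings: list[Finding] = []
    try:
        if os.path.getsize(path) > MAX_BYTES:
            return findings
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            for n, line in enumerate(fh, 1):
                for kind, pat in PATTERNS.items():
                    if pat.search(line):
                        findings.append(
                            Finding(path, n, kind, _redact(line.strip())[:80]))
    except OSError:
        pass  # unreadable file: skip rather than abort the whole scan
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk root recursively and collect findings from every file."""
    out: list[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            out.extend(scan_file(os.path.join(dirpath, name)))
    return out


def build_sample_tree() -> str:
    """Constructed sample data: a cached VPN profile, its credential file,
    an app cache with an API token, and one harmless note."""
    root = tempfile.mkdtemp(prefix="mobile-cache-")
    os.makedirs(os.path.join(root, "vpn"))
    with open(os.path.join(root, "vpn", "corp.ovpn"), "w") as fh:
        fh.write("client\nremote vpn.example.test 1194\nauth-user-pass creds.txt\n")
    with open(os.path.join(root, "vpn", "creds.txt"), "w") as fh:
        fh.write("jdoe\npassword=Summer2017!\n")
    with open(os.path.join(root, "cache.json"), "w") as fh:
        fh.write('{"api": "10.20.30.40", "token": "abc123"}\n')
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("lunch at 12\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for f in scan_tree(sample_root):
        rel = os.path.relpath(f.path, sample_root)
        print(f"{f.kind:13} {rel}:{f.line_no}  {f.excerpt}")
```

Run against a real sync folder by calling `scan_tree("/path/to/backup")`; the constructed sample yields two VPN directives, two redacted secrets and one internal address, and nothing from the harmless note.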

A further risk comes from known security vulnerabilities in mobile apps installed on phones, including social media and blogging apps. App vulnerabilities can provide easy access for malware, which can then spread into the corporate network (which is the point of much malware). So serious is the issue of insecure apps that any institution holding client data should consider issuing staff a regular list of apps that are currently a concern (new versions may remedy problems quickly, so there is no need to condemn an app forever). Issuing watch lists and asking for care and common sense is arguably a better approach than banning certain apps. Trusting people to do the right thing, given the right information and the right culture, has to be the preferred model. Let's face it: they were hired because they were regarded as responsible enough to be working in banking and financial services in the first place.

Another constant vulnerability in mobile computing is the loss of hardware. Owners of mobile devices (personal and corporate) should never underestimate the importance of basic security features such as password protection, two-factor authentication, encryption and the ability to wipe or lock devices remotely if lost. Note that a remote wipe only takes effect if the device comes back online and is still enrolled; device encryption behind a strong passcode is what protects the data on a device that is never seen again.

As well as the vulnerabilities listed above, network security in mobile computing should be a concern for all compliance officers. Most public Wi-Fi hotspots are unencrypted, so anyone within range can eavesdrop on any data you send and receive, for example emails with attachments containing client data, which are sent all day every day in financial institutions. A hotspot that asks for a shared password is little better: other users who know the same password are still on the same network. In many major cities, hotel Wi-Fi networks are scanned remotely and constantly from adjacent buildings by criminals intent on perpetrating identity theft against guests buying goods and services. The same goes for train stations in all the major cities of the world. Rather than stealing the senders' own data, criminals are even happier to steal your clients' data, as those data are typically sent in tranches. That is one of the reasons encryption is so important in email and other corporate systems: if the mail client only ever talks to the server over TLS with certificate checking, and sensitive content is encrypted end to end, your employer and your clients are far less exposed when something confidential reaches you on a public hotspot.

Formal bring-your-own-device (BYOD) models and policies, which are common in many industries including banking, appear to be a sensible approach to mitigating risk. In theory, they allow the flexibility and increased efficiency that organisations and their workers want while mitigating risk through policies that address the specific risks of mobile computing. In reality, they suffer the same "shelfware" fate as most IT usage policies. Even if the policies are read and understood (modern compliance IT packages can force personnel to read policies and test their understanding at the end), they are often breached, knowingly or unknowingly, because of custom, practice and lax cultures. What most BYOD and IT compliance models lack is policing and consequences, perhaps because it is understood (but not spoken) that the most senior people are the most likely to be holding sensitive information on their devices while living busy lives with lots of travel, which puts the device and the information stored or shared on it at the greatest risk of theft. No one wants to be in the position of disciplining their CEO for a loss of data arising from a breach of policy when they have already disciplined less senior staff for the same offence.

Culture rather than technology is the biggest barrier to regulatory compliance generally, and especially in mobile computing. All organisations need their CEO to stand up and say how important good practice is in this field, and to say it loud and often. It cannot be left to compliance officers or the IT department alone. Senior people reporting themselves for breaches and telling colleagues what they did wrong (often by accident) is another great example of leadership that can change the organisation's mindset for the better.

Another good practice is to treat IT usage policies for mobile computing (including BYOD) as platforms for continuous improvement, both in knowledge and practice and in culture (a culture where it is safe to say to a peer or someone more senior, "I don't think you should be doing that," is a good culture). One U.K. banking group is to be congratulated for having a culture where anyone seen showing disrespect for another person can be corrected by anyone of any seniority, without consequences for the person bringing the poor behaviour to the attention of the transgressor. Such a policy applied to mobile computing and data protection in banks would be very powerful. And that is what is required to keep regulatory compliance breaches from mobile computing to a minimum: a change of mindset and culture. We can never put the genie back in the bottle where mobile computing is concerned, but we can get much better at using the technology safely.

So, what specific steps can organisations take to reduce the risk posed by mobile computing? Culture and leadership are most important, but in terms of processes and technologies, I recommend that compliance officers discuss the following with their colleagues in IT:

MDM (mobile device management). Applications that help with mobile data security, including mobile device inventory, remote configuration, data isolation, remote wiping and rogue app detection and remediation.

DLP (data loss prevention). Applications that protect data through encryption and content monitoring, can block attempts to send confidential information to personal email accounts and can enforce the use of encryption on personal devices.

MAM (mobile application management). Applications that manage delivery and administration of enterprise software to corporate and personal mobile devices; assist with software delivery, software licensing, configuration, application life cycle management and usage tracking; and can also limit how corporate data is shared among mobile apps.

MIM (mobile information management). A security strategy, rather than a single product, for keeping sensitive data encrypted wherever it is stored and allowing only approved applications to access or transmit it.

In conclusion, saying "mobile computing changes everything" would not be an exaggeration. It is possible that we still do not fully understand how profound a change the arrival of the smartphone wrought on work and personal lives. What is also true is that banks and other financial services institutions have yet to fully come to grips with the consequences of that change. Dealing with the consequences of mobile computing needs to become an important factor in achieving and maintaining regulatory compliance, especially in regard to protecting private, sensitive and confidential data. In this, compliance officers have an important role to play.


Tags: Banking, BYOD/Bring Your Own Device, Cloud Compliance

Cliff Moyce

Cliff Moyce is Head of the Finance Practice at DataArt. Cliff has spent most of his career transforming organizations in financial services and capital markets, from building and launching major new companies to automating trading at Europe's largest derivatives exchange and setting up a UK private equity company for a large Japanese conglomerate. Prior to joining DataArt, Cliff was COO at Credit Market Analysis, where he led the company through a period of significant change, culminating in its acquisition by McGraw Hill Financial. Cliff is a regular press commentator on topics such as the future of banking, IT security, transforming legacy systems architectures and fintech. He is a Fellow of the Institute of Management Services and holds an M.Sc. in Organisational Psychology from Birkbeck, University of London.
