“It’s because of Compushare’s intimate understanding of the risk management concerns of a financial services organization that they were selected as a partner.”
Mobile devices are the “go to” device for access to information at our fingertips. And, as platforms and applications continue to mature, tablet devices in particular will provide more than just readily available access to information; they’ll allow for convenient input and data uploading for community bank employees and clients. Snap and upload a picture or HD video, pay some bills, read your favorite newspaper or magazine, or even fill out an application for a new bank account. These are all things that, until a couple of years ago, were done with a visit to your local bank branch, but today are being done with a slew of mobile devices.
Of course, laptops can still be considered mobile devices, but true mobility and its catalyst come from touch screen tablets and smartphones. These devices are smaller and more accessible, and the interface is not a carryover from the desktop like that seen on laptops, but one designed specifically for the size, featuring user-friendly touch screen interaction. Unless you’ve been hiding under a rock, you are likely aware of the explosive growth of iPhones, iPads, Droids, the Kindle Fire, and the others in this space.
To some extent, the potential and opportunities that can be realized by packing so many features into such a simple and convenient tool are just starting to unfold. And, as with all opportunities, so are the risks. In this article, we’ll provide an overview of the opportunities, the risks, and what options are out there to address this brave new mobile device world we’re facing in financial institutions, and especially community banks.
We are just beginning to see the potential with this new medium. Some of the interesting early uses we’ve seen related to financial institutions were in consumer online banking, focused on bill pay and account management. What we can expect in the future are applications that are more business productivity focused for the community bank in the areas of lending, CRM, communications, analytics, and account management. Getting past this first wave of consumer focus to applications that are more business focused is exciting. Just imagine getting lenders and new accounts teams out of the branches and into the communities they serve.
Here are some examples that we are seeing out in the market today as well as some we can expect to see in the near future that showcase a handful of potential opportunities mobile devices can provide.
- Lenders looking up and having access to detailed customer account information seconds before they step into a business meeting.
- Signing up new accounts, up-selling, cross-selling, and otherwise making changes to customer accounts on the spot via a mobile device while sitting onsite at the customer’s office.
- Taking applications and setting up new accounts on an iPad or mobile device at an event.
- Filling out a loan application, running a credit check, and providing pre-approval on the spot anytime and anywhere.
- Pushing out board packets to the board of directors and allowing them to remotely review, annotate, take notes, and even collaborate in advance or during scheduled meetings.
- Easy access to key performance metrics and analytics with the ease and presentation that can only be delivered with a touch pad.
- Implementing trades and analyzing options on the spot through any device, anywhere.
- Voice, video, and real-time collaboration through wireless devices anywhere, at any time.
- All types of online training whether interactive or self-paced.
- Every bank operations manual, operating procedures, and processes all at your fingertips with one device versus the library of books and binders in use today.
The magic with all of these isn't necessarily what is being done; it's how it's being done. The mobility, ease of use, accessibility, and the overall convenience is the magic.
As with any new technology, risk is not far behind. Introducing these new mobile devices into the business environment has the potential to produce more opportunities but unfortunately adds additional risk exposure. Most of these risks are centered on information security, with the largest being privacy of customer non-public information. Unauthorized disclosure of information, whether it’s your customer’s personal or business information or your bank's confidential or proprietary information, is a significant threat when bank employees can now access information remotely. The broad connectivity options for access and the general ease of use are the aspects that not only help propel the popularity, but also open up the biggest challenges when it comes to controlling security. Whether unintentionally left behind in the office or the coffee shop, the mobile device poses a threat by its very nature of being "mobile." The fact that mobile devices are toted around most places we go increases the chances that one will be left behind or outright carried away by a thief. It can be argued that the biggest risk with mobile devices today is in the absence of any management or control of them. The fact that they may be infiltrating your environment, connecting to your email systems, and accessing your files from anywhere without your knowledge is certainly frightening.
What We Can Do
Fortunately we have tools to address most of these risks, although just like with any new technology, the tools we have to manage and secure may be as immature as the platform itself and it's somewhat of a moving target until we can hit that balance of functionality and management. As with many things in technology, the most fundamental tools to start with are the trusty staples in IT Risk Management. Think policies and risk assessments. A simple risk assessment will help define guidelines that will shape the policies addressing mobile devices. This assessment should be focused on clearly identifying the threats, the likelihoods, and the ultimate risks these devices expose. This will help shape what’s allowed, what's not allowed, and give guidelines for those in IT Management and Security to figure out the best ways to control the risks posed by the added functionality of mobile devices. Once the risks are understood and the policies agreed upon, banks need to implement the controls that will ensure policies are adhered to and monitored over time. It's in this area that we will see the most limitations and progress in the future. Below are several key management capabilities broken out into those basic controls that are readily available in popular systems, and then those that are more advanced and dependent on specialty or point solutions.
- Ability to centrally manage settings for selected devices
- Enforce use of complex passwords and actions taken on excessive failed attempts
- Forcing the screen to lock during extended inactivity
- Remotely erasing the mobile device’s applications and data if lost, stolen, or employee terminated
- Ability to restrict which users and devices can access which information
- Restricting by device serial number
- Restricting use of external memory
- Restricting installation of apps
- Restricting use of camera, Bluetooth, Wi-Fi, etc.
- Requiring encryption for network connectivity
- GPS device tracking
- Voice, app, storage, and network usage reporting
- Restrictions on opening and sharing files in apps
- Discretionary erasing of apps, data, and access to business systems (such as email)
This is not a comprehensive list and there are new solutions coming into the market regularly that address new areas, close gaps, and integrate into current systems. You can expect this area to grow rapidly over the coming years as we learn and adapt along the way.
Where to Start
As with many business processes and particularly important with information security controls for community banks, regular testing and monitoring of key program elements is critical to provide any level of assurance that the controls being implemented are effective. Starting with the basic controls will help everybody understand what your bank is "ok" with and what it's not while ensuring your management team is on the same page. Visibility and understanding in this area is key.
It doesn't have to be overly complex. Start with some conversations at the management level. How does your team envision leveraging “BYOD” (bring your own device) mobile devices? Get clarity on how you want to use them and what information needs to be allowed on them. Establish those basic guidelines and then have your IT team research and propose how they plan on meeting your needs at an acceptable level of security. Follow this up with a simple, yet documented risk analysis which highlights the greatest risks to your institution and how you plan to mitigate such risks. Then design a comprehensive policy followed by a detailed process around the controls that will be implemented in support of the policies. After that, you should be well on your way to responsibly leveraging these new and exciting information technology tools.
To help with the process, talk to the professionals at Compushare. They can help you with your research, basic guideline design, security planning, and documenting your risk analysis. To get there even faster, start thinking about a cloud deployment strategy for your community bank. Using mobile devices in the right cloud environment can virtually eliminate mobile device security challenges while allowing access from any device, anytime, anywhere. But most importantly, do something and do it today. Taking those first steps will get things in motion and put you in control versus being caught not paying attention. Stay flexible and update regularly as needs and capabilities change.
Jesse Pike | Client Technology Officer
CISSP, CRISC, CISM, CISA