Bracing for BYOD

Control over end user devices, once a given at so many companies, is loosening. Employees insist on being able to use their Apple, Android and BlackBerry devices for work and being able to access all their apps and files however they want to. Along with smartphones, consumers are adopting tablets such as Barnes & Noble Inc.'s Nook, Apple Inc.'s iPad, and Amazon Inc.'s Kindle.

To ride the tide, many banks are starting to craft Bring Your Own Device (BYOD) policies, which establish how employees who use personal devices at work can also access corporate assets.

"We allow just about any kind of device, but we only allow email and connection to the Outlook Exchange server access," says Jim Craig, vice president of marketing for 1st Advantage Federal Credit Union in Newport News, Va.

Like a lot of financial institutions just starting to draw up these policies, the credit union, which has assets of about $530 million and 57,000 members, is starting small.

1st Advantage is first allowing only senior-level executives to use personal devices like the iPad to access corporate assets. In this case, as with its policy governing laptops, users can't store any corporate information on the device, Craig says.

If executives are working from remote locations they must access company servers using the company's virtual private network. While 1st Advantage reimburses them for a portion of their plans, Craig says for security purposes, the credit union may consider policies like setting limits on how much data personal devices can access when they synch with corporate servers.

1st Advantage is also beginning to think about ways to loop in more of its employees, particularly as it launches a mobile banking suite for its customers. In conjunction with that, 1st Advantage sees potential for its representatives to use tablets such as the iPad to service customers in the branches. It's an option that an increasing number of bankers consider to be more interactive with consumers than the traditional method in which customer service representatives share sales brochures and documents with consumers; or turn around to enter information into a computer that's behind the rep on his or her desk.

By using tablets to engage customers, customer service representatives could start taking and processing applications on iPads, for example, Craig says. Reps can both enter data and continue speaking with consumers face-to-face.

Banks can no longer stubbornly resist this trend - the horses have already left the barn, experts say. With nearly 2 billion smartphones projected to be in use globally in the next two years, bank IT departments have no choice but to figure out the best policies for regulating use of personal devices in the workplace.

Much of the demand arises from the C suite, which want the utility, portability and comfort of their own devices.

"Executives themselves want to use personal devices, and you can't say to the CEO you can't get into the system," says Avivah Litan, vice president and distinguished analyst for Gartner Inc.

BlackBerry has long held the lead with smartphones for the business market, and IT departments favored them because they could easily lock the devices down and manage them from a secure server. Now more than 4,000 variations on devices that run on different operating systems are challenging the wit and verve of technology departments.

"The first thing [bank IT departments] need to consider is, do they have the infrastructure to handle this," says Jacob Jegher, a senior analyst with the research firm Celent. "They will need software that will be able to manage multiple devices; it is not just a standard BlackBerry anymore."

A number of companies, understanding the changes, have recently started offering technology that helps alleviate the problem.

The new BlackBerry Enterprise Server, to be released early next year, manages not only the BlackBerry, but also Android and iOS devices.

Similarly, the latest Microsoft Corp. Exchange Server can secure email across the different phone platforms, including wiping lost or stolen phones of their data.

And International Business Machines Corp. announced in November that it would offer what it calls Hosted Mobile Device Security Management service, a technology developed by Juniper Networks Inc. that lets off-site IT administrators wipe devices and manage the installation of antivirus software and passwords for phones that support Android, BlackBerry, iOS, Windows, and Symbian mobile operating systems.

"This is an area where the cloud will potentially create the ability to create a secure gateway which can extend to the mobile user," says Jeff Schmidt, executive global head of business continuity, security and governance for BT Global Services, a unit of BT Group PLC of London. BT consults with some of the top banks globally on things like BYOD policies.

Meanwhile, mobile software offerings from F-Secure Corp., Kaspersky Labs Ltd. and McAfee Inc. all sit on personal devices and can help lock them down, says Ramon Ray, a technology analyst in New York.

But experts say it's a trade-off. Employees may object to having their own smartphones restricted - they may no longer be able to visit social media sites or others they do in their leisure time.

"Just because you build this does not mean the users will come," Jegher says.

And many large financial institutions are wary of such policies altogether. USAA Federal Savings Bank in San Antonio, which is usually one of the most tech-forward financial institutions, forbids the use of personal devices to access corporate assets, though it says it may consider a BYOD policy.

"There are numerous security, human resource and legal issues that need to be addressed when considering implementation of such a policy," a USAA spokeswoman said by email.

Smaller banks are grappling with the corporate-personal divide as well.

"If it is their own device and they are using their own money to pay for the data plan, there are potentially all of these legal issues," says Sam Vallandingham, chief information officer and vice president of the $250 million-asset First State Bank in Barboursville, W.Va.

First State Bank does not let employees use their personal devices to access corporate systems, though it realizes it may have to change the policy soon.

It uses both the BlackBerry Enterprise Server and the most recent Microsoft Exchange Server, both of which can help manage mobile devices of all kinds. Still, it does not plan to open the personal device floodgates without more deliberation.

"The technology is making life easier, but it has increased the risk profile, and we have to manage this to keep our data secure," Vallandingham says.

Discussions with experts about how best to address "bring your own device" yielded these suggestions: Banks have to consider a whole range of educational initiatives around a BYOD policy. These might include clearly communicating to employees that their devices would no longer be exclusively for personal purposes and that for security reasons they might have a range of functions locked down and access to certain websites limited.

IT staff must also be trained about security differences in the different devices and operating systems, and the IT staff will also have to make sure the systems they design can support the different devices the bank accepts.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER