It's your employees' technology ... but your problem.
No bank official understands that simple truth of today's workplace better than someone like James Gordon, the chief information officer at Needham Bank in Massachusetts, who is trying to cope with a huge influx of smartphones, tablets and other devices that employees are bringing from home and want to use on the job, too.
"Managing [information technology] for 200 employees used to mean supporting 200 computers, 50 printers and 20 servers," Gordon says. "Now, 200 employees means 50 printers and 20 servers but it also means 200 iPads, 200 iPhones and many other devices. It's taking on a world of its own. I often go to sleep at night thinking, how do we even support this?"
Other banks are facing similar challenges, according to a recent Ponemon Institute survey of bank IT and security practitioners. They expect the average number of smartphones used in their companies to grow to 14,000 from 7,430 in a year. And 69% believe smartphones and tablets will replace most desktops and laptops.
A partial answer is mobile device management software that helps track and enforce company policy on employees' devices, particularly for so-called BYOD environments. (Depending on whom you ask, BYOD stands for "bring your own device" or "bring your own disaster.")
MDM software has been available for a while, but it is being slowly adopted by banks.
Many of these banks once used only BlackBerry products, but the Ponemon study found that 23% of banks are migrating from BlackBerry to a multi-OS mobile environment and 18% plan to do so.
And a recent Forrester survey found that 20% of "mobile decision-makers" at U.S. companies with more than 1,000 employees are so eager to use their own devices that they would be willing to help pay for the opportunity; 11% said they would be willing to pay the entire cost if they could get the smartphone of their choice.
Another driver for MDM software in banking is the Federal Financial Institutions Examination Council's guidelines on cloud computing, which were issued in mid-2012 but are still being digested by many in the industry. The regulators say, among other things, that banks must know where their data is at all times.
At the $1.4 billion-asset Needham Bank, MDM software from MobileIron has helped with regulatory compliance and automatic provisioning. "It gives auditors an increased level of comfort that we know exactly what's going on with that fleet [of devices]," Gordon says. "We can also help users set up devices more rapidly than we would have otherwise."
A recent IT project proved the software's worth, Gordon says. The bank redeployed a wireless network, setting up sub-networks to handle data security and software distribution separately for executives, IT and general users.
"We didn't have to go visit 200 devices," Gordon says. "With a couple of clicks, we were able to deploy that wireless network out to all those devices." And only the network administrator knows the network passwords, an added plus.
Needham was an early adopter of iPhones in 2008 and eagerly accepted security controls as Apple rolled them out. "If you can turn a switch on and it adds security, regulators are going to write you up for not having it," Gordon observes.
But more was needed. "In banking, I knew full well that two or three basic controls would never satisfy regulators, examiners or auditors," he says.
Gordon suggests that any banks that haven't bought an MDM solution are past due. "The regulators have woken up -- they've caught on and they are auditing for that," he says. "The time to buy it to avoid regulatory criticism would have been in 2012."
What to Look For
Kenneth Johnston, who is chief information officer of the $639 million-asset Guaranty Bank in Springfield, Mo., cares first and foremost that an MDM solution supports multiple platforms. Some programs provide strong support for Apple devices and limited or no support for Android and Windows-based devices, he says.
"It is not about putting all of your eggs in one basket, [but] it is all about not having to carry six baskets while trying to gather your eggs," Gordon says.
To suitably manage the growing BYOD environment, a solution should support iOS, Android and Windows operating systems, he says.
One thing Gordon looked for in MDM software was the ability to tell if a device has been "jailbroken" – in other words, whether restrictions set by the manufacturer, operating system provider or telecom provider have been removed. "I wanted to know if somebody had altered the Apple iOS in some way and could then install third-party applications that might not have been vetted by Apple," he says.
He also felt a strong need to monitor the apps employees download to their devices, especially any he doesn't consider "bank appropriate," such as Dropbox, Box or other programs that could be used to leak corporate data. For instance, an employee could open a company's strategic plan in Dropbox and share it with others from there.
The bank has never lost sensitive data through a mobile device, Gordon says. But he's very aware of the FFIEC's guidelines on cloud computing, which emphasize banks' responsibility to protect their own and customers' data.