Where is regulated data, such as information about customers, transactions and mergers, most likely to leak out of a bank? Through employees' and customers' mobile devices, according to a survey the Ponemon Institute conducted of 798 U.S. IT and data security practitioners, 18% of whom work in financial services. Emails, transaction logs and other unprotected data on smartphones and tablets can be easily passed along to unauthorized third parties or stolen.
"Regulated data" includes personally identifiable information about customers (e.g. Social Security number, address, login credentials), which is governed by consumer privacy protection rules requiring the information to be encrypted and for customers to be notified of any data breach. Merger data is subject to SEC disclosure rules, which forbid leakage of information about a deal during blackout periods. Payroll and benefits information are another category of regulated data.
Mobile devices are the riskiest vehicles for all such data, according 69% of respondents to the Ponemon survey. Next riskiest is cloud computing infrastructure, at least in the view of 45% of survey respondents. Applications come next, at 33%.
Some of the mobile data risk comes from employees' habits. The study found that at 59% of companies, employees circumvent or disable required security settings on their mobile devices.
On the other side of this coin are employees' privacy concerns over "bring your own device" (the trend of employees using their personal mobile devices for work purposes). About 63% of employees use mobile devices such as laptops, tablets and smartphones to access and use data in the workplace. The more companies try to control this behavior by forcing employees to download mobile device management or security software on their devices, the more employees bristle at having their personal information and photos fall under the scrutiny of their employer.
"It's not clear whether the employer has a right to scan your phone; it's less clear whether or not the company can actually move your private records to a repository," says Larry Ponemon, chairman and founder of the Ponemon Institute. "Privacy issues haven't really been worked out or legislated as yet for employees. I can imagine a situation in which you have a whole bunch of photos, videos, and other things you cherish on your device. Now you lose the device, and IT implements a remote-wipe. That's a privacy issue."
Outside of the U.S., data privacy regulations for employees tend to favor the employer, Ponemon says. "In places like Germany, France, the EU countries, and parts of Asia, employees have dominance over employers in terms of privacy rights," he says. "Europeans are more likely to push back and say we're not going to allow the employer do something that's viewed as private."
Because Americans are accustomed to sharing large amounts of information about themselves over social media, "it's likely the average American employee is not going to push back," Ponemon says.
However, organizations such as the Electronic Frontier Foundation and the American Civil Liberties Union might press companies on this issue, saying it's a violation of human rights or liberty.
A best practice and possible middle ground for protecting data on mobile devices is for a company to audit everything, Ponemon says. A simple scanning tool can keep watch over what employees are doing on their devices and look for policy violations.
Another practice is to use network traffic intelligence that can find red flags, such as an employee logging in from New Jersey in the morning and Moscow in the afternoon.
But in the end, banks may have to give up on the idea of BYOD, Ponemon says.
"In heavily regulated industries like financial services, you want to make sure the employees' endpoints are secure, and that may mean that you have to take a tough stand and tell people they can't use their own device because it's too risky," he says. For one thing, hackers are starting to understand and take advantage of employees' privacy issues and objections to having their company control their personal mobile device.
"We're starting to see in the investment management and brokerage industry a wave of sophisticated attacks it's easier for bad guys to slip into a mobile device, access an account and steal money and resources from that account," he says. "There's evidence that suggests this is happening in part because of employees have access to sensitive or regulated data on insecure devices."