Risky Business: Mobile Devices at Work

By Ken Otsuka

Cell phones and smart phones, tablets and personal digital assistants (PDAs)—just about everyone is using them to stay connected at home, on the road and in the office. Mobile devices in the workplace, especially employees’ own personal devices, introduce security risks to your credit union.

A Little Too Convenient?

Relatively inexpensive, accessible, user friendly and easy to transport, all this convenience is risky for your business. While it’s probably not reasonable or even desirable to prohibit mobile devices at work, the security risks are significant.

Lost or Stolen Devices. One of the most remarkable features of mobile devices—their diminutive size— also makes them easy to steal or lose, rendering data stored on them vulnerable to theft.

Insider Theft. A dishonest employee could easily connect a mobile device to the computer’s USB port to download large amounts of sensitive data to steal or transmit this data via email. This is a growing concern as clever fraudsters increasingly look to insiders as partners in crime.

Intercepted and Decrypted Data. Wi-Fi enabled devices transmitting data over unsecure networks are vulnerable to Man in the Middle attacks, exposing not only the device but also potentially the credit union’s network to hackers.

Viruses. Mobile devices offer fertile ground for hackers looking for broadly used technology with limited security. Acts as seemingly innocuous as downloading apps or ringtones may invite malware into the device and potentially your credit union’s network.

Managing the Risks of Mobile

As mobile device use at work continues to explode, so does your risk. It’s important to examine your credit union’s vulnerabilities and shore up security where needed.

Security Policy. First and foremost, you should develop and maintain a comprehensive IT security policy that addresses mobile devices. This policy should be approved at the board level, and reviewed and signed off on by employees annually.

Encryption. Encrypt sensitive data stored on mobile devices or when these devices are used to transmit sensitive data over the Internet or in emails.

Control and Protect Devices. Require that mobile devices are password protected, locked at all times, and can be wiped clean remotely. Enforce time-out features. Install anti-virus protection on all mobile devices used for credit union business and prohibit downloading applications and/or software without the authorization/assistance from the IT department.

Secure Network Connections. A Secure Socket Layer Virtual Private Network should be established for employees to connect to the network using mobile devices. This protects data transmitted between the network and mobile devices.

Don’t Mix Personal and Business Use. Credit union issued devices are the safest option provided the necessary security features are deployed, but if you do decide to permit business to be conducted on employees’ personal devices, investigate software designed especially for devices used for both purposes. This software allows the business-side of the device to be protected and provides security measures including password protection, encryption, anti-virus protection and remote wipe capabilities.

Finally, even with the best security, the worst can happen. Cyber Risk Hub, offered at no additional cost to CUNA Mutual Group policyholders, provides the services of a data breach coach and other key resources in the event of a breach. Cyber Risk Hub and other data breach resources are available at the Protection Resource Center at www.cunamutual.com.

Ken Otsuka is a Senior Consultant for CUNA Mutual Group’s Risk Management team. Ken can be contacted at 847.612.9653 or at kenneth.otsuka@cunamutual.com.

Strategic Link is the NWCUAs wholly-owned service corporation, providing the Associations member credit unions with exclusive high-quality, competitively-priced products and discounted services. Questions? Contact Sales & Marketing Associate Craig Reed: 206.340.4789, creed@nwcua.org.

Posted in Community Impact, Events, Financial Education.