Best Practices for Financial Institutions to Prevent or Mitigate Intrusions Through Mobile Devices

by Fob H. James, IV, Burr & Forman LLP

Mobile devices are widely used by employees of banks for good reason. They facilitate efficiency and productivity by allowing employees to work and communicate on the go; however, there is always a catch. The downside of authorizing work-related mobile devices is their use can potentially result in the loss of sensitive bank-owned data. Mobile devices provide attackers with additional points of entry into the bank’s systems and points of origin to execute phishing or social engineering schemes.

Many bank employees access their work email accounts through their mobile devices. The device itself is usually protected by a PIN, but its email client is generally configured with a saved username and password, so whoever unlocks the device has the same access to the bank’s email system as the employee. This configuration exposes confidential information held in the bank’s email system. It also invites phishing or social engineering schemes that originate from an actual employee’s email address or text messages; the success rate of these schemes increases greatly when the source is an authentic account. Data stored in core banking systems is also at risk if employees access those systems from their mobile devices.

Banks are increasingly using two-factor authentication to protect systems that contain sensitive data. The common method requires a user to obtain a one-time token code generated by an app on his or her mobile device and then use that code in combination with a username and password. Because the second factor lives on the device, a misappropriated mobile device may give an attacker an opportunity to defeat two-factor authentication defenses.

Bank regulators have taken notice of the risks associated with mobile devices. As a result, they have issued guidance recommending that banks identify risks related to mobile devices and maintain controls to mitigate those risks. For example, the Federal Financial Institutions Examination Council (FFIEC) has released a suite of booklets as part of its comprehensive Information Technology Examination Handbook. The booklets give participating examiners in-depth guidance for assessing or auditing the security risks to a financial institution’s information systems and the institution’s implementation of its information security, business continuity, and overall risk management programs. They also give financial institutions valuable insight into the information security policies they may be expected to implement to mitigate threats, including those associated with mobile devices. For example, FFIEC’s Information Security booklet provides that:

  • Management should…establish and supervise compliance with policies for storing and handling information, including storing data on mobile devices…;
  • Management should implement automated patch management systems and software to ensure all network components (virtual machines, routers, switches, mobile devices, firewalls, etc.) are appropriately updated; and
  • Management should have policies explaining that employees should not and are not authorized to use unsanctioned or unapproved IT resources (e.g., online storage devices, unapproved mobile device applications, and unapproved devices).

Banks should understand the risks associated with work-related mobile devices and, in turn, adopt policies and procedures to mitigate those risks. The purpose of this article is to provide banks with a baseline set of policies related to both employee-owned and employer-owned mobile devices.

Policies that should be implemented or agreed to by employees, contractors, or any other person authorized by a bank to access its systems

Banks should implement the following policies to prevent the loss of confidential information through breached work-related mobile devices:

  • All information obtained through the bank’s systems and all messages generated on or handled by the bank’s electronic communications systems, including back-up copies, is the property of the bank. As a result, the bank reserves the right to review email, text messages, browser history, and information downloaded from the Internet, or any other source, using any of the bank’s communication or network systems.
  • Employees who access the bank’s information systems using a mobile device, whether at or within the bank’s facilities or by means of direct access or remote log in, must obtain advance permission from the appropriate officer and/or the bank’s IT Department. The bank reserves the right to remove access at any time.
  • Employees using mobile devices and related software for network and data access shall, without exception, use secure data management procedures. All mobile devices must be protected by fingerprint recognition where available. Where a PIN is necessary, the PIN shall consist of at least six characters, combining numbers, case-sensitive letters, and special characters. The idle time before the mobile device requires a PIN or fingerprint to unlock must be set to 60 seconds or less. Employees must never disclose their passwords or PINs to anyone.
  • All users of mobile devices must employ reasonable physical security measures. Users are expected to secure all such devices used for this activity whether or not they are actually in use and/or being carried. This includes, but is not limited to, passwords, encryption, and physical control of such devices, such as locking them in a drawer when unattended, whenever they contain or can access the bank’s data.
  • Employees shall make no modifications of any kind to bank-owned and installed hardware or software without the approval of the bank’s IT Department. This includes, but is not limited to, any reconfiguration of the mobile device. Employees shall not download any applications that are prohibited by the bank’s IT Department.
  • The bank has the authority to remotely wipe data on mobile devices, including personal devices, used to access the bank’s systems. Remote wiping is necessary if the device is stolen, lost, or if the user is terminated (or, in some circumstances, suspended), or in other situations that the bank deems appropriate. The bank shall not be responsible for loss or damage of personal applications or data resulting from the use of company applications or remote wiping.
  • At termination of employment, all bank-related confidential or sensitive information in any mobile device, whether company or personally owned, shall be copied and returned to the bank and then deleted or destroyed from the mobile device. The bank reserves the right to inspect such device(s) and any related storage media for the purpose of ensuring compliance with this requirement.

Policies that should be implemented by the bank’s staff

Those responsible for issuing or permitting the use of any work-related mobile devices should ensure that the following policies are complied with before and after issuing such equipment or permitting such access to employees:

  • Ensure that mobile device management (MDM) software with remote-wipe capability is installed on any mobile device before the device is used for work-related purposes.
  • Upon resignation or termination of employment, bank-owned mobile devices shall be reset to factory defaults using the remote wipe software.
  • Ensure that adequate cyber-risk insurance coverage is provided for mobile devices issued by the bank for use in the United States and abroad.
  • Ensure that suitable virus scanning software is present and current on any mobile device authorized to access the bank’s system(s).
  • Supply suitable network connections and ensure that access procedures are applied if the mobile device is to be connected to a bank network.
  • Ensure that adequate storage capacity is available on authorized or issued mobile devices to support business processing.
  • Ensure that adequate backup and restore facilities and procedures are in place.
  • Ensure that compatible versions of application software are in place.
  • Ensure that software encryption and/or physical locking devices are in place.
  • Ensure that adequate records of the equipment are maintained, and that the issue is authorized and receipted.
  • Ensure that authorization for use of the mobile device is received.
  • Ensure that the Terms of Use are issued and signed.
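The device requirements in the two policy lists above (MDM with remote wipe, encryption, a 60-second idle lock, the PIN composition rule, current virus scanning, signed Terms of Use) can be checked mechanically against an MDM inventory export. The following Python script is an added example, not code from the article or from any MDM product; the `DeviceRecord` fields, the sample inventory, and the seven-day signature-age threshold are assumptions (the article only says virus scanning must be "current"), and "case-sensitive letters" is read here as requiring both upper- and lower-case letters. The PIN check is a set-time validator: it is meant to run when a PIN is chosen and never stores or logs the PIN.

```python
import re
from dataclasses import dataclass

# Thresholds taken from the policy text in the article.
MIN_PIN_LENGTH = 6        # "at least six characters"
MAX_IDLE_SECONDS = 60     # "60 seconds or less"
# Assumed threshold: the article only requires virus signatures to be "current".
MAX_AV_SIGNATURE_AGE_DAYS = 7


def pin_meets_requirements(pin: str) -> bool:
    """Set-time check: >= 6 chars with a digit, lower- and upper-case letters,
    and a special character (mixed case is an assumed reading of the policy).
    Call this when a PIN is chosen; never persist or log the PIN itself."""
    if len(pin) < MIN_PIN_LENGTH:
        return False
    return (re.search(r"[0-9]", pin) is not None
            and re.search(r"[a-z]", pin) is not None
            and re.search(r"[A-Z]", pin) is not None
            and re.search(r"[^0-9A-Za-z]", pin) is not None)


@dataclass
class DeviceRecord:
    """One row of a hypothetical MDM inventory export (field names assumed)."""
    device_id: str
    bank_owned: bool
    mdm_enrolled: bool
    remote_wipe_enabled: bool
    storage_encrypted: bool
    idle_lock_seconds: int
    biometric_available: bool
    biometric_enabled: bool
    pin_min_length: int           # the passcode policy the MDM enforces on the device
    pin_requires_digit: bool
    pin_requires_mixed_case: bool
    pin_requires_symbol: bool
    av_installed: bool
    av_signature_age_days: int
    terms_of_use_signed: bool


def audit_device(d: DeviceRecord) -> list[str]:
    """Return the list of policy controls this device fails (empty = compliant)."""
    findings = []
    if not (d.mdm_enrolled and d.remote_wipe_enabled):
        findings.append("MDM with remote wipe not in place")
    if not d.storage_encrypted:
        findings.append("storage not encrypted")
    if d.idle_lock_seconds > MAX_IDLE_SECONDS:
        findings.append(f"idle lock {d.idle_lock_seconds}s exceeds {MAX_IDLE_SECONDS}s")
    if d.biometric_available and not d.biometric_enabled:
        findings.append("fingerprint unlock available but not enabled")
    if not (d.pin_min_length >= MIN_PIN_LENGTH and d.pin_requires_digit
            and d.pin_requires_mixed_case and d.pin_requires_symbol):
        findings.append("enforced PIN policy weaker than bank policy")
    if not d.av_installed or d.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        findings.append("virus scanner missing or signatures stale")
    if not d.terms_of_use_signed:
        findings.append("Terms of Use not signed")
    return findings


def audit_fleet(records: list[DeviceRecord]) -> dict[str, list[str]]:
    """Map device_id -> findings for non-compliant devices only."""
    report = {}
    for d in records:
        findings = audit_device(d)
        if findings:
            report[d.device_id] = findings
    return report


# Constructed sample inventory (field order follows DeviceRecord):
# id, bank_owned, mdm, wipe, encrypted, idle, bio_avail, bio_on,
# pin_len, pin_digit, pin_mixed, pin_symbol, av, av_age, terms_signed
SAMPLE_INVENTORY = [
    DeviceRecord("BANK-0001", True, True, True, True, 30, True, True, 6, True, True, True, True, 1, True),
    DeviceRecord("BANK-0002", True, True, True, True, 300, True, False, 4, True, False, False, True, 45, True),
    DeviceRecord("BYOD-0103", False, False, False, True, 60, False, False, 6, True, True, True, False, 0, False),
]

if __name__ == "__main__":
    for device_id, findings in audit_fleet(SAMPLE_INVENTORY).items():
        print(device_id)
        for f in findings:
            print("  -", f)
```

Run as a script, the report lists BANK-0002 (idle lock too long, fingerprint not enabled, weak enforced PIN policy, stale signatures) and BYOD-0103 (no MDM, no virus scanner, unsigned Terms of Use); BANK-0001 passes every control. Auditing the enforced passcode policy rather than actual PINs is deliberate: the bank can verify the device configuration without ever handling the secret itself.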

The preceding policies are not exhaustive and may not be suitable for your bank. There is no silver bullet to prevent mobile device intrusions. Banks, however, should incorporate mobile device-related policies into their Information Security Policies. They should also develop and maintain procedures that are regularly updated as mobile device-related threats evolve. And most importantly, banks should train and educate their employees on the risks associated with mobile devices and how to prevent or mitigate intrusions.

Even if a bank is proactive, hackers may stay ahead of defenses, and intrusions will occur. Success from a legal standpoint is often obtainable when a bank can demonstrate that it implemented reasonable data security practices and made a good faith effort to identify risks and protect data. Plus, if a bank forces the attackers to lift a finger, there is a decent chance they will pass over that bank and breach someone else instead.

Fob James is an attorney in Burr & Forman LLP’s Birmingham office, where he practices in the firm’s Cybersecurity and General Commercial Litigation practice groups.