Financial institutions have to be particularly careful about allowing data outside of their walls, and Needham Bank is no exception. When the BYOD movement began, the community bank became an early adopter of the enterprise mobility management (EMM) solution MobileIron back in late 2010, to do what many businesses started out with—allow employees to access their email securely from mobile devices.
“We had that baked in for a number of years and then the question became ‘Now what?’” recalls James Gordon, senior vice president of Needham Bank, a community bank with five branches in Massachusetts and $1.4 billion in assets.
The next logical step, he says, was to give employees access to additional content on their iPads, such as PDF files and Excel spreadsheets. The bank added Accellion Kiteworks to its arsenal to encrypt and secure corporate data. Accellion is a provider of secure mobile collaboration and on-premise, private cloud file-sharing solutions.
As BYOD becomes an accepted practice and businesses like Needham Bank allow employees to increase the level of work-related activities from wherever they are, the need to ensure corporate data leaving the firewall is secure is paramount. A 2013 survey conducted by the Ponemon Institute for Acronis revealed that a majority of companies continue to put critical data at risk. Fifty-nine percent of enterprises reported having no BYOD policy in place, among a sample group of over 4,300 IT security practitioners in eight countries.
Among those that have policies, 24 percent make exceptions for executives who may handle even more sensitive data, the survey found.
Even basic security precautions are not always enforced. The study found that 31 percent of companies require a device password or key lock on personal devices, and only 21 percent perform remote device wipes when an employee leaves the company.
The survey also revealed that while it’s commonplace to share corporate files through third-party cloud storage products like Dropbox, 67 percent of organizations don’t have a policy in place around public clouds. And 80 percent of respondents said they haven’t trained employees in the proper use of these platforms.
But mobile devices themselves are not inherently more insecure than other devices, stresses Jane Wright, a senior analyst of IT security at Technology Business Research. “It’s about putting the right tools in place for them and they can be made as secure as other devices.”
Early on, companies were limiting employees to accessing email and calendar from their mobile devices and using traditional password and encryption tools found in a mobile device management (MDM) solution, she says. Once they began allowing access to other apps, there was a need for mobile access management (MAM) tools, she says. “They also counted on their firewalls helping when mobile devices came onto the network.”
Now, as users are more frequently remotely accessing business apps, Wright says there is a need for heightened security and advanced threat solutions from vendors such as FireEye and Sourcefire, which was recently acquired by Cisco. What makes them different from MDM tools, she says, is “they analyze what’s going on at the end point and decide if something is suspicious or abnormal, and trigger these advanced protection solutions,” which analyze, block and contain an activity.
A potentially suspicious activity could be a device trying to grab a file off a corporate network from Germany, for example, Wright says.
File Sharing While Protecting Patient Information
Also mindful of the need to protect sensitive data is Comfort Care Services, a UK-based housing and rehab facility for adults with mental illness, learning disabilities and substance misuse. Services are provided at over 57 sites across the UK, so the majority of the 350 employees are geographically dispersed and work remotely.
“We knew we needed a solution that would secure document-centric collaboration in our BYOD environment and keep our mobile workforce productive,” says Gee Bafhtiar, operations director. Most staff members were more comfortable using their own devices for work, he adds. “Early on, we realized that, without having a BYOD in place, the company … would inadvertently promote work-arounds because many users would use consumer-grade file sharing services that didn’t allow for secure, real-time collaboration.” The goal was to give employees what they wanted while retaining full control of the data—how and with whom documents were shared, he says.
Previously, employees used laptops to gather patient information during house visits. They were configured with virtual desktops that didn’t permit document interchange outside of Comfort Care’s VDI network, says Bafhtiar. That function was limited to a few select staff members who “acted as a security filter and gatekeeper for data.” While that has proven effective, management knew it ran the risk of documents being produced outside the company network on personal devices. Additionally, management was also getting feedback from employees that the laptops were “cumbersome, intrusive and intimidating” and often a distraction when they were taking case notes or entering data. Tablets, he says, “are much more direct.”
There are also times when staff needs to share data and reports with government agencies and external healthcare professionals, and the blanket policy preventing data sharing with people outside the network was causing a drop in productivity, Bafhtiar adds.
When Comfort Care decided to allow mobile file sharing and collaboration, officials looked at Box and Citrix ShareFile but found neither tool “provided the granular control that we needed at the time,” he says. Around four years ago they selected Workshare, a mobile enterprise collaboration application that provides secure document syncing and sharing.
“The granular security functionality… makes it ideal for use in the semi-regulated and regulated sectors,” says Bafhtiar. Comfort Care staff are able to ensure their documents are secure both inside and outside the firewall. With Workshare, all transactions are executed from a personal, authenticated user account, he says. Document owners can assign folder-level permissions and manage access and sharing, preventing confidential or sensitive files from being downloaded or passed on to someone without access authorization. They can also get a return receipt and enable time-limited file access. The company also has access to full audit trails.
Now user productivity has improved and the amount of time needed to turn around documents has been reduced by as much as 50 percent, he says. “Another benefit is that staff can provide adequate feedback while on the move.” Previously, when using laptops, staff was restricted to giving feedback only when connected to the internet, Bafhtiar says.
Growth Ahead, Mobile Ready
Needham Bank is experiencing rapid growth and planning to add four branches and about 30 percent more employees to the 190 it now has. Gordon says they chose kiteworks because it works in tandem with MobileIron and has features such as remote wipe and the ability to securely share and collaborate on files without letting users print sensitive documents unless they are given permission. Gordon says he also likes the ability to know that a user shared X number of files with someone else on a particular date and what those files were. He says that makes kiteworks “more secure than a laptop.”
The Accellion software is managed on-premises, Gordon says. Because the banking industry is highly regulated, he explains, “I have to know at all times where my data lives and porting [data] to the cloud is not satisfactory. There are very few assurances you know where your data is and where data exists.”
Employees also have to collaborate with external third parties such as architects and appraisers as they are building new branches, Gordon says. Kiteworks ensures security for the bank’s customers, who often need to communicate and send files to employees.
BYOD is only going to continue to grow, so deploying advanced threat protection tools is the logical next step organizations need to take, observes TBR’s Wright. “This is a gradual evolution as organizations are expanding the ways they’re letting users conduct business from their mobile devices so they’re also expanding protections.”
But unlike PCs, mobile devices don’t typically have the same amount of memory, “so you can’t put a really memory-hungry security control on [them] because users will find their smartphone works slowly.” As vendors design advanced threat protection for mobile devices, she says they have to think about that and how to make the best use of that footprint. “It’s a delicate balance.”
This article was originally published in 2014, though much of the information still applies today.