Wall Street & Technology is part of the Informa Tech Division of Informa PLC


Security
02:40 PM
Deena Coffman
Commentary

6 Security Strategies for Mobile Employees

Six mobility rules for employees moving between offices, meeting customers offsite, and traveling to business functions.

Whether the employee is a full-time mobile worker or an executive who travels from time to time, financial institutions must be diligent about data security wherever business happens in this increasingly portable environment. Fortunately, a handful of practical and typically inexpensive measures are available to mitigate these risks. Here are six suggestions:

1. Make authentication a priority. Strong passwords -- both those needed to unlock mobile devices and the credentials used to access information from them -- are a data protection measure that has been in place for years. But yesterday’s password policy is not strong enough to defend against today’s threats. A strong password policy that requires passwords of at least nine characters, favors passphrases over single words, and mixes uppercase letters, lowercase letters, numbers, and special characters can slow down the password crackers available today. Advances in processing power, coupled with the availability of password cracking as an online service, make defeating a traditional password a simple and inexpensive attack.

A security policy should mandate that all mobile devices use encryption (and iPhone currently does not have full-device encryption, despite Apple’s claims). Devices should also use strong passwords as described above, and accounts should lock after 10 unsuccessful attempts to stop brute-force attacks before they succeed. The security team should receive an alert whenever an account is locked out, and any locked account whose owner did not cause the lock should be monitored for subsequent attack activity. Passwords should not be reused across accounts, and they should be changed every six months. Where it is practical, use two-factor, or at least two-step, authentication. These simple protocols can go a long way toward protecting the organization and its data if a mobile device falls into the wrong hands.
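As an added example (not from the article), the lockout-and-alert rule described above replayed over a constructed set of authentication events in Python: accounts lock at the tenth failure, every lockout raises an alert, and lockouts the owner probably did not cause are singled out for monitoring. The account names, addresses and event format are made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 10  # the article's cutoff for unsuccessful attempts

# Constructed sample authentication events (account, outcome, source); not real logs.
SAMPLE_EVENTS = (
    [("jsmith", "fail", "10.0.0.5")] * 4
    + [("jsmith", "fail", "203.0.113.9")] * 6   # 10th failure triggers the lock
    + [("jsmith", "fail", "203.0.113.9")] * 2   # attempts continue after the lock
    + [("alee", "fail", "10.0.0.7")] * 3 + [("alee", "success", "10.0.0.7")]  # owner typos
    + [("mchen", "fail", "10.0.0.8")] * 10      # locked, single source, then quiet
)

@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False
    sources: set = field(default_factory=set)
    post_lock_attempts: int = 0

def process_events(events, threshold=LOCKOUT_THRESHOLD):
    """Replay events in order; lock an account at `threshold` consecutive
    failures and emit an alert for the security team at that moment."""
    state = defaultdict(AccountState)
    alerts = []
    for account, outcome, source in events:
        st = state[account]
        if st.locked:
            # Keep watching locked accounts: further attempts are follow-on activity.
            st.post_lock_attempts += 1
            st.sources.add(source)
            continue
        if outcome == "success":
            st.failures = 0  # a successful login resets the counter
            continue
        st.failures += 1
        st.sources.add(source)
        if st.failures >= threshold:
            st.locked = True
            alerts.append(f"LOCKOUT {account}: {st.failures} failures from {sorted(st.sources)}")
    return state, alerts

def suspicious_lockouts(state):
    """Locked accounts the owner probably did not lock: failures arrived from
    several sources, or attempts kept coming after the lock."""
    return sorted(a for a, st in state.items()
                  if st.locked and (len(st.sources) > 1 or st.post_lock_attempts > 0))
```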

2. Limit where data is stored, and use encryption. In some instances, the data held by a mobile device is more valuable (and more attractive to thieves) than the hardware itself. If you use an iPhone, you do not have the benefit of full-disk encryption, so data on a stolen device can be copied and mined. For devices with full-disk encryption, this is less of an issue. Another security measure gaining in popularity is the use of thin clients and similar software offerings that enable financial institutions to limit the amount of data residing directly on employees’ mobile devices. These platforms allow mobile users to access data through a web portal rather than downloading it onto the device. This way, if a smartphone or tablet goes missing, little if any sensitive data is at risk of exposure.

3. Lock down unauthorized devices quickly. Mobile users should be trained to notify the organization at the first sign that a device may be missing. Most mobile device management (MDM) products can remotely lock and/or wipe a device, so a thief gets only the hardware and not the valuable information or network access. Also, train employees not to send information, especially passwords, over public WiFi connections. Attackers set up a WiFi access point with an authentic-looking name to entice traveling executives to connect and then send their account names and passwords through the unsecured network. The traveling employee gets a few minutes or hours of free Internet, but the attacker now has the employee’s account credentials.

[Continue reading on Bank Systems & Technology]

Deena Coffman is chief executive officer of IDT911 Consulting and has broad experience providing guidance to clients adopting technology or building programs relating to data privacy, data security, and electronic discovery. Prior to joining IDT, she was the chief operating ...