CUNA Mutual Group’s BYOD policy permits a mix of devices including Apple and Android phones and tablets.
“We stayed out of the device wars and we’re letting users vote for themselves,” says Rick Roy, senior vice president/CIO for CUNA Mutual Group. “Credit unions have the same issues with their employees, and they’re solving that challenge many ways. Some aren’t offering any options because they’re not large enough to support the infrastructure needed to enable those options.”
But Roy says credit unions that have flexible BYOD policies might improve:
While BYOD might sound new, the idea of “business without borders”—as Diebold calls it—isn’t a new concept. Credit unions probably have similar experiences they can use to help shape their BYOD policies, such as cloud computing, laptops, or work-from-home policies.
Employees might not balk at giving employers the ability to remotely wipe their personal devices if something goes wrong, but giving employers the ability to monitor their use is an entirely different matter. Employees are concerned that employers might go too far and track or “stalk” them, according to CIO Magazine.
With mobile device management software, GPS, and triangulation, employers have the ability to track their employees’ whereabouts, even during off hours. Employers could collect personally identifiable data and monitor device usage. Most employees, as you’d expect, say that would be going too far. In fact, 82% of respondents to a Harris Interactive-Fiberlink poll say the ability to be tracked would be an invasion of privacy. State legislatures are looking into these privacy concerns. And conscientious employers are incorporating provisions into their BYOD policies that protect company assets and employee privacy.
If you have a cloud computing solution, it might not be as hard as you think to hook it up with employees’ mobile devices. Or you might be able to create a BYOD policy by looking at your credit union’s policy governing the use of laptops. “Look at what you’re doing for your laptops and apply that to mobile devices,” says Elkins.
Also, look at your credit union’s policy governing work-from-home arrangements. “If you already have policies in place for a remote workforce, those policies might transfer to BYOD,” Reh says.
Security isn’t optional
After reviewing your existing policy structures, you’ll need to decide on the devices and access levels you’re willing to support, Elkins says. Then, use PINs, passcodes, and encryption to set up a process that lets your credit union secure its data in the event of a problem.
CUNA Mutual uses a common security platform with hard authentication before granting access to its corporate network, and anything related to that network is encrypted. CUNA Mutual also can remotely wipe that information off the employee’s device. Company employees can choose devices, but the company decides on the network.
Roy suggests following these BYOD best practices:
“If you provide the choice of corporate or personal devices and employees can access corporate email and intranet, then employees don’t get a choice in how you protect it,” Roy says. “It’s more important to implement a standard security platform. You can tout choice, but security standards shouldn’t be optional.”
A common feature of BYOD policies is the employer’s ability to remotely wipe data from personal devices. While it’s important for employers to have this capability, they should consider using mobile device management solutions so they don’t delete important family pictures or other important personal data, Elkins says.
Mobile device management solutions provide security, reporting, and management of all devices using your network. Some solutions can partition personal devices, keeping business and personal uses separate. “This way, if you need to wipe an employee’s personal device of sensitive business data, it wipes only the business data and leaves personal data intact,” Elkins says.
Employee education is critical when trying to manage the security aspects of a BYOD workplace, says Michael Ott, manager of governance, risk, and compliance for Diebold. Make sure employees know the risks and vulnerabilities, and have them sign off on it.
Employees also need to know what to do if their personal devices are lost or stolen. The first call should be to the credit union. If employees go to their wireless agents first to turn off their phones, it won’t be possible to wipe the devices of credit union data.
To effectively deliver the security message to employees, Ott suggests you: