CUs Search for Balance on BYOD

Employees pressure IT departments to adopt 'bring your own device' policies.

August 5, 2014

Mobile devices are ubiquitous in the workplace, but there are many different types of devices. Look around your credit union and you’ll see everything from Apple to Android and smartphones to tablets. It’s also likely that employees, not your credit union, own many, if not most, of these devices.

And these credit union employees are using their own personal devices in their credit unions, too. They’re bringing them to work, connecting to the Wi-Fi, checking email, and doing both personal and credit union work. In response, credit unions are scrambling to create policies governing the use of these personal devices. These policies are known as BYOD (bring your own device) policies.

More than 80% of employees responding to a Harris Interactive poll say they use personal electronic devices for work-related functions, but 66% of those who use personal devices for work say their employers haven’t implemented policies governing their use.

“It’s happening whether you want it to or not,” says Ryan Elkins, senior manager of information security for Diebold, a CUNA Strategic Services alliance provider . “We see employees coming in every day with the latest devices. It’s not a question of whether or not employees are going to do it, but it’s a question of how you’re going to handle it.”

Technology experts call this trend the consumerization of information technology (IT) because employees (the consumer in this case) are heavily influencing employers’ IT decisions. Part of this consumerization involves the BYOD issue. And credit unions are taking different approaches to come up with BYOD policies. Credit unions are justifiably concerned about overtaxing their IT departments as they try to draft BYOD policies that balance employees’ needs with security concerns.

Productivity vs. risk

Nassau Financial Federal Credit Union, with $393 million in assets and located in Westbury, N.Y., currently doesn’t allow employees to mix personal devices with company resources, but Chief Information Officer (CIO) and CUNA Technology Council Executive Committee member Robert Reh says he can foresee a change.

“BYOD might be something we’ll be forced to do to remain competitive in the marketplace for top talent, but right now it hasn’t been,” Reh says. The potential upside of letting employees use their personal devices in the workplace is improved productivity, morale, employee retention, onboarding, and workflow for employees.

“Some people will say they’re more productive and can do their jobs better on their own devices because they’re more familiar with them,” says Reh. “The question is, how much productivity do you gain versus the additional risk?”

At the moment, an inclusive BYOD policy isn’t worth the risk and increased demands it would place on Nassau Financial’s IT infrastructure, Reh says. These policies require a lot of advance thought and consideration, Reh says. You’ll need to ask:

“Who maintains these devices and keeps them up-to-date with antivirus software and patches?” Reh asks. “How do you enforce these types of rules and policies?”

NEXT: Device wars

Device wars

CUNA Mutual Group’s BYOD policy permits a mix of devices including Apple and Android phones and tablets.

“We stayed out of the device wars and we’re letting users vote for themselves,” says Rick Roy, senior vice president/CIO for CUNA Mutual Group. “Credit unions have the same issues with their employees, and they’re solving that challenge many ways. Some aren’t offering any options because they’re not large enough to support the infrastructure needed to enable those options.”

But Roy says credit unions that have flexible BYOD policies might improve:

While BYOD might sound new, the idea of “business without borders”—as Diebold calls it—isn’t a new concept. Credit unions probably have similar experiences they can use to help shape their BYOD policies, such as cloud computing, laptops, or work-from-home policies.

Employees Have Privacy Concerns


Employees might not balk at giving employers the ability to remotely wipe their personal devices if something goes wrong, but giving employers the ability to monitor their use is an entirely different matter. Employees are concerned that employers might go too far and track or “stalk” them, according to CIO Magazine.

With mobile device management software, GPS, and triangulation, employers have the ability to track their employees’ whereabouts, even during off hours. Employers could collect personally indentifiable data and monitor device usage.

Most employees, as you’d expect, say that would be going too far. In fact, 82% of respondents to a Harris Interactive-Fiberlink poll say the ability to be tracked would be an invasion of privacy. State legislatures are looking into these privacy concerns. And conscientious employers are incorporating provisions into their BYOD polices that protect company assets and employee privacy.

If you have a cloud computing solution, it might not be as hard as you think to hook it up with employee’s mobile devices. Or you might be able to create a BYOD policy by looking at your credit union’s policy governing the use of laptops. “Look at what you’re doing for your laptops and apply that to mobile devices,” says Elkins.

Also, look at your credit union’s policy governing work-from-home arrangements. “If you already have policies in place for a remote workforce, those policies might transfer to BYOD,” Reh says.

Security isn’t optional

After reviewing your existing policy structures, you’ll need to decide on the devices and access levels you’re willing to support, Elkins says. Then, use PINs, passcodes, and encryption to set up a process that lets your credit union secure its data in the event of a problem.

CUNA Mutual uses a common security platform with hard authentication before granting access to its corporate network, and anything related to that network is encrypted. CUNA Mutual also can remotely wipe that information off the employee’s device. Company employees can choose devices, but the company decides on the network.

Roy suggests following these BYOD best practices:

“If you provide the choice of corporate or personal devices and employees can access corporate email and intranet, then employees don’t get a choice in how you protect it,” Roy says. “It’s more important to implement a standard security platform. You can tout choice, but security standards shouldn’t be optional.”

A common feature of BYOD policies is the employer’s ability to remotely wipe data from personal devices. While it’s important for employers to have this capability, they should consider using mobile device management solutions so they don’t delete important family pictures or other important personal data, Elkins says.

Mobile device management solutions provide security, reporting, and management of all devices using your network. Some solutions can partition personal devices, keeping business and personal uses separate. “This way, if you need to wipe an employee’s personal device of sensitive business data, it wipes only the business data and leaves personal data intact,” Elkins says.

Employee education

Employee education is critical when trying to manage the security aspects of a BYOD workplace, says Michael Ott, manager of governance, risk, and compliance for Diebold. Make sure employees know the risks and vulnerabilities, and have them sign off on it.

Employees also need to know what to do if their personal devices are lost or stolen. The first call should be to the credit union. If employees go to their wireless agents first to turn off their phones, it won’t be possible to wipe the devices of credit union data.

To effectively deliver the security message to employees, Ott suggests you:

CRAIG SAUER is Credit Union Magazine’s associate editor. Contact him at, or @CUNACraig