{"id":1380,"date":"2018-11-07T19:16:15","date_gmt":"2018-11-07T19:16:15","guid":{"rendered":"https:\/\/albanknews.com\/?p=1380"},"modified":"2018-11-07T19:16:15","modified_gmt":"2018-11-07T19:16:15","slug":"best-practices-for-financial-institutions-to-prevent-or-mitigate-intrusions-through-mobile-devices","status":"publish","type":"post","link":"https:\/\/albanknews.com\/?p=1380","title":{"rendered":"Best Practices for Financial Institutions to Prevent or Mitigate Intrusions Through Mobile Devices"},"content":{"rendered":"<p class=\"p1\"><span class=\"s1\"><i>by <\/i><\/span><a href=\"http:\/\/www.burr.com\/attorney\/fob-james\/\"><span class=\"s2\">Fob H. James, IV, Burr Forman<\/span><\/a><\/p>\n<p class=\"p2\"><span class=\"s3\">Mobile devices are widely used by employees of banks for good reason. They facilitate efficiency and productivity by allowing employees to work and communicate on the go; however, there is always a catch. The downside of authorizing work-related mobile devices is their use can potentially result in the loss of sensitive bank-owned data. Mobile devices provide attackers with additional points of entry into the bank\u2019s systems and points of origin to execute phishing or social engineering schemes.<\/span><\/p>\n<p class=\"p2\"><span class=\"s3\">Many bank employees access their work email accounts through their mobile devices. The mobile device itself is usually protected by a PIN code, but the device\u2019s email exchange is generally configured with a saved username and password. This configuration potentially exposes confidential information that is accessible in the bank\u2019s email system. It also invites phishing or social engineering schemes that originate from an actual employee\u2019s email address or text message. The success rate of these schemes greatly increases when the source is an authentic account. Data stored in core banking systems is also at risk if employees access these systems from their mobile devices. 
<\/span><\/p>\n<p class=\"p2\"><span class=\"s3\">Banks are increasingly using two-factor authentication to protect systems that contain sensitive data. The common method for two-factor authentication requires a user to obtain a token key generated by an app on his or her mobile device and then use that key in combination with a username and password. A misappropriated mobile device may provide an attacker with an opportunity to beat two-factor authentication defenses. <\/span><\/p>\n<p class=\"p2\"><span class=\"s3\">Bank regulators have taken notice of the risks associated with mobile devices. As a result, they have issued guidance recommending that banks identify risks related to mobile devices and maintain controls to mitigate those risks. For example, the Federal Financial Institution Examination Council (FFIEC) has released a suite of booklets as part of its comprehensive Information Technology Examination Handbook, which provides participating examiners with in-depth guidance for assessing or auditing the security risks to a financial institution\u2019s information systems and their implementation of information security programs, business continuity programs and overall risk management programs. These booklets also provide financial institutions with valuable insight into information security policies that they may be expected to implement to mitigate the risk of threats, including those associated with mobile devices. For example, FFIEC\u2019s Information Security booklet provides that: <\/span><\/p>\n<ul>\n<li class=\"p3\"><span class=\"s3\">Management should\u2026establish and supervise compliance with policies for storing and handling information, including storing data on mobile devices\u2026; <\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">Management should implement automated patch management systems and software to ensure all network components (virtual machines, routers, switches, mobile devices, firewalls, etc.) 
are appropriately updated; and<\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">Management should have policies explaining that employees should not and are not authorized to use unsanctioned or unapproved IT resources (e.g., online storage devices, unapproved mobile device applications, and unapproved devices). <\/span><\/li>\n<\/ul>\n<p class=\"p2\"><span class=\"s3\">Banks should understand the risks associated with work-related mobile devices, and in turn, adopt policies and procedures to mitigate those risks. The purpose of this article is to provide banks with a baseline set of policies related to both employee and employer-owned mobile devices.<\/span><\/p>\n<p class=\"p4\"><span class=\"s4\"><b>Policies that should be implemented or agreed to by employees, contractors, or any other person authorized by a bank to access its systems<\/b><\/span><\/p>\n<p class=\"p2\"><span class=\"s3\">Banks should implement the following policies to prevent the loss of confidential information through breached work-related mobile devices:<\/span><\/p>\n<ul>\n<li class=\"p3\"><span class=\"s3\">All information obtained through the bank\u2019s systems and all messages generated on or handled by the bank\u2019s electronic communications systems, including back-up copies, is the property of the bank. As a result, the bank reserves the right to review email, text messages, browser history, and information downloaded from the Internet, or any other source, using any of the bank\u2019s communication or network systems.<\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">Employees who access the bank\u2019s information systems using a mobile device, whether at or within the bank\u2019s facilities or by means of direct access or remote login, must obtain advance permission from the appropriate officer and\/or the bank\u2019s IT Department. 
The bank reserves the right to remove access at any time.<\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">Employees using mobile devices and related software for network and data access shall, without exception, use secure data management procedures. All mobile devices must be protected by fingerprint recognition where available. In the event a PIN is necessary, the PIN shall consist of at least six alphanumeric characters using a combination of numbers, case-sensitive letters, and special characters. The idle time before the mobile device triggers the entry of a PIN or fingerprint recognition must be set to 60 seconds or less. Employees must never disclose their passwords or PINs to anyone. <\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">All users of mobile devices must employ reasonable physical security measures. Users are expected to secure all such devices used for this activity whether or not they are actually in use and\/or being carried. This includes, but is not limited to, passwords, encryption, and physical control of such devices, such as locking them in a drawer when unattended, whenever they contain or can access the bank\u2019s data.<\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">Employees shall make no modifications of any kind to bank-owned and installed hardware or software without the approval of the bank\u2019s IT Department. This includes, but is not limited to, any reconfiguration of the mobile device. Employees shall not download any applications that are prohibited by the bank\u2019s IT Department.<\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">The bank has the authority to remotely wipe data on mobile devices, including personal devices, used to access the bank\u2019s systems. Remote wiping is necessary if the device is stolen, lost, or if the user is terminated (or, in some circumstances, suspended), or in other situations that the bank deems appropriate. 
The bank shall not be responsible for loss of or damage to personal applications or data resulting from the use of company applications or remote wiping.<\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">At termination of employment, all bank-related confidential or sensitive information in any mobile device, whether company or personally owned, shall be copied and returned to the bank and then deleted from the mobile device or destroyed. The bank reserves the right to inspect such device(s) and any related storage media for the purpose of ensuring compliance with this requirement.<\/span><\/li>\n<\/ul>\n<p class=\"p4\"><span class=\"s5\"><b>Policies that should be implemented by the bank\u2019s staff <\/b><\/span><\/p>\n<p class=\"p2\"><span class=\"s3\">Those responsible for issuing or permitting the use of any work-related mobile devices should ensure that the following policies are complied with before and after issuing such equipment or permitting such access to employees:<\/span><\/p>\n<ul>\n<li class=\"p3\"><span class=\"s3\">Ensure that remote wipe software (MDM) is installed on any mobile devices prior to using the devices for work-related purposes. <\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">Upon resignation or termination of employment, bank-owned mobile devices shall be reset to factory defaults using the remote wipe software. 
<\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">Ensure that adequate cyber-risk insurance cover is provided for mobile devices issued by the bank for use in the United States and abroad.<\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">Ensure that suitable virus scanning software is present and current on any mobile device authorized to access the bank\u2019s system(s).<\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">Supply suitable network connections and ensure that access procedures are applied if the mobile device is to be connected to a bank network.<\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">Ensure that adequate storage capacity is available on authorized or issued mobile device to support business processing.<\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">Ensure that adequate backup and restore facilities and procedures are in place.<\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">Ensure that compatible versions of application software are in place.<\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">Ensure that software encryption and\/or physical locking devices are in place.<\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">Ensure that adequate records of the equipment are maintained, and that the issue is authorized and receipted.<\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">Ensure that authorization for use of the mobile device is received.<\/span><\/li>\n<li class=\"p3\"><span class=\"s3\">Ensure that the Terms of Use are issued and signed.<\/span><\/li>\n<\/ul>\n<p class=\"p2\"><span class=\"s6\"><b>Summary<\/b><\/span><span class=\"s3\"><br \/>\nThe preceding policies are not exhaustive and may not be suitable for your bank. There is no silver bullet to prevent mobile device intrusions. Banks, however, should incorporate mobile device-related polices into their Information Security Policies. They should also develop and maintain procedures that are regularly updated as mobile device-related threats evolve. 
And most importantly, banks should train and educate their employees on the risks associated with mobile devices and how to prevent or mitigate intrusions.<\/span><\/p>\n<p class=\"p2\"><span class=\"s3\">Even if a bank is proactive, hackers may stay ahead of defenses, and intrusions will occur. Success from a legal standpoint is often obtainable when a bank can demonstrate that it implemented reasonable data security practices and made a good faith effort to identify risks and protect data. Plus, if a bank forces the attackers to lift a finger, there is a decent chance they will pass over that bank and breach someone else instead. <\/span><\/p>\n<p class=\"p5\"><a href=\"http:\/\/www.burr.com\/attorney\/fob-james\/\"><span class=\"s7\">Fob James<\/span><\/a><span class=\"s3\"><i> is an attorney in Burr &amp; Forman LLP\u2019s Birmingham office, where he practices in the firm&#8217;s Cybersecurity and General Commercial Litigation practice groups. <\/i><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>by Fob H. James, IV, Burr Forman Mobile devices are widely used by employees of banks for good reason. They facilitate efficiency and productivity by allowing employees to work and communicate on the go; however, there is always a catch. The downside of authorizing work-related mobile devices is their use can potentially result in the loss of sensitive bank-owned data. Mobile devices provide attackers with additional points of entry into the bank\u2019s systems and points of origin to execute phishing or social engineering schemes. Many bank employees access their work email accounts through their mobile devices. 
The mobile device itself [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":860,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[32,19,23],"tags":[],"class_list":["post-1380","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-board-briefs","category-breaking","category-publications","has_thumb"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/albanknews.com\/wp-content\/uploads\/2016\/09\/BB-web-header.jpg?fit=1109%2C858&ssl=1","jetpack_shortlink":"https:\/\/wp.me\/p4Y3P2-mg","jetpack_sharing_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/albanknews.com\/index.php?rest_route=\/wp\/v2\/posts\/1380","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/albanknews.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/albanknews.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/albanknews.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/albanknews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1380"}],"version-history":[{"count":1,"href":"https:\/\/albanknews.com\/index.php?rest_route=\/wp\/v2\/posts\/1380\/revisions"}],"predecessor-version":[{"id":1382,"href":"https:\/\/albanknews.com\/index.php?rest_route=\/wp\/v2\/posts\/1380\/revisions
\/1382"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/albanknews.com\/index.php?rest_route=\/wp\/v2\/media\/860"}],"wp:attachment":[{"href":"https:\/\/albanknews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1380"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/albanknews.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1380"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/albanknews.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1380"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}