<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>MaaS360 Blog &#187; Policy Management</title>
	<atom:link href="http://blog.maas360.com/topics/policymanagement/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.maas360.com</link>
	<description></description>
	<lastBuildDate>Tue, 07 Feb 2012 21:40:35 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Tips for Safe Banking from Your Smartphone</title>
		<link>http://blog.maas360.com/archives/mobilitymanagement/tips-for-safe-banking-on-smartphone/</link>
		<comments>http://blog.maas360.com/archives/mobilitymanagement/tips-for-safe-banking-on-smartphone/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 18:24:42 +0000</pubDate>
		<dc:creator>MaaS360</dc:creator>
				<category><![CDATA[Endpoint Management]]></category>
		<category><![CDATA[Managed Services]]></category>
		<category><![CDATA[Mobile Device Management]]></category>
		<category><![CDATA[Mobility Management]]></category>
		<category><![CDATA[Policy Management]]></category>
		<category><![CDATA[Security Information]]></category>
		<category><![CDATA[account access]]></category>
		<category><![CDATA[app]]></category>
		<category><![CDATA[application]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banking application]]></category>
		<category><![CDATA[corporate network]]></category>
		<category><![CDATA[cyber criminal]]></category>
		<category><![CDATA[cyber theft]]></category>
		<category><![CDATA[financial data]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[lock phone]]></category>
		<category><![CDATA[MaaS360]]></category>
		<category><![CDATA[manage money]]></category>
		<category><![CDATA[MDM]]></category>
		<category><![CDATA[mobile banking]]></category>
		<category><![CDATA[Mobile device Management]]></category>
		<category><![CDATA[mobile transaction]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[Remote Wipe]]></category>
		<category><![CDATA[secure network]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[smartphone]]></category>
		<category><![CDATA[smartphone banking]]></category>
		<category><![CDATA[tablet]]></category>
		<category><![CDATA[wireless network]]></category>

		<guid isPermaLink="false">http://blog.maas360.com/?p=2274</guid>
		<description><![CDATA[by Pragati Jain, Fiberlink Smartphone banking is today’s smart way of managing money on the go. We&#8217;ve all come to appreciate it for the simplicity and convenience it offers us. While the perks are great (quick access to funds, account balance summaries anytime, anywhere) safety and privacy have remained prime concerns. For this reason, I&#8217;ve come <a href="http://blog.maas360.com/archives/mobilitymanagement/tips-for-safe-banking-on-smartphone/" class="more-link">More &#62;</a>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.earthlinksecurity.com/articles/YSR_bank_by_phone_lg/YSR_bank_by_phone_lg.jpg"><img class="alignright size-full wp-image-2279" title="Image source: http://www.earthlinksecurity.com/articles/YSR_bank_by_phone_lg/YSR_bank_by_phone_lg.jpg" src="http://blog.maas360.com/wp-content/uploads/2012/02/YSR_bank_by_phone_lg.jpg" alt="Image source: http://www.earthlinksecurity.com/articles/YSR_bank_by_phone_lg/YSR_bank_by_phone_lg.jpg" width="180" height="180" /></a>by Pragati Jain, Fiberlink</p>
<p>Smartphone banking is today’s smart way of managing money on the go. We&#8217;ve all come to appreciate it for the simplicity and convenience it offers us. While the perks are great (quick access to funds, account balance summaries anytime, anywhere) safety and privacy have remained prime concerns.</p>
<p>For this reason, I&#8217;ve come up with a checklist of best practices to keep in mind while enjoying the smartphone banking experience:</p>
<ol start="1">
<li><strong>Download your relevant banking application</strong> on the mobile device. Ensure that your banking app receives its software updates so that hackers cannot exploit software loopholes. Also, it is recommended that you use any tools or Internet browsers recommended by your bank. This way you may be certain that account information and any financial transactions are relayed in a secured and encrypted manner.</li>
<li><strong>Refrain from using public wireless networks</strong> to avoid any hackers sniffing into your mobile device and stealing your important and confidential financial information. It’s a good idea to connect to your smartphone banking application over a <a href="http://blog.maas360.com/archives/mobilitymanagement/rogue-devices-and-corporate-networks-dont-mix/?A=blog&amp;O=JH">secured or private wireless network</a>.</li>
<li><strong>Be cautious when accessing your account</strong>. Banking applications typically prompt the smartphone user for a login password each time they log in to keep a check on any fraudulent activity. If you find any unusual behavior while accessing your account details, report it to your bank for further investigation.</li>
<li><strong>Cover your tracks!</strong> Some banking applications store sensitive and confidential data in clear text. After every mobile transaction, you must check for any data traces left behind on the phone.</li>
<li><strong>Always lock your phone</strong> when not using it to prevent unauthorized user access. Check your phone settings and enable the auto-lock feature if you have a tendency to keep your phone unlocked.</li>
<li><strong>Ensure that your mobile device has <a href="http://www.maas360.com/products/product-tours/mdm-product-tour/remote-wipe/?A=blog&amp;O=JH">remote wipe</a> installed or enabled</strong>. This security feature is a must: it is the foremost feature every smartphone user must set up in case the device falls into the wrong hands. Also, notify your financial institution about your lost device so that no texts or emails containing your account details or other financial matters will be sent to your mobile device.</li>
<li><strong>Refrain from sending or sharing any financial data over text messages</strong>. It is an easy way of exposing critical information to hackers or cyber criminals. Also, delete or ignore any messages or emails received from unknown senders asking for your account details.</li>
<li><strong>Use strong and complex passwords</strong> for your mobile banking account. It is a good practice to have passwords that are eight or more characters, using numbers, symbols, letters and punctuation instead of ‘1234’ or passwords based on your birthday or anniversary.</li>
</ol>
<p>Do you have any recommendations for safe banking on smartphones? Please share your suggestions and comments below. If you&#8217;re a financial institution looking to keep your device inventory secure, <a href="http://blog.maas360.com/archives/mobilitymanagement/mobile-device-management-for-financial-institutions/?A=blog&amp;O=JH">see how an MDM solution can help</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.maas360.com/archives/mobilitymanagement/tips-for-safe-banking-on-smartphone/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mobile Device Management for Financial Institutions</title>
		<link>http://blog.maas360.com/archives/mobilitymanagement/mobile-device-management-for-financial-institutions/</link>
		<comments>http://blog.maas360.com/archives/mobilitymanagement/mobile-device-management-for-financial-institutions/#comments</comments>
		<pubDate>Wed, 25 Jan 2012 19:23:03 +0000</pubDate>
		<dc:creator>MaaS360</dc:creator>
				<category><![CDATA[Business Intelligence]]></category>
		<category><![CDATA[Endpoint Management]]></category>
		<category><![CDATA[Mobility Management]]></category>
		<category><![CDATA[Policy Management]]></category>
		<category><![CDATA[Security Information]]></category>
		<category><![CDATA[app]]></category>
		<category><![CDATA[application]]></category>
		<category><![CDATA[bank]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[Corporate-owned]]></category>
		<category><![CDATA[credit union]]></category>
		<category><![CDATA[device]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[finance]]></category>
		<category><![CDATA[financial information]]></category>
		<category><![CDATA[financial institution]]></category>
		<category><![CDATA[full wipe]]></category>
		<category><![CDATA[home]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[jailbroken]]></category>
		<category><![CDATA[lost data]]></category>
		<category><![CDATA[MDM]]></category>
		<category><![CDATA[Mobile device Management]]></category>
		<category><![CDATA[Passcode]]></category>
		<category><![CDATA[personal-owned]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[rooted]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[selective wipe]]></category>
		<category><![CDATA[smartphone]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[tablet]]></category>
		<category><![CDATA[Wipe]]></category>
		<category><![CDATA[work]]></category>

		<guid isPermaLink="false">http://blog.maas360.com/?p=2254</guid>
		<description><![CDATA[Employees are bringing devices to work in ever-increasing numbers. Gone are the days of IT handing out devices with just the company-approved software. Now more and more users want to use the devices they own and like, and these devices do double-duty for work and home. This brings up a lot of issues for any <a href="http://blog.maas360.com/archives/mobilitymanagement/mobile-device-management-for-financial-institutions/" class="more-link">More &#62;</a>]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.maas360.com/wp-content/uploads/2012/01/img_tabletFfinance_300x3002.png"><img class="alignright size-full wp-image-2266" title="img_tabletFfinance_300x300" src="http://blog.maas360.com/wp-content/uploads/2012/01/img_tabletFfinance_300x3002.png" alt="" width="240" height="240" /></a>Employees are bringing devices to work in ever-increasing numbers. Gone are the days of IT handing out devices with just the company-approved software. Now more and more users want to use the devices they own and like, and these devices do double-duty for work and home.</p>
<p>This brings up a lot of issues for any industry where privacy and security are important. You want to make sure you know exactly where account information is and who has access to it. For banks and credit unions, the penalties for lost data can be severe.</p>
<p>You’ll need policies that give data access to those who truly need it. Policies that require passcodes, encryption, and more. Did you know that early versions of some platforms have very few security features? Policies, if enforced correctly, can be used to keep devices on later versions of the software.</p>
<p>Alerts are helpful, too. Would your IT department like to know when a device is jailbroken or rooted? How about when a user exceeds the threshold on their monthly data plan? <a href="http://www.maas360.com/products/mobile-device-management/?A=blog&amp;O=JH">Mobile Device Management (MDM)</a> can do all this and more.</p>
<p>A good MDM solution lets you:</p>
<ul>
<li>Enforce passcode type, complexity, length and how often they have to be changed</li>
<li>Specify if users can set their devices to show the text of the passcodes when they enter them</li>
<li>Specify if the data on the device must be encrypted (when supported by the manufacturer)</li>
<li>Turn off device features like the camera, Bluetooth, and tethering</li>
<li>Blacklist, approve or require certain apps</li>
<li>Specify enforcement actions that will be taken automatically if the device is out of compliance</li>
<li>Securely <a href="http://www.maas360.com/products/mobile-application-management/?A=blog&amp;O=JH">push apps</a> to devices</li>
<li>Securely <a href="http://www.maas360.com/products/document-management/?A=blog&amp;O=JH">push documents</a> to devices and prevent them from being forwarded, if necessary</li>
<li>Perform actions on the device, including:
<ul>
<li>Remote wipe</li>
<li>Remote lock</li>
<li>Block</li>
<li>Locate</li>
<li>Reset passcode</li>
</ul>
</li>
</ul>
<p>For financial institutions, it’s not enough to say that your devices are secure. You have to be able to prove it if you need to. If a device with financial information is lost, you’ll need to be able to prove that the device was encrypted, or that it was wiped after the loss was reported.</p>
<p>You&#8217;ll need to be able to see:</p>
<ul>
<li>All the software and apps installed</li>
<li>If the device is fully encrypted</li>
<li>The history of the device, including if it has been wiped</li>
<li>The total roaming mobile data usage for the last six months</li>
<li>Whether devices are owned by your institution or by the user</li>
<li>If the device is jailbroken or rooted (a potential source of malware)</li>
</ul>
<div><span style="line-height: 19px;">To learn more about MDM, <a href="http://trials.maas360.com/forms/register_service_m.php?id=193&amp;A=blog&amp;O=JH">download the free eBook</a>. We also encourage you to share your experiences in the comments below.</span></div>
]]></content:encoded>
			<wfw:commentRss>http://blog.maas360.com/archives/mobilitymanagement/mobile-device-management-for-financial-institutions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rogue Devices, the Big Bad Wolf of the Enterprise</title>
		<link>http://blog.maas360.com/archives/mobilitymanagement/rogue-devices-and-corporate-networks-dont-mix/</link>
		<comments>http://blog.maas360.com/archives/mobilitymanagement/rogue-devices-and-corporate-networks-dont-mix/#comments</comments>
		<pubDate>Thu, 03 Nov 2011 17:10:02 +0000</pubDate>
		<dc:creator>MaaS360</dc:creator>
				<category><![CDATA[Business Intelligence]]></category>
		<category><![CDATA[Endpoint Management]]></category>
		<category><![CDATA[Managed Services]]></category>
		<category><![CDATA[Mobile Device Management]]></category>
		<category><![CDATA[Mobility Management]]></category>
		<category><![CDATA[Policy Management]]></category>
		<category><![CDATA[Security Information]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[business executives]]></category>
		<category><![CDATA[corporate data]]></category>
		<category><![CDATA[corporate network]]></category>
		<category><![CDATA[corporate-issued devices]]></category>
		<category><![CDATA[Dark Reading]]></category>
		<category><![CDATA[Deloitte & Touche LLP]]></category>
		<category><![CDATA[e-mail servers]]></category>
		<category><![CDATA[employee-owned devices]]></category>
		<category><![CDATA[iPad]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Mobile device Management]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[procedure]]></category>
		<category><![CDATA[rogue]]></category>
		<category><![CDATA[rogue devices]]></category>
		<category><![CDATA[Smartphones]]></category>
		<category><![CDATA[strategy]]></category>
		<category><![CDATA[tablets]]></category>
		<category><![CDATA[technology controls]]></category>

		<guid isPermaLink="false">http://blog.maas360.com/?p=1878</guid>
		<description><![CDATA[by John Harrington, Fiberlink If enterprise IT can learn anything from an old fairy tale, it&#8217;s that their house will be blown down when they don&#8217;t prepare for the danger at their door. The majority (~87%) of poll respondents from a 1,200-person Deloitte Webcast have acknowledged the threat of rogue devices&#8211;the big bad wolf&#8211;making this fairy <a href="http://blog.maas360.com/archives/mobilitymanagement/rogue-devices-and-corporate-networks-dont-mix/" class="more-link">More &#62;</a>]]></description>
			<content:encoded><![CDATA[<p>by John Harrington, Fiberlink</p>
<p><img class="alignright size-medium wp-image-1883" style="color: #474747; font-style: italic; background-color: #ffffff;" src="http://blog.maas360.com/wp-content/uploads/2011/11/Untitled-300x300.jpg" alt="" width="300" height="300" /></p>
<p>If enterprise IT can learn anything from an old fairy tale, it&#8217;s that their house will be blown down when they don&#8217;t prepare for the danger at their door. The majority (~87%) of poll respondents from a 1,200-person <a href="http://www.deloitte.com/view/en_US/us/Services/consulting/technology-consulting/technology-offerings/95617c1581390310VgnVCM2000001b56f00aRCRD.htm">Deloitte Webcast</a> have acknowledged the threat of rogue devices&#8211;the big bad wolf&#8211;making this fairy tale applicable to a real life situation. The poll results can further be related to the tale when considering how enterprise IT has prepared for the threat of these rogue devices:</p>
<blockquote><p>Tim Wilson of <a href="http://www.darkreading.com/insiderthreat/167801100/security/news/231901935/nearly-a-third-of-execs-say-rogue-mobiledevices-are-linked-to-their-networks.html">Dark Reading</a> reports &#8220;40% of respondents don&#8217;t know whether their organizations have strategies, policies, procedures, or technology controls in place to effectively enforce mobile security&#8221;</p></blockquote>
<p>This percentage of IT and business executives are choosing to build their house from straw, and as a result are increasing their risk of a mobile security breach to their organization. We all know from the story that taking extra time to build a house of sticks <em>still</em> results in a house being blown down. Now is not the time to wait around to see what happens; set up a brick and mortar umbrella for your mobile workforce before the big bad wolf comes knocking at your door.</p>
<p>Have you taken precautions? Let us know what you&#8217;re doing to prepare. If you could use a good starting point, learn how to <a href="http://www.maas360.com/resources/videos/mdm-in-5-minutes/?A=blog&amp;O=JH">start managing your smartphones and tablets in 5 minutes</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.maas360.com/archives/mobilitymanagement/rogue-devices-and-corporate-networks-dont-mix/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>News Flash &#8211; Employees Blatantly Violate IT Policies</title>
		<link>http://blog.maas360.com/archives/policymanagement/news-flash-employees-blatantly-violate-it-policies/</link>
		<comments>http://blog.maas360.com/archives/policymanagement/news-flash-employees-blatantly-violate-it-policies/#comments</comments>
		<pubDate>Mon, 12 Apr 2010 14:00:45 +0000</pubDate>
		<dc:creator>MaaS360</dc:creator>
				<category><![CDATA[Policy Management]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[information technology]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[mobility management]]></category>

		<guid isPermaLink="false">http://blog.maas360.com/?p=475</guid>
		<description><![CDATA[by Clint Adams, Fiberlink This recent headline is based on a survey conducted by Fiberlink and states that one in ten employees has “blatantly” violated IT policies at some point in order to be productive. Definitely an interesting statistic. This made me wonder how many employees are inadvertently violating IT policies in the quest to <a href="http://blog.maas360.com/archives/policymanagement/news-flash-employees-blatantly-violate-it-policies/" class="more-link">More &#62;</a>]]></description>
			<content:encoded><![CDATA[<p>by Clint Adams, Fiberlink</p>
<p>This recent headline is based on a <a title="Read the study" href="http://www.maas360.com/fiberlink/en-US/knowledge/whitepapers/Extending_Compliance.html" target="_self">survey conducted by Fiberlink</a> and states that one in ten employees has “blatantly” violated IT policies at some point in order to be productive. Definitely an interesting statistic.</p>
<p>This made me wonder how many employees are inadvertently violating IT policies in the quest to be productive. I would hazard to guess some multiple of one in ten. Obviously, inadvertent violations cannot be measured by surveying the users, but understanding the scope of these violations is just as critical. This is where the security controls we place on the systems help, or at least where they should be helping.</p>
<p>The reality is that inadvertent violations are not only more numerous, but even potentially more damaging. Think about a “blatant” violation. A user, in an effort to be more productive, defeats a security control to move a file, get to a restricted website or send confidential content via public email. Because there is knowledge and intent, there is also awareness and hopefully some prudence. They are more likely to monitor their own actions in an effort not to do damage.</p>
<p>When a user is inadvertently violating IT policy, they have no awareness and are blindly performing actions that can be destructive to their employer. Where does this conversation lead us? To the age-old question of awareness.</p>
<p>Awareness is a key ingredient in the security and compliance mix and can be effective on two fronts. The first front is awareness of the policies. This usually takes the form of published and communicated IT policy and guidelines that each employee understands and agrees to comply with.</p>
<p>The other dimension is the awareness of being monitored for compliance with the stated policies and awareness of the consequences of violations for themselves and the company.</p>
<p>The ability to make the individual aware on these two fronts must be considered when evaluating various security controls and there is definitely room for improvement in many enterprise organizations in this regard.</p>
<p>In general, employees can be trusted to comply with written policies; they want to comply and understand the need to comply. That said, on a daily basis they also make decisions about how to balance the need for security and productivity (as the Fiberlink survey teaches us). Determining the balance between productivity and security is not the exclusive domain of the security professional. In the mobility space, users still have a significant power in making these decisions because they are mobile and away from strong perimeter controls.</p>
<p>Taking a calculated risk to meet a need is human nature and we do it all the time. We speed when we are late for a meeting or event; construction safety is often compromised when deadlines are looming. Calculated risks are a way of life and expecting employees to apply a different way of thinking to IT policies than they do to the rest of their life is not realistic.</p>
<p>Given this reality, we can learn from other areas on how to gain greater compliance with policies. The biggest single influence in changing user behavior is the knowledge of being monitored. This has been demonstrated in a number of areas from the proliferation of CCTV systems to various traffic control systems (speed cameras and the like). Individual behavior is changed radically when there is knowledge that they are being monitored and knowledge of the range and scope of the monitoring.</p>
<p>Given the importance of awareness, another very important tool in achieving greater IT policy compliance is real-time coaching or “in the moment” education. Even though an individual may be aware of a specific policy and understand that they are being monitored, they may not understand that an action they are performing is violating the policy. This is where the security applications and controls that are implemented can do a much better job. The same controls that are logging the violations and providing this information to a central console should also have the ability to educate in real time and use the event as a teaching opportunity to raise overall awareness.</p>
<p>Security vendors have traditionally not been great in this regard. They may prevent an action but many times the user is left frustrated and in the dark and looking for ways to defeat the control that blocked them.</p>
<p>As we evaluate and implement security controls we need to be thinking about the end user in all phases of security. Written policies need to be understandable and effectively communicated. Security controls that are implemented should be evaluated for their ability to prevent and log violations but also their ability to provide information in real time to the end user on what the violation was and the consequences and importance to the company.</p>
<p>Have you ever violated company policies to be productive?  Comment below, and let us know.</p>
<p><a title="Read the study" href="http://www.maas360.com/fiberlink/en-US/knowledge/whitepapers/Extending_Compliance.html" target="_self">Read the full survey here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.maas360.com/archives/policymanagement/news-flash-employees-blatantly-violate-it-policies/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mass Data Protection Law: Start of a Trend?</title>
		<link>http://blog.maas360.com/archives/policymanagement/mass-data-protection-law-start-of-a-trend/</link>
		<comments>http://blog.maas360.com/archives/policymanagement/mass-data-protection-law-start-of-a-trend/#comments</comments>
		<pubDate>Mon, 01 Mar 2010 20:42:44 +0000</pubDate>
		<dc:creator>MaaS360</dc:creator>
				<category><![CDATA[Policy Management]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[consumer protection statute]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data encryption]]></category>
		<category><![CDATA[Mass 201]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[state of massachusetts]]></category>

		<guid isPermaLink="false">http://blog.maas360.com/?p=374</guid>
		<description><![CDATA[by Chris Corbet, Fiberlink On March 1st, 2010, the state of Massachusetts raised the bar for companies and their IT organizations by implementing tough legislation that requires new protections for customer data. Any organization that has customers located in Massachusetts will have to abide by 201 CMR 17.00: Standards for the Protection of Personal Information <a href="http://blog.maas360.com/archives/policymanagement/mass-data-protection-law-start-of-a-trend/" class="more-link">More &#62;</a>]]></description>
			<content:encoded><![CDATA[<p><em>by Chris Corbet, Fiberlink</em></p>
<p>On March 1st, 2010, the state of Massachusetts raised the bar for companies and their IT organizations by implementing tough legislation that requires new protections for customer data. Any organization that has customers located in Massachusetts will have to abide by 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, aka, the <a href="http://www.maas360.com/fiberlink/en-US/utility/Mass201.html" target="_self">Mass Data Protection Law</a>. This regulation applies to all organizations &#8220;who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts.&#8221;</p>
<p>This is a game changer in the security industry, as encryption will quickly become a requirement for all organizations that want to do business in the 3rd most densely populated state. Organizations that do not comply may, in the event of a data breach, be exposed to claims by the Massachusetts Attorney General, businesses and individuals under Massachusetts&#8217; consumer protection statute. Aside from class action lawsuits and audit costs, non-compliant organizations can also be charged up to $50,000 per incident for improper record disposal, with a maximum fine of $5,000 per violation of compliance standards. In the event of an attack, this could cost a company millions of dollars. When TJX was compromised in 2007, it cost them $250 million in just the first 12 months following the <a href="http://www.itbusiness.ca/it/client/en/home/News.asp?id=46776" target="_blank">data breach</a>. The Massachusetts state law, had it been in effect at the time of that breach, could have more than doubled this total.</p>
<p>Identity theft is a scary thing&#8230; It must feel good to be a Massachusetts resident and know that your state is looking out for your personal identity and holding organizations accountable. Expect other states to follow. Throughout history, Massachusetts has paved the legal road for many social issues, and shortly thereafter other states followed by enacting their own protections. We can be sure that regulations like this are not going away (for example, there’s <a href="http://leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf" target="_blank">Nevada&#8217;s re-vamped encryption law SB 227</a>), and these regulations will continue to drive organizations to implement security standards and encrypt all data residing on their devices.</p>
<p>Deploying encryption software can strike fear in the hearts of IT organizations throughout the country that are already short of resources. &#8220;Companies needing to move quickly to implement data encryption should follow best practices and evaluate managed services that take advantage of cloud computing,” says Mark Nafe of Checkpoint. Other &#8220;best practice&#8221; recommendations include:</p>
<ul>
<li><strong>Select the right technology based on your objectives. </strong>Full Disk Encryption tends to be more of a &#8220;set it and forget it&#8221; product line, which can enable organizations to move fast and gain compliance with this regulation. Other technologies allow you to pick and choose what to encrypt.</li>
<li><strong>Plan the project and design the solution.</strong> Ensure you have the right people in place, and offset burden wherever possible by taking advantage of managed service providers with experience.</li>
<li><strong>Prepare and configure the software.</strong> Be sure to test the software&#8217;s configuration on any and all corporate images you manage to minimize potential install failure rates.</li>
<li><strong>Remember everyone.</strong> Don&#8217;t forget those users that do not frequently connect to the corporate network.</li>
<li><strong>Track your roll out.</strong> Practice proactive management based on reporting and business intelligence. Watch for potential issues and proactively remediate where needed. Ensure that you have a reporting solution in place that will allow you to prove compliance with this regulation quickly and efficiently.</li>
</ul>
<p>The key component of the Massachusetts Data Protection Law is this: &#8220;Encryption of all personal information stored on laptops or other portable device.&#8221; With MaaS360 and Checkpoint, you can protect your devices, and prove it. To learn more about how this managed encryption service can help, <a href="http://www.maas360.com/fiberlink/en-US/products/security/dataencryption.html" target="_self">click here and request a demo</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.maas360.com/archives/policymanagement/mass-data-protection-law-start-of-a-trend/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Security Beyond the Castle</title>
		<link>http://blog.maas360.com/archives/policymanagement/security-beyond-the-castle/</link>
		<comments>http://blog.maas360.com/archives/policymanagement/security-beyond-the-castle/#comments</comments>
		<pubDate>Thu, 30 Apr 2009 15:15:46 +0000</pubDate>
		<dc:creator>MaaS360</dc:creator>
				<category><![CDATA[Policy Management]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[transparency]]></category>

		<guid isPermaLink="false">http://mevolutionblog.com/?p=67</guid>
		<description><![CDATA[Guest blog from David Lingenfelter, Fiberlink Security Officer With people working in a mobile enterprise, it all comes down to security. Think of it in terms of a castle. Everyone used to live within the confines of the castle where everything would be monitored. Now, not only have people started to move out of the castle, but <a href="http://blog.maas360.com/archives/policymanagement/security-beyond-the-castle/" class="more-link">More &#62;</a>]]></description>
			<content:encoded><![CDATA[<p class="MsoNormal">Guest blog from David Lingenfelter, Fiberlink Security Officer</p>
<p class="MsoNormal">With people working in a mobile enterprise, it all comes down to security. Think of it in terms of a castle. Everyone used to live within the confines of the castle where everything would be monitored. Now, not only have people started to move out of the castle, but they are traveling around the world where they can’t be supervised. At one time the traditional firewall and perimeter served as the moat and reinforced drawbridge to keep out intruders, but the castle is now vulnerable to siege at a moment’s notice. Portable devices such as laptops, netbooks, and smartphones open the drawbridge for substantial security breaches. This need for protection is the King’s main concern.</p>
<p class="MsoNormal">It’s no secret that portability has become essential when accessing information in the business world, but there is a considerable amount of risk associated with mobility. The Federal Trade Commission estimates that business data losses, as a consequence of data theft and identity theft, amount to almost $50 billion annually.</p>
<p class="MsoNormal">And to further emphasize the necessity for security improvements, PricewaterhouseCoopers conducted a study in 2008 of more than 7,000 IT and information security professionals with CIO and CSO magazines worldwide. They found that “71% of respondents stated their organizations do not maintain an accurate inventory of where high-value data is stored.”*</p>
<p class="MsoNormal">When this data is lost or stolen, the results are catastrophic. It can lead to lawsuits, loss of a loyal customer base, fines from government agencies, and, worse, leave the company’s systems severely weakened. We live under the assumption that compliance regulations will keep us safe, but the truth is that standards set by the industry leave us with a false sense of security.</p>
<p class="MsoNormal">So can you ever have too much security? No. With a virtual landscape that changes daily, it’s critical to stay more protected today than you were yesterday.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.maas360.com/archives/policymanagement/security-beyond-the-castle/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

