On 26 September 2014, the Monetary Authority of Singapore (the “MAS”) issued a Circular on “IT security risks posed by personal mobile devices” (Circular No. SRD TR 02/2014) (the “Circular”). The Circular was addressed to the Chief Executive Officers of all financial institutions (“FIs”) and the Chief Executives of all insurers.
The Circular addresses IT security risks posed by personal mobile devices, noting at the outset that “Bring Your Own Device” (“BYOD”) is a relatively new practice adopted by a growing number of FIs. The BYOD practice enables employees to access corporate e-mail, calendars, applications and data from their own devices.
This Circular points out the risks associated with the BYOD practice and the responsibilities of FIs in this regard pursuant to the MAS Technology Risk Management Guidelines (the “Guidelines”), considering the challenges in securing, monitoring and controlling these personal devices.
Factors which may hinder security measures
Under the Guidelines, FIs are expected to develop a comprehensive data loss prevention strategy and risk assessment to safeguard sensitive or confidential customer information. The Circular explains some of the risks associated with the use of BYOD:
- Impingement of privacy: Because the device is the employee’s own, the employee is free to install applications of their choice and may object, on privacy grounds, to the installation of the FI’s security software;
- Diverse device portfolio: Employers may have to support a wider range of devices, operating systems and application combinations which may hinder security solutions;
- Lack of control over device updates: Software updates (or the lack of them) are decided by the employee rather than the FI, so a device may run vulnerable software or pick up malware, jeopardising the FI’s data and the corporate systems reachable from that device; and
- Maturity of mobile security solutions: Security solutions for mobile devices are still evolving and do not match the security available for desktop and laptop computers.
Solutions to address BYOD security
The Circular recommends the use of Mobile Device Management and Virtualisation solutions to address the risks mentioned above. Mobile Device Management (“MDM”) includes verification that a device has not been “jailbroken” or otherwise compromised. MDM solutions usually come with storage encryption and remote lock and wipe capabilities, and can be used in conjunction with other security measures. There are also measures which allow employees unfettered personal use of the device while giving the FI the ability to ring-fence and secure the work environment on it. The Circular states that a robust MDM solution should be implemented for all BYOD arrangements.
Virtualisation allows employees to have on-demand access to enterprise computing resources and data from their mobile devices using strong authentication and network encryption. Use of virtualisation would ensure no corporate data is downloaded onto the mobile device and can be used to restrict copying and use of peripheral devices such as removable attached storage, to help prevent data leakage.
The Circular instructs that FIs should not proceed with a BYOD implementation if they are unable to adequately manage the associated security risks. Where BYOD is implemented, FIs are reminded to remain vigilant and to keep pace with technology advances and emerging threats. Regular vulnerability assessments must also be carried out on the BYOD infrastructure.