How BYOD and industry regulations impact your fintech firm

At the fundamental level, enterprise technology exists to ease the burden of work-related tasks, helping users work smarter, not harder. Empowering people by simplifying work goes part and parcel with this fundamental belief, which forms the crux of Jamf’s mission statement – “helping organizations succeed with Apple.”

With a 20-year history of managing and securing more than 29 million devices for companies ranging in size from small startups to Fortune 500 – Jamf’s foundational partnership with Apple has served our global customers well through the vast insight into the latest technology, usage trends, and the modern threat landscape.

At the recent JNUC 2022 event held in San Diego, Jamf CEO Dean Hager took the stage to welcome online and in-person attendees, delivering a keynote presentation that touched upon some of the latest technologies and the partnerships that deliver the best-of-breed management and security experience to all stakeholders.

While there was certainly a lot to learn and be excited about at JNUC, BYOD — from a security and compliance standpoint — as well as how they interact to improve the much-lauded end-user experience really got attendees excited.

The aim of this blog is to crystalize Jamf as an industry leader in the management and security spaces respectively when it comes to helping organizations to succeed in securing and managing their Apple endpoints – regardless of the industry, their location or where their employees are most productive.

The role of security in compliance

There are a great many industries that are regulated around the globe. Whether they’re subject to comply with regulations based on industry, the regions in which they operate or due to governmental laws – or even all of the above – compliance exists for any number of reasons but make no mistake, the regulatory bodies and agencies that govern them take this role very seriously. Failure to comply often results in steep fines against organizations that violate regulations, including criminal liability due to willful negligence.

As you may know, Financial technology firms (Fintech, for short) are companies that work in the finance and securities realm, such as banks, investment brokers and the like. Financial institutions are considered a part of the highly regulated finance industry due to the requirement for extensive documentation – deemed sacrosanct for business continuity – of each transaction, every communication and actions taken, must be recorded so as to verify the chain of custody relating to all dealings. This is done to limit any semblance of impropriety while preserving market integrity.

Fintech firms pay the price

In September 2022, the U.S. Securities and Exchange Commission (SEC) fined sixteen fintech firms a total of $1.1 billion(with a “B”) in penalties after regulators tasked with investigating offenses found that each firm had violated recordkeeping provisions required of them in order to comply with federal securities laws. Simultaneously, the Commodity Futures Trading Commission (CFTC) assessed the same firms $710 million in penalties for “failing to maintain, preserve, or produce records” also required under the CFTC recordkeeping requirements, as well as “failing to diligently supervise matters related to their businesses” as registrants of the CFTC.

Combined, the $1.8 billion penalties imposed against the fintech firms center around what the SEC referred to as“pervasive off-channel communications” and “widespread use of unapproved communication methods”. The firms admitted to wrongdoing, including lying to investigators and trying to hide the “longstanding failures by the firms and their employees” from the investigation.

“Finance, ultimately, depends on trust. By failing to honor their recordkeeping and books-and-records obligations, the market participants we have charged today have failed to maintain that trust,” – SEC Chair, Gary Gensler

Why fintech’s response won’t work

Paying the fine is just one aspect, but it doesn’t do anything to remediate any existing compliance gaps. In response to the compliance concerns, several fintech firms are hiring consultants to address the shortcomings.

The proposed solution?

Invest in company-owned smartphones for all employees to restrict what apps employees can and cannot use, especially how they can communicate with clients, customers and one another within the firm.

What’s so wrong with that, you might be thinking. Well, it’s bad news for all stakeholders, since this workaround requires employees to now carry a second phone: their personal device they’re already using and have grown accustomed to alongside a business-only device, which will likely change their productivity workflows significantly.

While the company-owned offering will be managed by the firm to restrict unauthorized usage, the fact remains that this“solution” still does nothing to prevent users from simply reaching for their personal device when needing to connect with that all-too-important client. Additionally, it does nothing to prevent said clients from contacting employees on their personal devices, since compliance enforcement is limited exclusively to the company-owned devices while still relying on fintech employees to self-regulate their actions.

In other words, while useful in certain instances, the solution may be too cumbersome, adding an additional obstacle to helping users stay productive while erring on the right side of compliance. After all, if an employee’s company phone gets damaged or is lost and critical communication is made from the personal phone in a moment of an emergency, it’s game over – the compliance chain has been broken.

Other issues that impact user productivity, placing both data and compliance at risk are:

• Second device to manage daily means double the work:
  • Maintaining healthy battery life
  • Ensuring devices are patched/apps updated
  • Additional administrative overhead (ex. managing contacts and data on a secondary device)
  • New workflows may be difficult to use or not as user-friendly as existing apps/services known and used by users
  • Increased chances of equipment and data loss or theft
  • Greater investment costs to firms (devices, mobile device management, endpoint security, administrative work performed by IT, such as inventory management and costly support contracts)

Ultimately, this proposed solution results in a classic case of a new security policy actually worsening security by making it less efficient and more costly while negatively impacting employee productivity, leading to diminished quality of service provided to fintech customers, loss of revenue and potentially more compliance issues than it resolves.

What’s the right solution?

We’ll tell you! A better approach is to secure data and communications from threats – regardless of the device – allowing IT and Security teams deep visibility into endpoint health and security data, using that actionable data to enforce compliance with regulatory requirements all while allowing employees the flexibility to work with the devices and apps they feel most comfortable and therefore, will be most productive with.

As for the solution itself, well, it would look something like this:

• One modern mobile device
• Two telephone numbers
• Effective policies to enforce compliance
• Seamless user experience between personal and work communications

Jamf Trusted Access

Jamf is the market leader in Apple-first device management and endpoint security. While each solution can be used independently, even more powerful workflows are unlocked by integrating solutions to provide greater management capabilities that are tied directly to rich data telemetry that is collected from Jamf Threat Defense, securely sharing mobile endpoint health data with Jamf Pro to automatically patch devices that are out-of-compliance while policies enforce protections to ensure that data remains secure.

Furthermore, integrating these solutions with Jamf Connect, identity-based workflows not only simplify device deployments but make provisioning secured access to organizational resources a breeze, ensuring that users only have access to the resources they need to be productive – and nothing else – limiting the attack surface.

Speaking of identity and policy-based enforcement, Jamf Private Access evolves secure communication from legacy VPN to support Zero Trust Network Access (ZTNA), which keeps communications secure over any network, while also enforcing the principle of least privilege while verifying that endpoints and users making requests to resources are not only permitted to access it but meet the endpoint health requirements to be able to do so securely – without exposing data, apps or resources to risk from compromise or bad actors.

In short: Trusted Access is a holistic approach to security.

eSIM = One for work, the other for personal

Dual SIM technology has been around for many years, but often the benefit of having access to two separate voice and data lines came at the expense of significant battery drain to keep both lines active.

As with all things technology, this too evolved, bringing us eSIM. A digital SIM allows modern mobile devices to use a secondary voice and/or data line without having to retrofit a second physical nano-SIM card.

With eSIM technology supported on your Apple iPhone, for example, two numbers can be in use at the same time: one for business, the other for personal. Additionally, two data plans may also be supported, with separate voice and data lines existing to drive services for each specific use case without affecting communication integrity or compromising productivity – whether it’s for work or personal use.

Furthermore, since eSIM is fully supported by Apple and Jamf, managing one device with two voice and data lines is simplified. Jamf Pro fully manages eSIM settings along with the device itself, allowing the technology to meet the needs of the user without necessitating carrying a second device that could otherwise be used to circumvent compliance and data security requirements.

Implement usage policies and enforce them

The key to organizations meeting their compliance goals is to enforce endpoint security and align requirements with organizational policies, industry best practices and security frameworks to ensure devices remain compliant.

In the event that devices fall out of compliance due to security threats or risky behaviors, policies spring into action to correct the identified issue before it can lead to something worse. This is enforcement.

Let’s look at an example of a usage policy and how enforcing it could help fintech firms in a single-device, dual-line environment, shall we?

Leveraging Jamf Private Access along with IdP, organizational resources can be protected by ZTNA technology, requiring employees to not only authenticate using their company-provisioning credentials but the state of their device must meet minimum requirements, such as staying current with patches and app updates. If requirements are met, access is granted and employees are permitted to access protected resources. A policy can be implemented to ensure that whenever attempting to access organizational resources, the connection is automatically secured regardless of the network being used so that traffic is encrypted. Furthermore, business-related work, including communications and apps is segmented within the iPhone’s internal storage and kept separate from non-business data and apps stored.

Not only does policy verify that endpoints and users are healthy and have the correct permissions to access protected resources, but should a discrepancy be identified, access is denied and remediation workflows are executed to correct the issue before access can be granted. The policy also keeps business traffic secured through encryption without affecting user privacy, which is routed directly to the internet. Lastly, the risk of co-mingling business and personal data is mitigated by ensuring that business data stay isolated from personal data regardless of which apps are used or the ownership model used.

How does ZecOps factor into all this?

In addition to the comprehensive management and security solutions offered by Jamf to help organizations succeed with Apple, we recently welcomed ZecOps to the Jamf family. ZecOps Mobile XDR, or Extended Detection and Response solution empowers IT and Security teams to both discover and analyze mobile cyber-attacks across their fleet.

With unprecedented visibility into mobile device logs, organizations can discover sophisticated 0-day, 0- and 1-click attacks that would otherwise remain hidden were it not for ZecOps’ capability to extract, deliver and analyze critical data for indicators of compromise (IoC) and malicious activity.

This results in faster identification of compromised devices and more thorough investigations thanks in no small part to automated analysis that reduces manual investigation times from months to mere minutes. Furthermore, the efficiency-based processes protect user privacy by only analyzing data that is required for security investigations.

Simply put: less time wasted on analyzing useless data streams equals threats detected quicker and remediated before risk leads to a data breach.

Key takeaways:

• Fintech is a highly regulated industry, subject to both compliance audits and is among the highest targeted by cybersecurity threats
• Complicated solutions that don’t address the core problem are workarounds at best, providing a false sense of security at worst
• Juggling multiple mobile devices: one for work, one for personal use often impacts user productivity and loss of revenue stemming from additional work in maintaining two devices
• Streamline device management by focusing on one device and two voice/data lines to enforce compliance while remaining flexible for all stakeholders
• Trusted Access from Jamf blends device management, endpoint security and identity provisioning to holistically manage the device and application lifecycles
• eSIM technology allows organizations to add a second voice and/or data line to a modern mobile device, so users can keep business and personal communications separate without the added headache of maintaining a second device
• Aligning organizational and regulatory policies with policy-based management is the key to successfully enforcing compliance
• ZTNA technology encrypts business traffic over all networks while non-business traffic is routed directly to the internet, securing critical communications while upholding user privacy
• Segmenting business data from personal data on mobile endpoints, like iPhone, ensures that data never co-mingles, mitigating the risk of data leaks from various attack vectors
• Mobile XDR empowers IT and Security teams with deep visibility into logging data to speed investigations through automated analysis of IoCs and malicious activity