Pub. 5 2016 Issue 1

The CommunityBanker 16 B BANK BYTES y now, I am sure you have heard the debate be- tween Apple and the FBI. As a refresher, the FBI possesses the iPhone of one of the San Bernardino terrorists. To assist with the investigation, the FBI has requested that Apple create a “backdoor” in their operating system to prevent the phone from wiping itself after a certain number of password attempts. The controversy surrounding this request is vast. More Privacy Equals Less Security One faction of the dispute argues that if Apple wins, we could maintain personal privacy at the cost of our national security. Due to a letter released by Apple on February 16, this conversation is not happening behind closed doors. The world is now watch- ing to see what happens. If hackers know Apple is going to protect their information from the government, there is more reason for them to use Apple devices as tools to achieve their ulterior objectives. A ruling in Apple’s favor would set a precedent that personal privacy trumps govern- ment security. More Security Equals Less Privacy The opposite side argues that if the FBI wins, a back- door created can never be undone. In the hands of hackers or, dare I say, cyberterrorists, this backdoor could allow access to information on hundreds of millions of devices. The devices our customers use to sign into online banking apps are the same devices that would have an intentional exploitable backdoor. A ruling in the FBI’s favor would set a precedent in which government security overrides personal privacy, and we could expect to see more of these doors opened in the future. Who Wins? There are no winners in this duel. If Team Apple wins, our threat landscape increases. If Team FBI wins, our threat landscape still increases. There will be fallout, regardless of the outcome. Financial institutions unfortunately fall right into the middle of the crossfire. We could spend time arguing about individual privacy vs. national security, but we can better utilize our time and resources enhancing our own cyberse- curity to protect our customers’ sensitive information. Your Information Security Program should already contain the keys to your metaphorical fallout shelter. Here are some things you should inventory as you prepare for whatever the future may bring: Review Your Risk Assessments. Your information security, internet banking, and other mobile device assessments should already incorporate applicable threats. These types of threats include digi- tal threats, such as exploitation by external attackers or guessed passwords. They also include physical threats, like lost or stolen devices or improper disposal of old phones. The next time you hold your phone, ask yourself, “What could go wrong?” and then explore the answers you discov- er with your security committee. Review Your Policies. You should have policies in place to define what your employees can and cannot do with their mobile devices. This includes not storing or accessing customer sensitive information on their devices, giving you permission to per- form a remote wipe, establishing whether mobile devices are allowed on the company network, and more. Your poli- cies are going to be the backbone for your controls. Review Your Controls. Controls are the practical application of your poli- cies. The FFIEC’s recent Cybersecurity Assessment Tool Individual Privacy vs. National Security By Alyssa Pugh, Software Support Specialist, CoNetrix