We are looking at allowing employees to access their bank email by using their phone. I am looking for information that would help us in evaluating the risks associated with this service. Any suggestions?

The security of the phones would be key.

You may want to have a chat with your bank attorney about drafting some "bring your own device" procedures, too.

Will employees be using their personal phones, or will your institution be supplying them?

And there are a ton of posts on use of employee owned phones.

Today's online American Banker has an article about security risk of BYOD. The first sentence states that these personal devices (phones and tablets) are the most likely place for customer data to be leaked according to a survey by the Ponemon Institute of US IT and data security practitioners.

I once had to field a customer complaint because a man picking up trash found my customers canceled check. The explanation was that the check had gone to a shred facility. On a windy day they lost some item as the truck was emptied. The check blew against a fence nearby, that homeowner picked up the check and sent it to my customer based on his address on the check.

Headaches with the customer, the shred facility, a mini nightmare for no reason. No way would I want an unsecured phone out there. It would need a strong passcode, the passcode needs to be used and the device needs to be able to be wiped remotely, a location capability is a plus. I'd prefer to separate personal and bank email as well.

But face it, IT needs to adapt. Smart phones and tablets are coming, laptops are going away. Email, and text messaging(!) is often a preferred communication and texting will be more so as the young generation matures into the banks profitable customers. My 20 year old son rarely does email - he texts. If I was a banker courting his business, if I texted him I'm be far ahead of the banker emailing him.

We use an email "app' on smartphones for company email. You do not get work email without it.

And while I do not recommend this app at all(and will not mention it by name) I would imagine that any such providers would be able to provide you with the research you need.

To be clear, this "app" essentially locks down certain functions of the phone, allows IT to remotely wipe in the event of theft or loss, and ensures a passcode to access the app itself.

And it is my personal device(i purchased it although work pays for service for me - for others in the company, work pays for a certain allowance per month)

Here only bank-provided phones can sync up to the email server. That way the bank has control of the phone and can wipe it remotely if it is lost/stolen/compromised. IT sets up security standards like a multi-digit PIN to unlock the phone. In addition, by being synced to the server, everytime the employee changes their name on the system, the password needs to be updated on the phone or they lose email access.

I'm not saying it's a perfect system, but it's how we've managed the risk so far. There will always be risks and we've tried to train employees to treat their phones like the computer on their desk... it's an access point to our system and needs to be protected like all customer data.

You say it may not be perfect, but it certainly is better than work on your personal phone that may or may not be reimbursed by your employer. As soon as bank IT needs access to something on your phone, having a bank-issued phone on your desk just made it simpler for your IT guy and reduced some legal risk for your bank. Can you imagine your IT guy accessing someone's personal phone in order to secure info that was needed?

Have to admire your bank, manimal, for sticking to one means of access and having advance training.

Same here

Thanks! We try CT!

We use Good Messaging on bank provided phones (currently bank uses iphone, Samsung Galaxy, or HTC Droid phones only). Can be wiped remotely. If an employee wishes to use a personal device for email it requires LOB Director approval and Good Messaging as well.

Ditto process here. I am the only one who is allowed bank e-mail access on my personal Iphone. I choose not to have a Bank issued cell phone as the majority of the time it's for my personal use.