Grant Taylor, VP of Cryptzone UK, writes how IT departments must modify their security approach to keep up with the demands of a connected world.
The pace of business today requires that workers stay in touch, even whilst on the move. Access to email, data and applications, regardless of someone’s physical location or device used, has become a business imperative. In fact, the truth of the matter is quite simply that employee productivity, customer satisfaction and competitive advantage all depend on adopting mobile working practices.
But it comes at a price – how big a price is down to you.
In the past, IT departments have been reluctant to deploy mobile solutions for fear of the increased risks posed to information security. All too often devices were lost, or stolen, exposing the vulnerable data contained on the device itself. Instead of the benefits these flexible practices could introduce, the mobile device instead became a weapon of mass destruction turned against the corporate defences of the organisation.
However, while in the past saying no to users may have been an option, with today’s modern working practices it’s just unrealistic. This isn’t just in terms of restricting an organisation’s ability to function and therefore hindering its competitiveness, but also from the consumerisation of IT. With the price of technology affordable for the majority, many users are not only happy, but actually willing, to invest and use their own personal devices if it makes their life easier.
Instead of trying to block mobile devices, effective IT departments need to engage more collaboratively with their users in order to embrace these new technologies safely. Open communication, with the recognition that technical controls alone are not a fail safe mechanism to prevent failures in information security, is the key.
Three tips to peace and harmony
The implementation of workable security controls, that balance the needs of users against the real risks facing the organisation, is the only way forward. There are three primary elements to this:
The human dimension
Never forget the first line of defence for improving mobile security is your users. The sad fact is many wrongly believe that the IT department is trying to control them, rather than the actual reality of helping them, to do their job.
The main point to get them to understand and accept is why what they are doing poses a security risk to the organisation. Only once they fully comprehend the reasons for restrictions, will you gain their support.
Users won’t remember what they read when they first joined your organisation. And, actually, policies and practices need to be regularly revisited and changed over time to reflect advancements in technology and also reflect differences in the risks the organisation faces.
To address the human dimension you need to:
•Create, and then regularly re-visit, your home and mobile working policy making sure each key point is explained, in simple language, with no room for interpretation
•Focus your users’ attention by emphasising the consequences of non-adherence. Keep these personal, instant and non-negotiable
•As part of your communication and awareness programme introduce random testing to reveal gaps in understanding
The technology dimension
Introducing mobile connectivity is renowned for increasing help desk support. Although logical, yet often forgotten, is that the more complex the security access solution is, the more difficult it is for users, and therefore the amount of support needed will increase.
Instead, organisations need to keep three things in mind:
•Choose a solution that provides seamless interaction, with data and applications, no matter where people are or the device they are using
•Limit user access in relation to the requirements of their role balanced against the risks posed by their location or device
•Communicate with users why these restrictions are absolutely necessary, especially at the point of use, so they understand why they can’t do something and won’t try to circumnavigate them
The final dimension
This relates to flexibility. In an ideal world you may choose to prevent or restrict unauthorised use of peripheral devices on corporate computers. However, now or in the future, these devices could be deemed a necessary business tool.
Going back to our previous point of denial not always being an effective solution, instead, you need to devise methods that accommodate these necessary deviations:
•Encourage users to discuss the tools they need so you know what is out there
•Track and report on data movements and have a mechanism to obliterate content from lost or stolen devices
•Communicate the benefits of early reporting so users are not afraid to report losses immediately.
By developing mobile security initiatives with reference to corporate risk objectives that are important to end users, your IT department shares the responsibility with business managers and employees. The expectation becomes that everyone helps to mitigate risk proportionately rather than completely avoid it.
On-going education of the reasons behind security precautions, and how a user’s risky behaviour exposes them and the enterprise, with explanations of how it is being overcome is fundamental. Only then can you be sure that everyone fulfils their role in the battle to keep information secure.
To learn more –
