The better workers understand how to safely use their mobile devices to conduct business, the greater your chances of avoiding a significant security breach that jeopardizes the organization's reputation.
A mobile device security policy means nothing if your employees don't understand it or, worse still, don't know it exists. No matter how comprehensive policies might be -- or how advanced the technologies you use to enforce them -- human behavior remains a critical and often misunderstood component in trying to protect sensitive company resources.
Your corporate security strategy should include a comprehensive education program that not only teaches workers how to safeguard their devices and avoid risky behaviors, but also to keep security a top priority, regardless of circumstances.

When it comes to mobile security, there's a significant gap between policy and practice. Organizations are failing to educate their employees on the importance of mobile security and safe mobile device practices, leaving many workers to assume that they have no obligation to protect company resources and that mobile security remains solely within the purview of IT. As a result, mobile workers routinely put sensitive resources at risk.
Employers must educate their workers about potential dangers and what constitutes risky and unacceptable behavior. Without a carefully planned and executed program for training and educating mobile workers, organizations open themselves up to compromised resources, compliance violations, costly liability suits and the potential for irrevocable damage to their reputations.
Get started training your workers
Before you embark on a training and education program, you should have a comprehensive mobile device security policy in place. Your policy is a significant component of your overall security strategy and provides the foundation on which to build a training and education program.
Once your policy is in place, you'll need a plan for effectively communicating policy information. First and foremost, communications regarding mobile device security should originate in the organization's upper echelons. Workers must see that everyone at the top considers security a priority. Offhand remarks by middle management during lunch strategy meetings are not nearly as effective as companywide messages from the CEO focused solely on security.
Communications must also go beyond the dense and dry tomes of formal policy documents. Concepts should be broken down into easily understood chunks of information and supplemented with specific steps that explain how to secure devices and what behavior to avoid. The goal with all communication is to make sure workers have a clear understanding of what's expected. Information should be repeated as often as necessary to ensure everyone understands and is on board with the program.
To support your communication efforts, you should put into place a comprehensive training program that focuses on mobile device security. Although you'll want to target new hires specifically, all mobile workers should receive some level of periodic and continuous training. Information should be clearly communicated within the trainings, and those trainings should be regularly updated to ensure they remain effective and relevant. In addition, they should cover any topics pertinent to business operations and facilitate the easy exchange of information so employees can ask questions and receive the answers they're looking for.
Training should provide workers with the conceptual underpinnings they need to understand device security and hands-on demos that walk them through the steps necessary for securing their devices, configuring apps and working within a secure environment. If necessary, show them how to perform such steps as changing passwords, locking devices or implementing encryption. Not everyone will have the same technical background or capabilities, so be sure to take into account the needs of your workers and adjust your training accordingly. Make sure you provide workers with details about how to find additional information and support, with specifics on what to do if they run into problems or a device is lost or stolen. You might even survey your employees to verify whether they understand what's expected of them and what steps they can take to minimize risk.
Also, explain how to avoid risky behavior, such as installing unsanctioned apps, using unsecured networks or transferring data to personal email and storage accounts. Stress the importance of proper Internet use and how to access the corporate network safely, focusing on such issues as passwords and Wi-Fi network usage best practices. The mobile device security policy should also spell out what employees can and can't do in these areas.
Some employees have no idea that their behavior is risky until you specifically point it out. Even the more advanced user doesn't necessarily understand such concepts as root certificates.
Once you've communicated the necessary background information, get into the details of the policies themselves. One policy issue of particular importance is that of data ownership. Many devices and mobile device management (MDM) products now support remotely wiping a device if it is lost or stolen. If a device contains both company and personal data, the personal data can be destroyed along with the company data. Workers need to understand this in the event their devices go missing and they end up losing personal information. Some devices now support dual-persona technology, which segregates company data from personal data, and mobile application management, which gives IT more granular control strictly over corporate assets. But those capabilities are a long way from being universally implemented.
Also, be sure to educate your mobile workers on the best ways to safeguard their devices. This applies not only to built-in configuration settings and security-related apps but also to how to physically protect a device to minimize the risk of having it lost, stolen or in some way mishandled. It's important to stress the importance of reporting a lost, stolen or compromised device as soon as possible to mitigate possible fallout.
Tips on educating employees
Once you've committed to a training and education program, you must determine exactly what you want to communicate to your workers. A good place to start is with background information that explains why a mobile device security policy and employee training are necessary. You might go over the possible risks you're guarding against, such as violating compliance regulations, compromising private data or exposing your resources to cyber-criminals. Support your discussion with statistics that show how serious the consequences can be.
Part of your discussion should also include details about why MDM is needed and how it helps mitigate risks. Explain the importance of not disabling or overriding management or security software on mobile devices and provide specific examples. For instance, you might describe a scenario in which an employee turns off an antivirus app to save on battery life when offsite. Then, explain how one infected phone connecting back to the company network can expose other systems to compromise or damage. People in IT might get why all these safeguards are important, but other employees often need more detailed explanations.
Be sure to also inform workers of the consequences of not meeting their responsibilities. Different companies implement different policies for how to handle lost devices or data breaches, ranging from poor performance reviews to firing the guilty party. Whatever that policy is -- and this is a discussion you should be having with the human resources department -- mobile workers must fully understand what's at stake for them individually as well as for the company as a whole. Workers should know what is expected of them, what the consequences are if they do not meet those expectations, and what they can or cannot do in the event a device is lost or data is compromised.
Above all, senior management should provide an example for other workers to follow. If company leaders don't adhere to mobile device security practices, how can they expect their employees to?