By Nestor E. Arellano
It’s getting tiring to hear that tech users are data security’s weakest link.
Recently we reported on a study released by Symantec Corp. which outlined the key differences in the security features of Apple’s iOS and Google’s Android mobile operating systems.
The study noted that popular mobile gadgets such as the iPod, iPhone, iPad and the multitude of Android phones and tablets were designed for consumers and have “traded off their security to ensure usability to varying degrees.”
“These tradeoffs,” the report said, “have contributed to the massive popularity of these platforms, but they also increase the risk of using these devices in the enterprise.”
The manufacturers could have made a more secure product, but they opted to lower their security posture in order to sell more units.
What about the issue of these devices being consumer items being brought into the workplace by their users?
Can you really blame the users when manufacturers do not actually specify their products as unsafe for business use but rather encourage their deployment in the workplace?
Admittedly there are users who use their personal devices and other services in ways that put their company’s network and data at risk. Symantec’s study titled A Window into Mobile Device Security did outline how some users resort to certain device and data synchronizing techniques not necessarily sanctioned by their company’s IT department.
These syncing tools and techniques run the risk of carrying data out of the confines of a protected corporate network and into the user’s personal network.
Okay, we can be a massive headache for IT and we can be a security risk (what isn’t these days). But we don’t need to be the “weakest link” forever. I believe this is something both users and IT can work on together.
Clearly, the run-of-the-mill onboarding memo on security do’s and don’ts doesn’t work. The same goes for merely having employees sign off on company security policies. More likely than not, those documents are kept in drawers or on shelves to gather dust – in workers’ cubicles as well as in HR offices and IT departments.
Because we now live in an environment where security threats are constantly evolving, now more than ever, users need to be given up-to-date information and training on how they can lessen their risk profile and how their actions might be compromising the company’s security as a whole.
So, IT administrators, read up. Here are some facts that might help you tailor the appropriate security training program for us users:
It’s a cubicle world – We all have lives outside the office. But on average, our view of security is likely to be one-dimensional. We tend to view security only as far as it affects our own responsibilities rather than from the standpoint of accountability for the whole organization.
Help us understand how our actions might affect the company’s security posture – for example why we need to update five different passwords regularly.
Short term memory – Details of the security briefing back in ’99 might have slipped our mind. We need to be reminded about the basics and a few new threats now and then.
Maybe a quarterly employee awareness seminar would be ideal. Nothing fancy: a come-as-you-are, cookies-and-coffee affair with nice slides about the latest companies being slammed by LulzSec or Anonymous, or the newest Trojan, will do. Hey, it’s an excuse to get out (of the cubicle); who could resist?
Boredom and fear don’t sell – Emails that warn against clicking on malicious emails, reminders against sharing passwords or surfing dangerous sites: they’re likely to be ignored because in many instances they come to us as white noise.
Many security experts say that to make employees more invested in security, they need to be made aware that security measures are imposed for their own benefit as well as that of the company.
If the “own benefit” part solely means not losing our jobs, that’s not necessarily the excitement-inducing formula we were looking for. How about some discussion on how security measures can help us do our jobs better or faster?
Ask me about it – Take the time to find out what we think, what issues we have or what we want in terms of technology and security. Seek our feedback on planned implementations or tech policies.
Maybe the quarterly security seminars might be a good venue for users, the IT department and management to air their views.
For instance, the rapid rollout of new mobile devices and introduction of various cloud-based services could be a good conversation starter.
Users want to know what personal devices they could bring into the company network.
For some organizations with certain security postures, the answer might be a definite “none whatsoever,” but for others there could be some room for negotiation. It could even lead to new tech solutions that improve employee productivity and benefit the company.
Whatever the case might be, a good open discussion on the topic could avert a situation wherein employees resort to onboarding personal devices on their own and using consumer-based services on the sly.
Nestor Arellano is a Senior Writer at ITBusiness.ca. Follow him on Twitter, connect with him on LinkedIn, read his blogs on ITBusiness.ca Blogs, email nestor at [email protected] and join the ITBusiness.ca Facebook Page.