Security Awareness Blog

Security Awareness Top Ten Topics - #8 Mobile Devices

This post is the eighth in a series of what I consider the top ten topics for any security awareness program. Selecting the right topics with the greatest value for your organization is key to a successful program. This series is not designed to tell you what your awareness program must have; instead, these posts are designed to give you recommendations, a place to start. For the eighth topic I like to focus on mobile devices. This category is proving to be one of the most challenging for organizations. The problem with these devices is that not only do they have the power and functionality of a computer, but they are much simpler to lose. In addition, many organizations now allow employees to use their personal mobile devices for work. Finally, these technologies are changing so fast that they have become almost a moving target for policies and controls. So where should an organization start?

  • The first step is to define what mobile devices are in your organization (tablets, smartphones, MP3 players, and so on). One idea is to define them as the devices that have capabilities similar to computers, such as the ability to download and install apps or connect to a network. Then decide if personal mobile devices can be used for work, and what your organization's definition of a personal device is. I have found organizations to have very different definitions and policies on personal devices; it can often be one of the toughest decisions an organization has to make. If you allow personal devices, you may want to ensure you can enforce the controls I recommend below. However, the key point for your awareness program is to make sure you clearly communicate what your organization's definitions and policies on mobile devices are.
  • The second point I like to focus on is to treat these devices just like you would a computer. In other words, make sure both the operating system and apps are always current, and that a firewall and anti-virus are enabled (if that is an option). In addition, just like on your computer, you want to ensure end users install apps only from trusted sources, and only those they need.
  • Finally, mobile devices are very easy to lose. I've lost at least one mobile phone myself. With lost devices a tremendous amount of confidential data can be compromised. Recommend strong PINs/passphrases to protect access and potentially require employees to encrypt mobile devices. Also, you may want to consider remote wiping for lost devices. If employees are using personal devices, make sure they know and understand that their personal device may be wiped if it is lost and has work-related information on it.

3 Comments

Posted December 29, 2010 at 8:59 PM

HJohn

I think part of the problem is an improper rewards system.
The person who doesn't take the time to encrypt or who will put anything on their mobile device to take home and get more done usually has the higher throughput. Provided nothing happens, or at least nothing that management finds out about, it makes them look better than the person who takes the time to encrypt and won't take some work home because they understand the data is just too sensitive to transport.
To be sure, this improper rewards system is not deliberate, but real nonetheless.

Posted December 30, 2010 at 9:44 AM

lspitzner

Actually, this is a really good point I never thought of. By using personal devices for work, people are potentially more efficient (they know the device better, they add their own apps that improve productivity, they have it with them more); as a result they get more done and are more valuable to the organization. The best approach to this I can think of is implementing security controls that reduce risk but do not reduce or impede productivity. Then again, that is the challenge just about any security control faces, just more challenging when dealing directly with the human factor.

Posted December 30, 2010 at 2:01 PM

HJohn

Totally agree with you. Security is an important consideration, but not the only one. Whether or not a risk is worth taking is largely a matter of circumstance: some data is more sensitive than others, how much can be done away from the office, are alternatives feasible, etc.
It's a case where awareness and enforcement may be the best controls, if the cost is too high. I believe an improper rewards system is a problem, but that is not to say that increased productivity isn't a benefit. The problem is in the incorrect balance and lacking education.
It's worth noting that earlier this year, the Department of Defense (DoD) lifted its 2008 ban on USB drives. Navy Department Chief Information Officer Robert Carey had some good comments regarding their use and versatility, and how the ban took away too much functionality.
See http://gcn.com/articles/2010/02/18/dod-lifts-usb-drive-ban.aspx
As always, great post!