Corporate culture and mobile email

Mobile Security Poll

Mobile Workshop

The majority of people would appear to be prepared to trust a well-dressed stranger. Research has shown that if you stand outside a railway station in a suit you are more likely to be loaned some cash for a ticket than if you're wearing something less sartorial, a hoody for example.

But how do you establish trust when you can't use your senses, and you are considering someone based solely on their presence? eBay is possibly the biggest social experiment in this regard: there are sanctions for bad behaviour, but the system relies heavily on the naming and shaming potential of a bad rating.

If you spoke to people they would probably agree that they don't want to get ripped off, but would say that they are prepared to tolerate some degree of risk in this regard for the return they get from a working social system. eBay is easy to use, blogs and social sites like MySpace are a method of self-expression, and it seems that many of us desire to put ourselves out there in the new Internet age. Some people are naïve: giving out your credit card details on a train is pretty daft, but many people do it.

It's clear from the feedback on our articles on mobile email that this culture is at odds with the discipline that is required for rigorous protection of corporate information; and if you overlay poor corporate culture on top of this you are creating an environment that is almost guaranteed to compromise sensitive information and fall foul of compliance legislation.

In the mini-survey we asked questions about attitudes to mobile email, and over 60 per cent of you said that it creates a business advantage, with a further 20 per cent unsure, but presumably prepared to be convinced. Mobile is also being used for more than just voice, reflecting its adoption for remote access to corporate applications. Despite being a late entry to the push email market, Microsoft matched RIM as a strategic mobile email platform. This goes to further emphasise the point we made in previous articles that mobile email is here to stay, and that RIM and Microsoft are in the driving seat.

Although we write about IT, many of the people responding quite rightly concentrate on the softer issues of corporate culture and staff behaviour. The regular tests around the Infosec show reveal how easy it is to socially engineer sensitive information out of people. In San Francisco, jaded bank workers were happy to give out login credentials when offered a free latte.

Effective management of personal storage devices is therefore a mixture of physical and electronic security. IT can put in place mechanisms that encrypt data, manage configuration and policies from the centre, and facilitate the replacement of lost devices. Service providers can offer these capabilities as part of a product package to smaller businesses that don't have the resources to do it themselves. Many of these features exist now on the BlackBerry, and are no doubt coming from Microsoft and the developer community on the Windows Mobile platform.

Creating an effective security culture is another matter altogether. In the Infosec example, people are usually genuinely surprised when it is pointed out to them how they have parted with sufficient information for identity theft, so there's clearly a willingness to listen. Information security represents a unique opportunity for IT and HR to work together on fun, but valuable, user education on the ways that sensitive information is gathered both from businesses and consumers. Entertaining and informative courses could therefore be offered that provide value to the business and the employee, and these can be linked in to training on the new mobile email toys that are being handed out.

We'd like to ask you therefore about your company's policy for technical and social education on mobile device security.®

This survey is now closed.

How would you rate your employees' attitude towards mobile data security?

Good - employees want to do the right thing to protect data
Average/variable - some will try, but the level of cooperation is inconsistent
Poor - most employees really don't care
No single platform (mixed strategy)
Undecided - the jury is still out
No firm plans to adopt anything

Do you have a standard mobile email device that is issued by IT?

Yes
No

How do you train people to use their mobile email?

Classroom training
One on one training
Written policies and guidelines
Ad hoc, DIY
We don't

How is your policy on protection of company data documented?

Confidentiality as part of terms of employment
Written policies or standard operating procedures
Both of the above
Neither of the above - we rely on people being sensible

Do you offer any training or guidance on avoiding identity and data theft?

Yes - company data only
Yes - company data and personal data
No

Approximately how large is your organisation (worldwide) in terms of employees?

Less than 10 employees
10 to 49 employees
50 to 249 employees
250 to 4,999 employees
5,000 to 24,999 employees
More than 25,000 employees
Unsure / N/A
