Mobile security: the right way and the wrong way
Should users be pushed or pampered?
Mobile workshop The team here at Freeform Dynamics has reviewed a lot of projects and gathered a lot of feedback from organisations implementing mobile technology over the years. One of the things we hit on in a report we put together earlier this year was how importance it is to engage and train users to minimise mobility related security risks in the right way.
The "human factor" is, in fact, important to get your head around in across the mobile space, and there's a general consensus among those with more experience of mobile working projects that you ignore this at your cost. The message we hear time and time again is that you need user input when specifying solutions to ensure that devices and applications are fit for purpose and will actually be used as intended to deliver the result you are looking for. You also need users to cooperate in terms of behaviour and practices to keep both risks and cost under control.
One Reg reader, Brett, summed up a lot of what we would regard as best practice in relation to user involvement in a recent mobile workshop post. Here is an extract from what he said:
"I treat our user community as adults. That means that I (as CIO) discuss their needs with them, listen carefully to what they want and what their issues are, then provide a list of solutions that covers their needs. Things like security, confidentiality, improper use of corporate assets - these are open and thoroughly explored, with feedback from the users individually as well as a community incorporated into our mobile technology planning. And it has paid off handsomely for us: our users understand the fundamental issues we're addressing from the company standpoint and have been remarkably resistant to misuse of corporate resources - mainly because we insure that the company takes care of their personal needs as well. We have a consistent set of policies that cover ALL aspects of personal communications, most of which reflects the user's requirements as well as the common corporate goals."
You can read the rest of Brett's post here, along with some other very good feedback from readers.
But does all this just amount to "pampering" users unnecessarily?
Well, some might think so and advocate a more dictatorial approach by the IT department in which users "get what they are given". Others might like the idea of a collaborative approach, but just think it is impractical in their environment, which is fair enough - Brett, after all, works in a relatively small company, and at the other extreme, getting sensible input from a user base of hundreds or thousands can be a challenge.
Whatever you view of what's desirable or possible, though, we appreciate hearing it, so if you have a minute, why not let us know what you think in our latest poll below:
Sponsored: The Nuts and Bolts of Ransomware in 2016