Michael Lawrence, head of enablers, Orange Business Services
Security should no longer be a barrier to the adoption of mobile technologies, but it can still be a serious threat if organisations do not manage the human and technological elements effectively. Research shows that it is the users themselves that most open up organisations to security risks. Smartphones and powerful PDAs tend not to be treated with the same respect as a laptop, but they now hold similar amounts of sensitive corporate information.
However, there are some simple processes which can be put in place to ensure that workers across an organisation take precautions when out of the office and that information being sent and received is protected.
- Establish a policy that fits solutions to user and business needs - Ensure that security solutions can be adapted to fit the requirements of both the organisation as well as the individual needs of users. It is important that this is discussed at a business rather than technical level.
- Consult, do not prescribe - Every user should understand the company policy, highlighting best practices and etiquette that users can buy into. All employees should be informed and updated on mobile policy and given a simple and straightforward route for getting support.
- Evolve - Policy and processes need to adapt to changing technology, threats and usage patterns of mobile working.
- Top down - Do not make exceptions for senior or more experienced staff.
- Enforce - Policies must have teeth to be effective, and there are times when rules must be enforced.
- Simple support - Provide users with a straightforward route to getting support and advice; one number to call, one website to visit, or one email address.
- Support policy and processes with technology - Not, as is often the case, the other way round.
- Everyone is responsible - Encourage accountability, and this should be led from the top down.
- Get perspective - Not everyone is going to toe the line, so put in place a safety net of measures to deal with the most likely eventualities.
Big Ixie is right. If the users don't have the capacity to understand it will never work. People will always try to make the system fit to them. I use passwords with sequential numbers on the end. It's wrong, I know that, but the system accepts it and it's easy to remember. Synchronising those passwords across 6 systems is hard at the beginning of each month but I do it to make life easy.
How many times have you asked for a user ID over the phone and been told the ID and password? It's a massive change in the way people think. Currently they don't really understand the difference between them, or do I need to ask the question differently?
So education alone won't work. You need to make it very, very easy and very much in the users' interest to be secure. That is the challenge. The biggest challenge facing computer security today. If anyone knows the answer please post.
Management is the weakest link
You can have all the procedures you want, you can educate all you want, you will never avoid the day someone at a higher level than you comes in and says "I need this" in complete violation of standards that he might have suggested himself.
I agree with all the points that the article makes, and I mostly agree with the comments that have been made as well.
But what you really need to plan for is what you will do when said manager's laptop comes back from home full of viruses, smutware and other threats, and gets logged back on to your network.
And your plan needs to answer one single question: will you lock out his access until he has asked you to purge the stuff, or will you shut your mouth and deal with the hundreds of infections that will inevitably follow?
In one case, you might well get fired if the offender is high up enough (some people simply cannot be blamed for anything). In the other, you might not get fired, but you'll certainly rack up overtime in an impressive way.
All other contingencies are Nice To Have, but ultimately it all boils down to whether or not you are powerful enough in your company to keep your network safe.
If that is not the case, a speedy exit strategy is a must.
One Password to rule them all.
Do have ONE password that does everything, that way people have a "trained dog's" chance of remembering it (even a strong one). Manage changes centrally. Discard systems that can't fit in.
Do NOT have different passwords for: Desk Phone Voicemail, Mobile Phone, Blackberry, Laptop PC, Desktop PC, the other Desktop PC, each of the three different terminal services accessed from those desktops, one for the travel booking system, one for the timesheet entry system, one for the timesheet approvals system, two for the personnel appraisal system, etc... Do NOT manage changes on a per service basis with different renewal intervals.