If users are a security threat, how do you manage them?
Your problems answered by the experts
Mobile Clinic In our final mobile clinic, The Register's resident experts return to provide their opinions on the questions you've raised.
Question 1: "Argggghhhh. [My biggest problem is] managing the users who keep losing their damned handsets packed full of sensitive email addresses, emails etc. We talk a lot about technology, but aren't the users often the weakest link? What tips do the experts have for dealing with this?"
David Tebbutt, Freeform Dynamics
The reader who raised the above question is absolutely right: once the proper technical measures are in place, security is absolutely a human issue.
But it's no good fighting it. You have to recognise that handhelds will be lost, stolen or broken and plan accordingly.
Let's say that everything on the handheld is encrypted, periodically (and securely) synchronised and corporate access blocked without either the correct credentials or following notification of loss by the user, then all should be well.
But, for it to be well, you need to be sure that the user hasn't taped the password inside the battery cover or disabled the password altogether in order to make life easy for themselves. Freeform Dynamics' research shows that security awareness among users is low to non-existent in 80 per cent of organisations.
How can you raise awareness? Through education. It's no good documenting security policies or usage guidelines without drawing the users' attention to them in a meaningful way. Like, "IT has done all it can to protect you, now it's down to you to protect yourself and the company". I'd be tempted to add an "or else", but that would probably be counterproductive. However, they do need to understand very clearly that a handheld device is potentially a doorway to the organisation's secrets.
They wouldn't leave the office front door open at night. Or, worse, leave the safe open. Why on earth should they make their handhelds an even more dangerous equivalent?
The danger for most IT folk lies in their "but this is obvious" thinking. It isn't. Not to the average user. They'll happily chirp away on the mobile - on a train, for example. We've heard people giving their credit card details on a crowded train. Or they are very likely to leave their Bluetooth in discover mode or their Wi-Fi open.
It wouldn't occur to them that they are exposing their company to an unacceptable risk. They think largely in terms of their own convenience and the value the device brings to them. They want the rights and benefits, but are unaware of the responsibilities that accompany them.
So, we say, get a training programme in place. Either guidelines for small workshops or something more formal on a grander scale. It would be wonderful if a company like Video Arts brought its talents to bear.
The films are usually enjoyable as well as slamming home important messages in a memorable way. The trick is not to weigh the user down with masses of information but simply to get the risk message into their heads and identify the basic measures they should take to protect the company and, in so doing, themselves.
A final and invaluable step is to give them somewhere to go for help and advice. Somewhere on the intranet perhaps, or even a small help file in the device itself. And have an emergency support number to catch them when all else fails.
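One way to model the control Tebbutt sketches above (encrypted handset, periodic sync, corporate access refused without valid credentials or once the user has reported a loss), as an added Python example that is not part of the article or of Freeform Dynamics' research. The MobileAccessGate class, device ids and credentials are constructed for illustration, and the loss report is checked before the credential so that a password taped inside the battery cover no longer opens the door.

```python
import hashlib
import hmac
from dataclasses import dataclass

ACTIVE, REPORTED_LOST, WIPED = "active", "reported_lost", "wiped"

def _digest(credential: str) -> bytes:
    # Simplification for the example; a real deployment would use a salted KDF.
    return hashlib.sha256(credential.encode()).digest()

@dataclass
class Device:
    owner: str
    credential_hash: bytes
    state: str = ACTIVE
    pending_wipe: bool = False

class MobileAccessGate:
    """Hypothetical server-side gate in front of corporate mail/sync for handhelds."""

    def __init__(self) -> None:
        self.devices: dict[str, Device] = {}

    def enrol(self, device_id: str, owner: str, credential: str) -> None:
        self.devices[device_id] = Device(owner, _digest(credential))

    def report_lost(self, device_id: str) -> None:
        # The user's loss notification fails the device closed and queues a wipe
        # for its next check-in, whatever credential it presents from now on.
        dev = self.devices[device_id]
        dev.state, dev.pending_wipe = REPORTED_LOST, True

    def authorise(self, device_id: str, credential: str) -> tuple[bool, str]:
        dev = self.devices.get(device_id)
        if dev is None:
            return False, "unknown device"
        if dev.state != ACTIVE:  # checked before the credential on purpose
            return False, f"device {dev.state}"
        if not hmac.compare_digest(_digest(credential), dev.credential_hash):
            return False, "bad credential"
        return True, "ok"

    def sync(self, device_id: str, credential: str) -> str:
        """Periodic sync: a handset with a wipe queued gets WIPE instead of data."""
        dev = self.devices.get(device_id)
        if dev is not None and dev.pending_wipe:
            dev.state, dev.pending_wipe = WIPED, False
            return "WIPE"
        ok, _reason = self.authorise(device_id, credential)
        return "DATA" if ok else "DENY"
```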
Michael Lawrence, head of enablers, Orange Business Services
Security should no longer be a barrier to the adoption of mobile technologies, but it can still be a serious threat if organisations do not manage the human and technological elements effectively. Research shows that it is the users themselves that most open up organisations to security risks. Smartphones and powerful PDAs tend not to be treated with the same respect as a laptop, but they now hold similar amounts of sensitive corporate information.
However, there are some simple processes which can be put in place to ensure workers across an organisation are taking precautions when out of the office and information being sent and received is protected.
- Establish a policy that fits solutions to user and business needs - Ensure that security solutions can be adapted to fit the requirements of both the organisation as well as the individual needs of users. It is important that this is discussed at a business rather than technical level.
- Consult, do not prescribe - Every user should understand the company policy, highlighting best practices and etiquette that users can buy into. All employees should be informed and updated on mobile policy and given a simple and straightforward route for getting support.
- Evolve - Policy and processes need to adapt to changing technology, threats and usage patterns of mobile working.
- Top down - Do not make exceptions for senior or more experienced staff.
- Enforce - Policies must have teeth to be effective, and there are times when rules must be enforced.
- Simple support - Provide users with a straightforward route to getting support and advice; one number to call, one website to visit, or one email address.
- Support policy and processes with technology - Not, as is often the case, the other way round.
- Everyone is responsible - Encourage accountability, and this should be led from the top down.
- Get perspective - Not everyone is going to toe the line, so put in place a safety net of measures to deal with the most likely eventualities.
Ed Moore, OpenWeb product manager, Openwave Europe
Educating and managing are very different things; one implies awareness while the other restrictions. If you do one then you may not require the other, but I can see a combination of the two working best.
Let’s start at the big picture for education and work inwards to specific points. I’d start with managing expectations and this should start well before an employee joins the company ideally. If you want to stay in control then be very clear about what is to be expected. If company policy states one mobile network and one make of handset which can only be changed after 24 months then say so.
Also say why, especially if it’s an argument that’s not factually based; ‘data security’ is good, ‘budget controls’ is also pretty good but I consider ‘compatibility’ to be less so as it opens up arguments which can be hard to win.
If your policy is to allow everything but a user is on their own in terms of support, that can also be a fine policy – if you have the power to stand up for it. Many a time I’ve seen a rogue user sheepishly approach a help desk for support even though they purchased a totally unsupportable piece of experimental kit. If you can’t say no at this point then you’re in trouble.
After awareness you should go for generic education and this should be a mixture of technical and behavioural; don’t leave your handset on view, use a headset in the car, backup your contacts, unplug your adaptor when not in use.
Make people aware of dangers; don’t leave Bluetooth enabled as your handset files can be read by someone else, put on passwords and lock the screen when idle, clear out sent messages from the Outbox. Such rules should be made into a user guide and ideally a training course; you then have everyone sign that they’ve understood it. At least it’ll get some attention that way.
What to do about specific device handset support and education? My recommendation would be to make a simple website and get users to visit it from their phone browser. It’ll force everyone to get that far and also gives you the User Agent. You can use this to show help tips for the particular device, which makes it far more relevant.
With management, it is hard to decide on the correct level to apply. If you’ve been very restrictive in handset and network choice you can feasibly add in management controls, but otherwise it’s very hard. Device management packages and auditing controls do exist but you’re really specifying smartphones to do this, which makes the potential security issues that much greater. So are you better off?
The one I would recommend if you can get it through HR is to enable the potential for automatic handset tracking. In this way there’s a real opportunity to get a handset back if it’s stolen, but it also serves to strengthen the perception of control. Simply knowing that a handset can be interrogated could serve as an efficient brake on user behaviour on a range of issues. ®