Many business managers dread those spirited discussions with IT about security procedures for mobile employees. They're often caught between users who just want to get to data and get on with their lives, and IT staff who want to restrict access to data. It is possible, however, to create a more secure environment without enduring major wailing or the gnashing of teeth.
Managers have to be more active in planning from the early stages. "Most line-of-business managers typically turn it over to IT to set security policy and install appropriate products," states Todd Christy, CTO of Pyxis Mobile, which markets mobile applications to the financial services industry. The problem arises when managers then avoid any further involvement in the process.
Jon Gossels, president of network security services consulting firm SystemExperts, observes that, "When IT tries to lead these projects, you get policies that don't help businesses. They're seen as work-prevention policies. It's better if managers and IT work together to define needs because security policies have to be driven by business needs."
Fortunately, change is coming. "We're seeing line of business getting more involved," remarks Christy. "They're actively reviewing mobile applications to assess things such as encryption models, are the security features government certified, and how were vendors' security audits done. They're also asking IT or outside firms to do 'white hat hacking' and security reviews."
Robert Smallback, Jr., senior information systems manager for the Lee County Port Authority in Florida, reports that they use security analysts from Cisco, SBC and Siemens to perform hacking drills once or twice a year. "I vary the firms doing the security tests to keep the tests pure of preconceived concepts. We implement their suggested fixes to our vulnerabilities."
Moderation is key, though. Organizations don't want tech requirements developed primarily by business managers, because these can be impossible to meet. Someone might demand, for example, that "all this data needs to be encrypted." But when IT follows that directive to the letter, workers in the field discover the software does not work properly. Or they cannot get to the application because the encryption is too hard to understand.
Working with the Rank and File
Managers also have to work with their employees, because that is ultimately where most security policies succeed or fail. Dick Mackey, a principal with SystemExperts, sees organizations increasing adherence to security policies by educating mobile device users on what the threats are and how to get work done while still protecting data and adhering to policy.
"You need to be sure that concepts taught are also reinforced," Mackey says. "It's one thing to check a box that says Bob was trained. But it's another to have a program to ensure that Bob continues to remember." Make sure that he has seen posters that tell people what a strong password is and how to choose a good one, or how to take care of handhelds. It's a marketing program within the organization, similar to posters used during World War II--"Loose lips sink ships."
The University of Utah Health Center uses AirDefense software to ensure security for medical staff who travel to various clinics or work from home. Intranet content trains employees on security policies, which is effective since people are used to getting training here for many aspects of their jobs.
"We also hold leadership institutes for business managers three or four times a year and security is part of these," states Bo Mendenhall, Chief Information Security Architect for the Center. "We've come up with FAQ documents that provide details on policies such as, 'How do I secure my home network? What should I look out for when I log on from Starbucks or the airport?' It's breaking down what I consider common knowledge into terms that average end users can better understand."
It's important to use this education process to also gather feedback that enables managers to direct IT on how to put technology processes in place to reinforce that learning. For example, display posters that inform users what a good password is, and then have IT configure systems to regularly require users to change and encrypt their passwords.
Managers need to have users define minimal amounts of data that need to be on devices at any given time. The most typical data breach is someone losing a laptop. Christy says that his company's software puts very little data on the device, since most of the data access is done in real time. "If the device is lost, you can kill data. But even if the device doesn't try to connect to the server, there is such a small amount of information on there that very little is at risk."
When Stuff Hits the Fan
Aside from hoping they get a chance to delete whatever happens to be on a lost or stolen device, the best thing managers can do to enforce procedures in the future is get to the heart of why something went wrong. According to Christy, you need to assess the nature of the breach. "Was there a clear malicious attempt to steal the device, or is it just lost? Understand where the gaps are in security. Is it in poor training or user resistance to following policy?" Gossels concurs. "Sometimes a breach is a good chance [for managers] to look critically at their operations to see if there should be changes. Knowing the motive behind this breach is key to understanding if the policy was sensible in the first place. A lot of times, people are subverting security because they're just trying to get their jobs done."
The worst thing you can do is overreact. "A lot of security consultants scare the crap out of people," says Bill Brook, director of IT at Children's Memorial Hospital in Chicago. "Sure, if you do things wrong, security breaches will happen. But really, how often is that going to happen? Worry enough--lock your door, set the alarm. But you don't need barbed wire and machine gun turrets."
Craig Settles is president of the Bay Area consultancy Successful.com.