Security Awareness Education for the Mobile Workforce
We live in an age of high mobility. Mobile devices let us be productive while on the go. However, all this convenience and flexibility comes at enormous risk. Critical data can be exposed depending on where and how users use their devices. Mobile device use has become the weakest link in a firm's data security.
While firms are scrambling to do everything they can to secure mobile devices, low security awareness among users continues to be one of the biggest barriers to establishing effective security. Security starts with your personnel.
However, mobile users need to know what to do, and unfortunately users lose interest in badly done or repetitive training programs with stale information. How do you effectively and continually educate your mobile users without losing their interest? How do you convince users that security benefits them as well as the firm?
There is no single way to build a security awareness program as each firm has different needs, but the following ideas can help build an effective security awareness program that empowers users:
The best approach is to not view mobile users as the problem, but to treat them as the solution. Mobile users can be your firm's first and best defense. Empowering and educating mobile users to recognize and react to high-risk or suspicious activities not only empowers them, it effectively puts more eyes and ears on your security.
Communications with mobile users should go two ways. A firm can simply dictate what users can and cannot do, but given the opportunity, users can provide valuable feedback on existing issues and potential problems that leads to improvements. Encourage users to communicate with your security group.
Don't just say no. You must provide workarounds. Telling users to never click on links in suspicious emails is not enough. Users need to understand the issue and have alternatives.
Provide routine and varied touch points to communicate issues to mobile users. Repetition is the key to success, but the information cannot just be sent over and over. Use variety and creativity to develop and deliver communications with mobile users.
Don't confuse security awareness with security training. Good security awareness is a state of being. Users ARE aware and know what to do because of educational efforts. Training is a means, not an end.
Where possible, make training participatory. Face-to-face training allows users to ask questions and participate. While video-based training can be effective, it can get out of date quickly and often precludes good user feedback.
Ask for ideas. Encourage user feedback.
Make awareness relevant for the user. For most people, security is not just a work issue; it is a personal one too. Issues that impact work systems can also affect a user's personal devices. Show how work-related security issues may also affect users personally.
Keep it up to date. A security awareness program with out of date content is a waste of everyone's time.
Measure it. If you can't measure it, you can't manage it. Keep track of metrics about your awareness program so improvements or deficiencies can be identified.
There are many specific things every mobile user should know. The following are some suggested best practices for mobile users:
Protect Yourself
Secure personal information—Not only can the firm lose critical data, but users stand to lose personal information too. Social Security numbers, passwords, bank accounts, and more can be put at risk. Users need to be just as cautious about their personal information and thoughtful about where it gets used.
Encrypt—Encrypt mobile data. Laptops, tablets and phones should all have their encryption features enabled. This makes it very difficult for data to be recovered by unauthorized users.
Don't respond to messages (text, voicemail, email, etc.) from unknown parties. Users should treat such messages and their content with great caution. Users should not open links to websites or attached files.
Back it up—Routinely back up user mobile devices and their critical data; if possible, keep a second and different form of backup in case the first backup fails.
Be cautious letting others borrow mobile devices. Users should keep their mobile devices out of the hands of others. When a device is out of their control, changes can quickly be made to the device without their knowledge.
Choose to use geolocation. Many online services now offer geolocation services. This service tracks the user's location and alerts them when their username has been used at a new location or on a new network. This is a helpful way to be alerted to unauthorized access.
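To make the alerting behaviour described above concrete, here is an added example (not code from the original article or from any particular online service) of the per-user "new location or new network" check such a service performs. The log format, field names and login events are constructed sample data; a real service would derive city and network from the client IP address.

```python
"""Flag account use from a previously unseen location or network, per user.

Added illustration of the alerting the article describes. All log lines,
field names and values below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class LoginEvent:
    user: str
    city: str      # coarse geolocation derived from the client IP (assumed)
    network: str   # network identifier, e.g. an ASN or ISP name (assumed)


def parse_line(line):
    """Parse a constructed 'timestamp key=value ...' log line into a LoginEvent."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return LoginEvent(fields["user"], fields["city"], fields["network"])


@dataclass
class NewLocationDetector:
    # Per-user history of cities and networks seen so far (the baseline).
    seen_cities: dict = field(default_factory=dict)
    seen_networks: dict = field(default_factory=dict)

    def process(self, ev):
        """Return alert strings for this event, then add it to the baseline.

        The first event ever seen for a user only establishes the baseline
        and raises no alert; later events are compared against it.
        """
        alerts = []
        cities = self.seen_cities.setdefault(ev.user, set())
        nets = self.seen_networks.setdefault(ev.user, set())
        if cities and ev.city not in cities:
            alerts.append(f"{ev.user}: new location {ev.city}")
        if nets and ev.network not in nets:
            alerts.append(f"{ev.user}: new network {ev.network}")
        cities.add(ev.city)
        nets.add(ev.network)
        return alerts


# Constructed sample log: alice's usual pattern, then a new network,
# then a new city on an unfamiliar network; bob is seen for the first time.
SAMPLE_LOG = [
    "2017-03-01T08:00:00Z user=alice city=Chicago network=AS-HomeISP",
    "2017-03-01T12:30:00Z user=alice city=Chicago network=AS-HomeISP",
    "2017-03-02T09:10:00Z user=alice city=Chicago network=AS-CorpWifi",
    "2017-03-02T09:12:00Z user=alice city=Lagos network=AS-UnknownHost",
    "2017-03-02T10:00:00Z user=bob city=Denver network=AS-HomeISP",
]


def run_detector(lines):
    """Run the detector over log lines and return every alert in order."""
    detector = NewLocationDetector()
    alerts = []
    for line in lines:
        alerts.extend(detector.process(parse_line(line)))
    return alerts


if __name__ == "__main__":
    for alert in run_detector(SAMPLE_LOG):
        print(alert)
```

The design point worth noting is the baseline: a user's very first login cannot be "new", so the detector stays silent until it has something to compare against, which is also why such alerts become more useful the longer a user has been enrolled.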
Connect with Care—Disconnect when Possible
Don't Connect—when in doubt, DON'T CONNECT to public Wi-Fi or Bluetooth networks. Limit what gets done on public Wi-Fi networks.
Disable Bluetooth when not in use—a Bluetooth connection is an open invitation to attack a mobile device. Teach users to disable it when not in use.
Routinely delete old Wi-Fi networks no longer in use.
Cellular networks can also run the same risk as a Wi-Fi network. Malicious actors can even set up their own cell towers to intercept traffic from a user's smart phone. Cell phones are set to lock onto the closest cell tower. When roaming in a strange new land, how do you know that the service you're using is legitimate? It can be hard to tell. Typically, lower connection speed is the only indication that a device has locked onto a faux tower. When traveling in a foreign country, turn mobile devices off when not in use and remove the battery if possible.
Hide! Make yourself as invisible as possible:
Use a personal firewall—Personal firewalls are simple, unobtrusive, and inexpensive, and they provide a good baseline for securing a mobile user.
Use a disguised carrying case—put laptops or other mobile gear in non-standard bags, like a gym bag. If it doesn't look like a laptop in that bag, then a thief may move on to more interesting territory.
Most portable technology today has a microphone and even a camera. It sounds paranoid, but eavesdropping is a very real possibility. At a minimum, consider turning off mobile devices and removing the battery in confidential meetings to prevent any possible eavesdropping.
Okay, maybe stay a little visible—inevitably a user's data-carrying technology will get lost or left behind. Make sure to enable any "find me" feature on the user's mobile technology so there is a chance to recover a lost device. If it cannot be recovered, many devices now have a "remote wipe" feature that erases the device's data.
Keep it clean and simple.
Remove applications that are no longer in use.
An easy security measure to take is to minimize. If users don't need it—they shouldn't bring it. Consider traveling with fewer devices, less capable technology, or even perhaps throw-away technology with no data storage capability.
A new best practice is to sanitize mobile devices before and after a trip. Securely formatting and reinstalling ensures any technology is as secure as can be when starting a trip. Sanitizing devices after a trip ensures any security issues collected during the trip are gone.
Mundane, but important—These suggestions are basic, but important to remember:
Use a screen saver with a password—everyone walks away from their computer. A screen saver password does not provide perfect security, but it is a basic measure that helps keep away unwanted eyes when you forget to log off.
Log off the computer—log off a mobile device when you are finished using it. This simple act is often forgotten.
Set a strong password and where possible use two-factor authentication (this requires two separate ways to identify a user, like a password plus a question) or biometrics (fingerprint, facial recognition, etc.) to unlock mobile devices.
Stay up to date—keep user mobile devices and apps up to date. Developers routinely provide critical security updates.
Use antivirus software—AV not only protects the user, but also any network the user attaches to (work, home, clients). To be useful, AV software needs to be routinely updated and local drives scanned.
Mobile users are at the forefront of today's security issues. They take data outside the firm, and keeping their devices secure is of paramount importance. The best defense is not just technology; it is the people interacting with technology and making decisions. It is the goal of any security awareness program to keep these mobile users not only safe, but educated.
_____
Originally published in the online Thomson Reuters publication Practice Innovations on March 2017.