Access to email, data and applications, regardless of someone’s physical location or device used, has become a business imperative. In fact, the truth of the matter is that employee productivity, customer satisfaction and competitive advantage all depend on adopting mobile working practices. But it comes at a price, and how big a price is down to you.

In the past, IT departments have been reluctant to deploy mobile solutions for fear of the increased risks posed to information security. All too often devices were lost, or stolen, exposing the vulnerable data contained on the device itself. Instead of the benefits these flexible practices could introduce, the mobile device became a weapon of mass destruction turned against the corporate defences of the organisation.

But while in the past saying no to users may have been an option, with today’s modern working practices it’s just unrealistic. This isn’t just in terms of restricting an organisation’s ability to function and therefore hindering its competitiveness, but also from the consumerisation of IT.

With the price of technology affordable for the majority, many users are not only happy but willing to invest and use their own devices if it makes their life easier.

Instead of trying to block mobile devices, effective IT departments need to engage more collaboratively with their users to embrace new technologies safely. Open communication, with the recognition that technical controls alone are not a failsafe mechanism to prevent failures in information security, is the key.

The implementation of workable security controls, that balance the needs of users against the real risks facing the organisation, is the only way forward.

There are three primary elements to this.

1. The human dimension
The first line of defence for improving mobile security is your users. The main point to get them to understand and accept is why what they are doing poses a security risk to the organisation. Only once they fully comprehend the reasons for restrictions will you gain their support.
Users won’t remember what they read when they first joined the company. And, actually, policies and practices need to be regularly revisited and changed over time to reflect both advancements in technology and also differences in the risks the organisation faces. To address the human dimension you need to:

  • Create, and regularly re-visit, your home and mobile working policy, making sure each key point is explained in simple language with no room for interpretation
  • Focus your users’ attention by emphasising the consequences of non-adherence. Keep these personal, instant and non-negotiable
  • Introduce random testing to reveal gaps in understanding.

2. The technology dimension
Introducing mobile connectivity is renowned for increasing helpdesk support. Although logical, it is often forgotten that the more complex the security access solution is, the more difficult it is for users, and therefore the amount of support needed will increase. Instead, organisations need to keep three things in mind:

  • Choose a solution that provides seamless interaction, with data and applications, no matter where people are or what device they use
  • Limit user access in relation to the requirements of their role balanced against the risks posed by their location or device
  • Communicate why these restrictions are necessary, especially at the point of use, so users understand why they can’t do something and won’t try to circumnavigate them.

3. The final dimension
This relates to flexibility. In an ideal world you may choose to prevent or restrict unauthorised use of peripheral devices on corporate computers. However, now or in the future, these devices could be deemed a necessary business tool.

Going back to our previous point of denial not always being an effective solution, instead you need to devise methods that accommodate these necessary deviations:

  • Encourage users to discuss the tools they need so you know what is out there
  • Track and report on data movements and have a mechanism to obliterate content from lost or stolen devices
  • Communicate the benefits of early reporting so users are not afraid to report losses immediately.

By developing mobile security initiatives with reference to corporate risk objectives that are important to end users, your IT department shares the responsibility with business managers and staff. The expectation is that everyone helps to mitigate risk proportionately rather than completely avoid it.

Grant Taylor, VP of Cryptzone UK.