Last week I was one of the speakers at an ISACA Chapter event on mobile computing security. I was thrilled to be invited, not only because Malta, even in April, was always going to be warmer than Scotland, but because this is such an important area for discussion. To have the chance to present my more psychologically based perspective alongside well-respected professionals in the field was a privilege.
I find it hard, after so many years of trying to sell my services as a ‘User-focused Info Sec Specialist’, not to be excited that the growth in the use of mobile devices means that businesses and other organisations must finally confront the fact that not all Information Security can be solved by a combination of:
IT Security + Blame the User
When data leaks because the user fails to follow policy or procedures regarding their device, we should no longer just cast our eyes to heaven and say “What else can we expect from users? After all, they are the weakest link.”
A weakness in any system should prompt us to invest more effort, and even specialist expertise, in addressing it. Just because we are all human, it doesn’t mean we are all experts in dealing with people. If we were, there would be far fewer family arguments for a start!
Mobile computing means that, most of the time, the organisation cannot be sure how securely its staff are using their devices. There is also the tricky possibility that the policies and controls designed to ensure secure working on the move are actually incompatible with the work staff are employed to do. Do you have a way to gather that sort of feedback, and the means to act on it? Is it ever used? If it isn’t, then given that staff will always moan, this indicates that for some reason the channel is not perceived as a useful one. In that case the reason needs to be understood and a solution found. If staff are struggling to work securely, you need to understand why.
Also, and this is a fundamental point that was echoed through a number of the presentations last week, do you fully understand the nature of the risks that mobile working brings to your organisation? Is it the interception of data when staff use open WiFi? Is it the content, or the access to content, that the loss of a device can expose? Is it the potential corruption of data by malware downloaded when a device is shared, for example with a child on a long journey? There is a whole range of risks, but education, guidance and controls can only be targeted once the risks that actually apply to the specific organisation have been identified.
For a long time I have stood in front of a variety of audiences and discussed how managing the user can be sufficiently tricky that getting the insight of a specialist is a sensible investment. The ensuing discussions generally brought enthusiastic agreement, followed by explanations that, while they as Info Sec professionals appreciated my skill-set, their budget holders couldn’t. Sorry, they would have to use their own common sense.
I wonder how organisations deal with a blockage in the toilets? After all, many people can fix minor plumbing problems in their own home. Surely the company could save a fortune by using the skills of its staff to deal with such minor repairs. Am I being flippant? I don’t think so. Organisations, and sadly especially information security budget holders, are being flippant. They continue to resist calling in specialists in the human side of security, the interface between users and controls, because we don’t come in nice shiny boxes (although I could if required, of course) and we do something that they believe they really ought to be able to do without.
Most of all I want to stress that mobile information security management is about understanding risks and devising workable solutions. Neither of these elements is purely technical. Business has to accept that it needs to gain the co-operation of staff to make mobile information security effective, and even, occasionally, be brave enough to get help to do so efficiently and effectively.