If you think your employees know the true cost of that stolen laptop or smart phone, you’d better think again.
“Employees don’t think about data in the same way that an IT or security person thinks about it,” said Mark Tauschek, senior research analyst at Info-Tech Research Group. For example, the average user will simply look at the direct cost of a lost laptop – maybe a couple thousand dollars on the high end – instead of the extremely costly or sensitive data it held.
“That is, until somebody makes them aware that the laptop they just lost had 10,000 customer names or social insurance numbers on the hard drive,” he added.
When it comes to mobile devices, the best way to foster well-informed and responsible employees is to spend about an hour educating them, according to the London, Ont.-based mobility consultant. While many companies have begun enacting mobile device acceptable use policies, Tauschek said that those same organizations are not taking the time to explain why the policy is important and how it works.
“If there’s a mobility policy in place at all, most of the training I’ve seen consists of, ‘Here’s the policy, read it and sign it,’” he said.
The right way to do things is to accompany a policy rollout with a brief training session, outlining the main components of the policy and what responsibilities the user will have to be concerned about, Tauschek explained. He added that nothing in the policy should be left to interpretation or chance.
“For instance, if users have their own devices and pick their own plans, you need to clearly tell them how much the company will pay for,” said Tauschek. Also, if a laptop or smart phone is lost or stolen, employees should understand that the faster it is reported to IT, the faster it can be remotely wiped and secured.
Outlining the technical controls that are in place to ensure mobile device security, identifying the elements that fall under the responsibility of the user and clearly laying out the consequences of non-compliance should also be part of any policy rollout, he said.
Tauschek added that a short training session will have virtually no impact on staff productivity and does not come with any direct capital costs.
“For 2009, it’s something that every company should be doing,” he said.
Of course, the only thing more important than emphasizing the consequences of mobile device misuse to your staff is the acceptable use policy itself. With companies increasingly giving mobile or field-based employees direct access to critical corporate apps, existing security, authentication and management infrastructure must be enhanced to ensure mobile devices are managed as effectively as desktop PCs.
But that’s not the case in many enterprises today, according to industry experts. “What we see is an ill-defined policy regarding devices,” said Dan Croft, president and CEO of Lincolnshire, Ill.-based Mission Critical Wireless LLC, a technology services company that specializes in mobile deployments.
Often personal handhelds are granted wireless access, something that would never be allowed with a personal computer, creating security vulnerabilities, manageability challenges and tech support burdens, Croft added.
“IT needs to get control of wireless [mobility] within their company,” he said.
According to Jack Gold, an independent technology analyst based in Northborough, Mass., mobile policy falls into four broad areas: securing and managing every device; managing every connection; protecting every piece of data; and educating every user.
Other guidelines to consider, according to Tauschek, include ensuring all mobile devices are registered with IT, making sure data is protected by strong passwords, and having IT provide centrally managed encryption for mobile devices.
Tauschek said the IT department should put the onus on itself to implement the technical measures that ensure mobile security.
“Anything that can be controlled by IT, within reason, should be,” he said. “That’s not to say that if you don’t have the proper infrastructure in place that you shouldn’t be rolling out a policy though.”
If, for example, centralized data encryption is not in place, IT managers should make sure that users encrypt their own data and are provided with the tools and know-how to do so, Tauschek said.
— With files from IDG News Service