We mentioned in our last post that security risks to mobile devices fall generally into three areas: theft, malware, and user behavior.  User behavior should be the easiest security threat to deal with.  Right?  Maybe.  (Don’t you love it when lawyers say that?) 

So, what are users doing (or not doing) that exposes their devices to security threats?  According to the recent McAfee/Carnegie Mellon University study, as reported by CNN (Work-issued mobile devices emerging as key security risk), users are opening themselves up to security breaches, data theft and corruption by:

  • Not backing up data often enough;
  • Keeping sensitive personal information (e.g., passwords, pin codes, and credit card information) as well as work information on their devices; and
  • Mixing the use of their devices between personal as well as professional activities.

This user behavior problem is complicated by the fact that employees often feel very protective of their devices and the information they store on them.  Employees are often reluctant to change their behaviors or give their employers any more control over their devices than they have to.  Haven’t you heard people say, “My whole life is on that phone!”

Despite this reluctance, McAfee recommends that employers look for ways to enable and secure business and employee-owned mobile devices.  At the same time, however, according to David Goldschlag (Infosecurity, Many employees clueless on mobile security policies) it is important to balance “how you use the mobile device and get enough governance over the corporate data on the device,” while still “respect[ing] the privacy of the individual and … the right of the individual to use it for personal use.”  Goldschlag recommends having mobile security policies in place, “but applying them with a nuanced touch.” 

Conceptually, we like that idea, but what does “nuanced” mean in practical terms?  We think it comes back to these best practices: first, recognize that security threats to mobile devices are a real problem and don’t simply ignore the issue.  Second, put in place reasonable and appropriate policies to address security threats to mobile devices.  Third, follow up on the policy by educating and training employees on what mobile security risks are out there, what steps they can take to prevent security breaches, and how to deal with breaches when they do occur.

Talk to employees about what might happen to all that data, personal and business, if they don’t implement some level of security.  The device does not need to be stolen or lost for information to be altered or lost: a three-year-old child can easily wreak havoc on your mobile device if given a chance, and can do it in an amazingly short amount of time.  (Luckily, neither of our three-year-olds has done this, because we both have our mobile devices secured with passwords.  Little kids have an uncanny ability to navigate technology even when they don’t really know what it’s for!)

In the end, we agree with Goldschlag that “users have a responsibility to their employer to protect corporate data, and … be an active partner in that process.”  Importantly, employees should want to be a partner in that protection, considering the amount of personal data that is likely stored on their devices.  If the employee is not part of the process, your chances of success will be greatly diminished.  How do you engage your employees to be part of the solution?