Convenience or Security?
Convenience or Security? It’s a dilemma encountered by IT professionals every day.
Smartphones, flash drives, and other personal mobile devices have become the norm within business environments today. Each brings unique features that contribute to business productivity, and many professionals will tell you they are indispensable in their everyday activities.
So how can infosec professionals deal with the plethora of devices out there?
Ban them altogether and there is a very real risk that productivity will suffer. Allow them without having some sort of management plan in place and a costly data breach could be in your future. So, can mobile devices be managed without severely limiting their functionality and convenience?
Obviously, there’s no easy answer to this question. Much of how an organization handles its security policy will depend on the type of business it is and the sensitivity of the information being handled (e.g., organizations dealing with HIPAA or PCI DSS compliance may have stricter security standards than those without such regulations).
The starting point, of course, should be a well-written and detailed security policy, one that is explained and made accessible to all employees (for more on this, check out this article). Clearly communicating the policy to employees and providing training is essential, since they are the ones who will be carrying out and following the guidelines (this includes CEOs, VPs and the like, but more on that in a minute). The security policy should clearly, and in layman’s terms, outline what devices can and cannot be used as well as what data should and should not be accessed.
There also need to be some discussions with management regarding the penalty for not following the rules. Having a security policy in place is all well and good; however, there need to be clear repercussions when the rules aren’t followed. I’m not endorsing capital punishment, however, something like a strike system might be in order. First strike is a slap on the wrist or a stern look, second strike and the user loses their mobile device privileges for a week, etc. Organizations simply need to have systems in place to enforce their policies.
One last point on security policies: Review them, frequently. Technology changes quickly, so a review of your policy should be a regular occurrence. After the review, update what needs to be updated, redistribute to your users and retrain if necessary, then schedule another review down the road.
Once you have a good security policy in place, you need a way to enforce some of the rules outlined within said security policy. One of the best ways is with an endpoint security application. Endpoint security applications are available through a variety of vendors and come in a wide variety of configurations and prices. From simple USB device control to full system control, the choice will depend on your budget and needs.
In addition to endpoint security, some vendors offer remote management capabilities for mobile devices. If you have a rogue or lost flash drive, you can remotely erase it, negating any possible data breach. Be sure to investigate the options out there.
If you’ve read any of my previous posts you’ll notice a common theme: encryption. It can’t be emphasized enough. Anytime I see a story about a lost or stolen hard drive or flash drive and find out it wasn’t encrypted, it makes me cringe. Encryption is relatively easy to use and administer. It doesn’t put any major damper on productivity either, so there really is no excuse for not using it. Buy devices with a high level of hardware encryption for the least effect on performance. If that isn’t an option, use software encryption. Just make sure you are using encryption.
Some other options to consider are devices with built-in anti-virus and devices that limit the number of invalid login attempts. These are useful for preventing malware and also brute-force attacks, should someone without authorization attempt to access the device.
I know these types of things can be difficult to enforce, but that is where the discussions with management come in. There needs to be an open dialogue between IT and management to convey the importance of security and potential repercussions (data breach fines, loss of customer confidence, damage to brand image, etc.). And speaking of management, it is important they set a good example for the rest of the employees. They need to adhere to the security rules and should be championing whatever security policies are in place.
Although there might not be a perfect answer to the convenience or security question, with the right policy, tools and management, a good balance can be achieved.