Why Mobility is Good for Security

I should get the Pulitzer for these headlines. It’s only a matter of time until they add blogging to the list of literary/artistic mediums.

What it should say is that BECAUSE of Mobility/BYOD, the spectre of information security raises its head higher than it usually does (which isn’t saying much), thus getting the attention of the senior management who are either entirely focused on running their business, or busy running it into the ground.

I actually had first-hand experience a while ago of an organisation that is on its way to becoming a BYOD-free zone, and considering what they do, I don’t blame them. At least until they get their security culture and policies sorted out anyway.

Which is kinda the point, as very few things I can think of have put the business side and the IT side into greater confrontation.  Business wants increased productivity AND cost savings, and IT Security want …well …IT security.

I don’t think anyone can deny the inevitable increase in productivity when your work email is sent to the same device you spend vast portions of your life on (usually in order to avoid talking to actual people).  But then you also can’t deny that confidential information on a device that is insecure (currently) is a VERY bad idea.

I know there are BYOD ‘solutions’ out there, but none of them work, and most of them are downright crap.

So where do businesses screw up? Easy: they look IMMEDIATELY to technology to solve the problem that only education and policy can solve (again, currently).

Here’s a scenario:

  1. A salesperson wants to send a classified contract to legal, should they:
    a. Just send it, because it’s to an ‘internal’ department?
    b. Password protect it if they have that ability on their mobile device?
    c. Never try to send it from a mobile device?
    d. Follow the corporate policy?
    e. Wait until the next day to send it securely from a known-good device?

The correct answer is d.

Hang on – you may say before hearing the explanation – why are b., c. and e. wrong? They are not wrong, they’re just not right given that policy ALWAYS trumps what you think is the right thing to do. If corporate policy says you can post classified docs to Facebook for feedback, so be it. Your company will be out of business, and your CEO in jail (hopefully), but that’s a perfect segue to my next point…

Do you think you have the right to question your company’s policies?

The answer is that you absoLUTEly have not only the right, but the obliGAtion to question policies if you consider them in any way discriminatory, incomplete, redundant, inappropriate, unworkable …you name it. Not only that, you have a further obligation to help enforce those policies; it’s your company as well.

Policies are supposed to be the parameters upon which the corporate culture is founded. They define the CEO’s perspective on everything from community programmes, to acceptable use, to expenses, and if the CEO doesn’t bother to create them (or at least approve them), as well as evangelise them, they will not be followed.

So, back to my favourite phrase: “Let’s be very clear: the CEO sets the tone for the entire company: its vision, its values, its direction, and its priorities. If the organisation fails to achieve [secure BYOD through policy enforcement], it’s the CEO’s fault, and no-one else’s.”

If you don’t think policy is the way to go on this, let me ask you one question: would you follow company policy if this was the language in it? ‘All employees are strictly forbidden to send confidential information from their mobile devices. All confidential data must be deleted immediately, and the matter reported to [department]. Any breach of this policy will result in dismissal, and subsequent legal action if deemed appropriate.’

I would.