How Effective Are Mobile Security Policies?
McAfee teamed up with Carnegie Mellon University to examine the current state of mobile security across 14 countries, covering 1500 organizations. One of the key findings: 95 percent of organizations have policies in place for mobile devices. However, not even one out of three employees is aware of their company's mobile security policy.
This leaves us questioning the effectiveness of these policies within organizations that have adopted them.
"Policy is a very relative term," says Chenxi Wang, VP and principal analyst for security and risk at Forrester Research Inc., an IT and market research company. "Some companies may have informal policies, like just a sentence addressing mobile security in their employee code of conduct," she adds. "I bet that the 95 percent of organizations that reported they have a policy include companies that have mobile security policies which do not address their current needs."
The survey also indicates that 64 percent of employees in these organizations have free access to surf the internet or download applications, in addition to keeping sensitive work-related information on these devices.
According to Winn Schwartau, Chairman of the Board at Mobile Active Defense, a software development company specializing in mobile applications, company leaders are scared. "[They] don't know what to do and how to control the usage of mobile devices on [their] network."
Schwartau finds that most companies do not know how to deal with mobile devices and do not have comprehensive policies that address the full spectrum of risks. Organizations continue to dwell on the same questions:
- Should a consumer device be connected to their networks at all?
- Should these consumer devices be used to conduct business?
- Should employees be allowed to use their personal devices to connect to the organization's networks?
"Organizations don't really know how to implement and go from policy to enforcing employee behavior in organizations," Wang says. "As an industry, we're still in the 'let's figure out policy' stage."
One of the big challenges is also changing the mindset of leaders who continue to approach mobile devices the way they approached fixed enterprise assets or laptops, says Lianne Caetano, director of product marketing for mobile solutions at McAfee. "The old ways will simply not work, because there is a much more complex ecosystem where there is device diversity with multiple operating systems and technical differences, making it very difficult for organizations to enforce these policies."
However, organizations can make a difference by investing time in drafting well-written policies that are much more restrictive about employee behavior. For instance, they can begin to control their devices by locking them down and allowing only approved devices on corporate networks, and by implementing security controls on mobile devices that dictate which software can or cannot be downloaded to the device and which security features must be enabled.
To be effective, policies further need to spell out the consequences for employees who do not abide by them, says Schwartau. "It has to be treated like jailbreaking in case they bypass these rules."
Organizations also need to raise awareness of these policies by communicating them to employees and training employees on them effectively, as part of the acceptable use policy or employee code of conduct. To test these policies, they can even offer simple quizzes or send actual phishing test emails to validate the level of awareness.
The consumerization of IT is all about employee productivity, but increased productivity is not without cost. Going forward, it will be interesting to see how organizations cope with these challenges and fill the gaps we see today.