Though Alexander Pope may have given birth to the phrase “To err is human,” thousands of CIOs have adopted the expression as a mantra-like mechanism for dealing with a major source of frustration.
That’s because even the most foolproof and well-devised mobile security solutions can be compromised by careless or uncooperative end users.
“People are the biggest problem,” said Mark Weatherford, a former CISO and current principal at The Chertoff Group, during a panel discussion at the recent BlackBerry Security Summit. “We can provide all the tools but people tend to circumvent those.”
Similar sentiments were expressed in a recent New York Times article chronicling the role that remote access software may have played in high-profile security breaches and offering a preview of a recently released report on cybersecurity by the United States Department of Homeland Security.
“It is also a reminder that a typical network is more a sprawl of loosely connected computers than a walled fortress, providing plenty of vulnerabilities — and easily duped humans — for determined hackers.”
And that sprawl is only getting more unwieldy through the rapid adoption of workforce mobilization, which is extending access to behind-the-firewall information to devices that are easily separated from their human handlers, who tend to be less than vigilant about security. Malicious hackers are increasingly counting on end-user indifference, as well as mental lapses, laziness and general ignorance, to bore their way into corporate networks through mobile end points.
Plenty of evidence suggests that cyber criminals are pursuing a fruitful path, including this 2014 survey from Osterman Research conducted on behalf of Centrify. Here’s a sampling of the survey’s findings:
- On average, 45 percent of the enterprise employees surveyed have more than six third-party applications installed on their personal device.
- More than 15 percent have had their personal account or password compromised.
- 43 percent have accessed sensitive corporate data on their personal device while on an unsecured public network, such as the airport or a coffee shop.
- 15 percent of survey respondents believe they have “none to minimal” responsibility to protect corporate data stored on their personal devices.
The list of end user-enabled security risks is a long one. In addition to downloading and using unauthorized apps, accessing sensitive data over unsecured networks and eschewing prescribed security practices, as mentioned in the Osterman Research survey, end users routinely copy corporate content to unprotected devices or cloud repositories, or fail to take precautions to prevent device loss or theft.
The Chertoff Group’s Weatherford drew a collective headshake from the BlackBerry Security Summit audience with an account of a request from a fellow air traveler to plug a battery-depleted iPhone into Weatherford’s laptop. Weatherford, who denied the request — informing the iPhone owner that he’d sooner share his toothbrush — offered the anecdote as evidence of end-user ignorance and its potential threat to a business’s intellectual property.
But what’s a CIO to do? There isn’t an Enterprise Mobility Management (EMM) solution on the planet that can prevent an absent-minded executive from leaving her smartphone at the airport check-in counter or exiting a taxi without her tablet. An end-user mobile device policy has yet to be penned that can force end users to be responsible caretakers of the company’s digital assets.
Some sources advocate inserting a zero tolerance policy into BYOD rules and regulations — lose your phone and go straight to the unemployment line. In this recent CIO online article, senior writer Tom Kaneshige shares a sampling of steps some organizations are considering to reduce end-user carelessness:
“Some companies are getting tough, attaching BYOD security compliance to employee performance reviews, compensation and, in rare cases, termination. Maybe these measures, the thinking goes, will get employees’ attention.”
7 Steps to Mitigating End-User Risks
Ignoring the second half of Pope’s famous line, these CIOs apparently have no interest in forgiveness or divinity. But firing every employee who loses a phone – this source estimates that 4.5 million smartphones were lost or stolen in the US in 2013 – is far from practical. A more reasonable approach is to eliminate as many end-user security risks as possible.
Adopting the following guidelines and policies is a good place to start:
1. Simplify policies and training. As mentioned previously, mobile security usage rules are often ignored by the workforce, which views reading a tome of rules and regulations, replete with clauses and sub-clauses, as a productivity drain. While you’re never going to reach all of your employees, creating a set of recommendations that are easy to consume and simple to understand will increase the number of employees who actually read them. A mandatory training session – again, short and to the point – is another way to disseminate the dos and don’ts of mobile security to end users.
2. Eliminate or limit BYOD policies. Now that the myths around the financial benefits of BYOD have been largely debunked, businesses have less incentive to let employees use personal equipment for transferring and storing content belonging to the business. Though device ownership probably won’t make a large difference when it comes to misplacing a smartphone or tablet, human nature suggests that employees tend to take better care of corporate-issued property. But the real advantage of a corporate-liable approach, such as Corporate-Owned, Personally Enabled (COPE), is not that it prevents human error but that it reduces the legal and financial fallout when errors occur.
3. Apply the KISS principle. As another panelist at the recent BlackBerry Security Summit, Mark Lobel, a principal at PricewaterhouseCoopers Advisory, pointed out: “Complexity is the enemy of security.” By keeping it simple (stupid) and creating an experience that is as close to native as possible, employees are less likely to seek out workarounds, such as unapproved applications, which are major sources of malware and data leakage.
4. Get business leaders involved. Many end users still view IT as the bad guys, an obstruction to be avoided or ignored. By getting business leaders – including the CEO – to reinforce IT’s efforts to secure mobile end points, organizations may get better buy-in from IT-averse end users.
5. Create a safe place for business data. By carving out work-only partitions, or containers, on mobile devices (both BYOD and COPE), businesses can reduce data leakage and slam shut backdoors into behind-the-firewall servers. Containers should be fortified with the ability to prevent end users from copying sensitive information, accidentally or purposely, into an unprotected portion of the device or leaking it through personal communications channels.
6. Invest in app vetting technology. Make sure your business’s mobility solution supports technology that will automatically screen downloaded apps for malware or noncompliance with corporate policies.
7. Assume mobile devices will be lost. Some sources estimate that about one out of five end users will misplace his smartphone. Until mobile devices can be embedded subcutaneously, businesses should take precautions against the “new” device owner siphoning off important information. A complex password is one of the most effective means of accomplishing that goal. While forcing end users to input a lengthy password smacks of violating the KISS principle, a reasonable trade-off is to eliminate the requirement for end users to frequently change their passwords. As this excellent guide to improving end-user device security points out, many end users would rather deal with one lengthy password than juggle multiple short ones.
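Steps 5 through 7 above translate into a routine posture check that an EMM or a simple inventory script can run against each enrolled device: is the work container on and sealed against copy-out, are only approved apps installed, and is the passcode long enough that a lost device is not an immediate data exposure? The following is an added example, not code from the original article or from any product it mentions; the policy thresholds, the app identifiers and the device records are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed policy thresholds (assumptions for this example).
# A long passcode with no forced rotation reflects the trade-off in step 7.
MIN_PASSCODE_LENGTH = 12
# Constructed allowlist for the app-vetting check in step 6.
APPROVED_APPS = {"com.example.mail", "com.example.docs", "com.example.chat"}


@dataclass
class Device:
    """One enrolled device as an inventory system might report it."""
    device_id: str
    owner: str
    passcode_length: int
    work_container_enabled: bool        # step 5: work-only container present
    container_copy_out_blocked: bool    # step 5: copy/paste out of container blocked
    installed_apps: list[str] = field(default_factory=list)


def evaluate(device: Device) -> list[str]:
    """Return policy findings for a device; an empty list means compliant."""
    findings: list[str] = []
    if device.passcode_length < MIN_PASSCODE_LENGTH:
        findings.append(
            f"passcode too short ({device.passcode_length} < {MIN_PASSCODE_LENGTH})"
        )
    if not device.work_container_enabled:
        findings.append("work container not enabled")
    elif not device.container_copy_out_blocked:
        findings.append("container allows copying data to personal side")
    unapproved = sorted(set(device.installed_apps) - APPROVED_APPS)
    if unapproved:
        findings.append("unapproved apps: " + ", ".join(unapproved))
    return findings


def lost_device_actions(device: Device) -> list[str]:
    """Constructed response checklist once a device is reported lost (step 7).

    The posture recorded before the loss decides how much must be assumed exposed.
    """
    actions = ["revoke device certificate and tokens", "wipe work container"]
    if not device.work_container_enabled:
        # Nothing scopes the wipe to business data, so the whole device goes.
        actions.append("full device wipe (no container to scope the wipe)")
    if device.passcode_length < MIN_PASSCODE_LENGTH:
        actions.append("treat contents as exposed; rotate credentials for cached accounts")
    return actions


def report(fleet: list[Device]) -> dict[str, list[str]]:
    """Map each device id to its findings so non-compliant devices stand out."""
    return {d.device_id: evaluate(d) for d in fleet}


# Constructed sample fleet: one compliant device, one with several gaps,
# one corporate device enrolled without a container.
SAMPLE_FLEET = [
    Device("dev-001", "alice", 14, True, True, ["com.example.mail", "com.example.docs"]),
    Device("dev-002", "bob", 6, True, False, ["com.example.mail", "com.unknown.flashlight"]),
    Device("dev-003", "carol", 12, False, False, []),
]

if __name__ == "__main__":
    for device_id, findings in report(SAMPLE_FLEET).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{device_id}: {status}")
    print("lost dev-003 ->", lost_device_actions(SAMPLE_FLEET[2]))
```

The check deliberately scores passcode length rather than rotation age, matching the trade-off in step 7, and the lost-device checklist grows only when the recorded posture leaves no narrower option, which is the practical payoff of having a container in the first place.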