Make love not war!

December 2011 Information Security

The pace of business today requires that workers stay in touch, even while on the move. Access to e-mail, data and applications, regardless of someone’s physical location or device used, has become a business imperative. In fact, the truth of the matter is quite simply that employee productivity, customer satisfaction and competitive advantage all depend on adopting mobile working practices.

But it comes at a price – how big a price is down to you.

The security battlefield

In the past, IT departments have been reluctant to deploy mobile solutions for fear of the increased risks posed to information security. All too often devices were lost, or stolen, exposing the vulnerable data contained on the device itself. Instead of the benefits these flexible practices could introduce, the mobile device instead became a weapon of mass destruction turned against the corporate defences of the organisation.

However, while in the past saying no to users may have been an option, with today’s modern working practices it is just unrealistic. This is not just in terms of restricting an organisation’s ability to function and therefore hindering its competitiveness, but also from the consumerisation of IT. With the price of technology affordable for the majority, many users are not only happy, but actually willing, to invest and use their own personal devices if it makes their life easier.

Instead of trying to block mobile devices, effective IT departments need to engage more collaboratively with their users in order to embrace these new technologies safely. Open communication, with the recognition that technical controls alone are not a fail safe mechanism to prevent failures in information security, is the key.

Grant Taylor
Grant Taylor

Three tips to peace and harmony

The implementation of workable security controls, that balance the needs of users against the real risks facing the organisation, is the only way forward.

There are three primary elements to this:

The human dimension

Never forget the first line of defence for improving mobile security is your users. The sad fact is many wrongly believe that the IT department is trying to control them, rather than the actual reality of helping them, to do their job.

The main point to get them to understand and accept is why what they are doing poses a security risk to the organisation. Only once they fully comprehend the reasons for restrictions, will you gain their support.

Users will not remember what they read when they first joined your organisation. And, actually, policies and practices need to be regularly revisited and changed over time to reflect advancements in technology and also reflect differences in the risks the organisation faces.

To address the human dimension you need to:

* Create, and then regularly re-visit, your home and mobile working policy making sure each key point is explained, in simple language, with no room for interpretation.

* Focus your users’ attention by emphasising the consequences of non-adherence. Keep these personal, instant and non-negotiable.

* As part of your communication and awareness programme introduce random testing to reveal gaps in understanding.

The technology dimension

Introducing mobile connectivity is renowned for increasing help desk support. Although logical, yet often forgotten, is that the more complex the security access solution is, the more difficult it is for users, and therefore the amount of support needed will increase.

Instead, organisations need to keep three things in mind:

* Choose a solution that provides seamless interaction, with data and applications, no matter where people are or the device they are using.

* Limit user access in relation to the requirements of their role balanced against the risks posed by their location or device.

* Communicate with users why these restrictions are absolutely necessary, especially at the point of use, so they understand why they cannot do something and will not try to circumnavigate them.

The final dimension

This relates to flexibility. In an ideal world you may choose to prevent or restrict unauthorised use of peripheral devices on corporate computers. However, now or in the future, these devices could be deemed a necessary business tool.

Going back to our previous point of denial not always being an effective solution, instead, you need to devise methods that accommodate these necessary deviations:

* Encourage users to discuss the tools they need so you know what is out there.

* Track and report on data movements and have a mechanism to obliterate content from lost or stolen devices.

* Communicate the benefits of early reporting so users are not afraid to report losses immediately.

Together we are stronger

By developing mobile security initiatives with reference to corporate risk objectives that are important to end users, your IT department shares the responsibility with business managers and employees. The expectation becomes that everyone helps to mitigate risk proportionately rather than completely avoid it.

On-going education of the reasons behind security precautions, and how a user’s risky behaviour exposes them and the enterprise, with explanations of how it is being overcome is fundamental. Only then can you be sure that everyone fulfils their role in the battle to keep information secure.

To learn more about mitigating risk with Cryptzone IT security solutions for policy compliance, secure access, endpoint security and content security visit www.cryptzone.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Upgrade your PCs to improve security
Information Security Infrastructure
Truly secure technology today must be designed to detect and address unusual activity as it happens, wherever it happens, right down to the BIOS and silicon levels.

Read more...
Open source code can also be open risk
Information Security Infrastructure
Software development has changed significantly over the years, and today, open-source code increasingly forms the foundation of modern applications, with surveys indicating that 60 – 90% of the average application's code base consists of open-source components.

Read more...
DeepSneak deception
Information Security News & Events
Kaspersky Global Research & Analysis researchers have discovered a new malicious campaign which is distributing a Trojan through a fake DeepSeek-R1 Large Language Model (LLM) app for PCs.

Read more...
SA’s strained, loadshedding-prone grid faces cyberthreats
Power Management Information Security
South Africa’s energy sector, already battered by decades of underinvestment and loadshedding, faces another escalating crisis; a wave of cyberthreats that could turn disruptions into catastrophic failures. Attacks are already happening internationally.

Read more...
Almost 50% of companies choose to pay the ransom
News & Events Information Security
This year’s Sophos State of Ransomware 2025 report found that nearly 50% of companies paid the ransom to get their data back, the second-highest rate of ransom payment for ransom demands in six years.

Read more...
Survey highlights cost of cyberdamage to industrial companies
Kaspersky Information Security News & Events
The majority of industrial organisations estimate their financial losses caused by cyberattacks to be over $1 million, while almost one in four report losses exceeding $5 million, and for some, it surpasses $10 million.

Read more...
Digital economy needs an agile approach to cybersecurity
Information Security News & Events
South Africa is the most targeted country in Africa when it comes to infostealer and ransomware attacks. Being at the forefront of the continent’s digital transformation puts South Africa in the crosshairs for sophisticated cyberattacks

Read more...
SIEM rule threat coverage validation
Information Security News & Events
New AI-detection engineering assistant from Cymulate automates SIEM rule validation for SecOps and blue teams by streamlining threat detection engineering with automated testing, control integrations and enhanced detections.

Read more...
Cybersecurity a challenge in digitalising OT
Kaspersky Information Security Industrial (Industry)
According to a study by Kaspersky and VDC Research on securing operational technology environments, the primary risks are inadequate security measures, insufficient resources allocated to OT cybersecurity, challenges surrounding regulatory compliance, and the complexities of IT/OT integration.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.