How To Change Security Behaviors: Mobile Security
Let’s be honest, security has never been simple.
But when every employee has a connected mobile device in their pocket it can quickly become a terrifying prospect. More than ever, employees are in a position to cause tremendous damage to your organization.
But here’s the strange thing — Most organizations do very little to ensure their users exhibit security-conscious behaviors, particularly where mobile devices are concerned. Perhaps mobile security gets a brief mention in their annual yawn-fest security awareness training sessions… but that’s about it.
So if you’re going to get a handle on mobile security, you’re going to need to buck the trend.
What are the Risks?
OK, so you’re going to need to train your users in mobile security. But… what exactly should you cover?
Here’s what we suggest. First, identify all of the things that are likely to go wrong in the area of mobile security. Here are some of the primary candidates:
Unsecured WiFi — If you’re going to educate your employees, you’ll need to start right at the beginning. Most people simply don’t realize there are risks associated with connecting to the free WiFi at Starbucks while they wait for their morning pick-me-up. Unsecured WiFi networks are a goldmine for unscrupulous actors, who can use open source software to sniff out login credentials, browsing history, and more.
Unofficial apps — Everybody likes to download new apps for their phone. Unfortunately, for both iOS and Android, there are dozens of unofficial app stores teeming with malware, spyware, and ransomware. Downloading the wrong applications can easily endanger your organization’s sensitive data, and your users need to understand that.
Repairs / Jailbreaking — One thing to watch out for is users who accidentally damage their work mobile device, and choose to have it repaired externally. Third parties should never be given access to your organization’s mobile devices, and it should also be made painfully clear that alterations such as jailbreaking (also known as rooting) are never permitted.
Poor security Hygiene — Pretty much everybody knows how to use mobile devices now. Unfortunately, that means pretty much everyone has picked up dozens of bad mobile security habits, and they won’t stop when you put a corporate device in their hands. Basic security behaviors such as conscious browsing, not blindly following links, not clicking on advertising banners, and exercising caution when viewing email or social media should all be covered by your training program.
Mobile-Specific Threats — While many threats are consistent across mobile and desktop browsing, there are a number of mobile-specific threats that should be covered. URL padding is a good recent example, but there are plenty more to cover.
Loss and theft — Over the past two decades countless breaches have been caused by users accidentally leaving laptops or documents on public transport, or on the passenger seat of a parked car. Now we have something even better: lost and stolen mobile devices. Take the time to educate your employees in basic personal security, the “dos and don’ts” or having a work device, and what to do in the event of loss or theft.
Getting Your Point Across
Here’s the thing about changing behaviors: We all use mobile devices every single day… and as a result, annual training sessions have almost zero ability to cause change. They’re simply too little, too infrequently to have any real impact.
So what’s the alternative? Micro learning.
Instead of holding long annual training sessions in hot, stuffy classrooms, provide short, snappy training sessions much more frequently. You don’t even need to hold them in a classroom — Online training portals work exceptionally well.
The goal is to never allow your employees to forget about the security behaviors you want them to adopt. Training sessions can be just a few minutes in length, so long as they properly cover the point you’re trying to make, and communicate the potential cost of failure for the organization.
Focus on Behavior, Not Awareness
To be honest, we really don’t like the term security awareness training. Who cares about awareness when it’s behaviors that really count?
Well here’s the thing. Training is a great way to minimize cyber risk, but there are some cases where simply forcing employees to be secure is the better option. For instance:
Using security features – Yes, you can train users to religiously use security features such as setting up a passcode and changing it regularly. But wouldn’t it be easier to simply set these features as mandatory requirements?
Limiting personal use – Yes, some level of personal use is inevitable when you issue employees with a company device. But if you’re allowing employees to download and install apps themselves, you’re opening your organization up to unnecessary security risks. Once again, you could train employees in the importance of keeping work and personal devices separate… or you could simply remove the choice, and maximize security.
Use the Medium
When it comes to micro learning, online training makes complete sense. It’s instantaneous, doesn’t force employees to waste time traveling, and lessons are far more likely to be retained than with the traditional annual training model. Even better, online training makes it much easier to reinforce your messages on a regular basis than would be possible if you had to constantly arrange classroom sessions.
But with mobile devices in particular, you have an opportunity to take advantage of the medium — they’re a ready made platform for reinforcement. Everything from custom-built apps with push notifications to simple text reminders are fair game.
Test different methods, keep what works, and discard what doesn’t.
Consistent is Better Than Perfect
When you’re developing a new training program, it’s tempting to spend months trying to perfect it before rolling it out. But think about it — Human error causes a huge proportion of data breaches, can you really afford to wait?
Ultimately, the only way to change security behaviors is to consistently provide high quality training materials, and support your employees to change their behaviors over time. That means committing to your program for the long term, and consistently delivering powerful training in manageable chunks.
In other words, never give your employees the chance to forget the behaviors you need them to adopt.
*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Dane Boyd. Read the original post at: https://info.phishlabs.com/blog/how-to-change-security-behaviors-mobile-security