The self-empowered BYO employee is as compelling to businesses as the proposition is terrifying. With a massive BYO movement afoot, organizations are scrambling to figure out how to reap the rewards of BYO while managing the risk. Better yet, they’re trying to fathom how to win end user buy-in when it comes to security.
The best laid out IT security policies mean nothing without end user buy-in. In today’s BYO climate managing security and risk is forcing company security policy makers to rethink everything. Yesterday’s my way or the highway approach to security won’t work with today’s BYO employee.
In this new IT world where the tech-centric employee is armed with their mobile device of choice, and cloud apps and web services of choice, what is clear is that companies have to adopt security strategies that move beyond shortsightedness and inconvenience.
What’s at stake for companies that don’t foster a culture of security is the potential loss of sensitive and confidential data, legal risks and being out of compliance, and a tarnished brand.
It’s no wonder BYO is keeping IT security experts up at night. In a 2011 ISACA IT Risk/Reward Barometer North America survey, 58% of respondents said that employee-owned mobile devices posed the greatest risk to the organization. Forty-five percent said that the riskiest behavior employees engage in on a mobile device with access to the corporate network is storing company data in an insecure manner (ISACA was formerly known as the Information Systems Audit and Control Association).
Practicing cyber safety, for example not forwarding corporate email to personal accounts, not storing business data in the cloud, and not using mobile apps to collect customer data, is vital to every business’s mission.
It’s also essential to every employee.
“The goal is not to convince the end user that security is good for them. What needs to be clearly communicated is that security is aligned with the business objectives,” says Steve Ross, executive principal at Risk Masters Inc.
Practice Makes Good Business
End users should practice cyber safety because a security risk to the company can affect the business, their jobs and them in a significant way. Think about the implications if the company you work for loses intellectual property or becomes tomorrow’s headline news.
Practicing cyber safety also extends to how end users take care of the customer, which includes protecting the customer’s personal information.
“This is less about the user valuing technology and more about the end user wanting to protect the customer or protect the business from serious risk that can impact the user,” says Tom Corn, chief strategy officer at RSA.
That said, companies have a responsibility to retool security practices. “We have to take the security burden off of the end user,” he says. Security shouldn’t be a fire drill and it shouldn’t be viewed as a necessary evil. IT security experts have to ask themselves, is security a wall or a door?
That’s the imagery that will change people’s minds.
Oddly enough, creating a culture of security is less about the awareness of security and more about the value of the information businesses and users have access to. “A culture of security doesn’t start at the back end with the device,” says Ross.
An effective security culture is not an end in itself but a pathway to achieving and maintaining other objectives, such as the proper use of information. It supports the protection of information while also supporting the broader aims of the enterprise, according to Ross, who authored a book on the topic. There are many meaningful strategies for companies to consider that encourage rather than inhibit a culture of security while empowering the end user.
At the IT-level, security isn’t about any one device. It’s about supporting a device-agnostic infrastructure where security should be baked into every aspect of access to the network, data and applications. Protection of the corporate data through isolation from personal data should also be addressed, according to PwC Advisory Services.
Interestingly enough, today’s mobile devices and web apps have raised the bar on the user experience side. RSA’s Corn suggests that security must be more transparent and not burden the end user. That’s where more automated and risk-based security, such as authentication and transaction monitoring, comes into play.
Companies should also consider a reward structure to reinforce practicing cyber safety. While business decision makers may wonder why end users should be rewarded for doing what they should be doing anyway, it’s important to remember that cyber safety is about changing behavior, which is more a matter of organizational psychology.
Devising a reward structure is about incentive rather than punishment.
Along the same lines, the language around security needs to change from being prohibitive and denying to allowing, encouraging and granting. Creating a culture of security is more apt to happen in an organization that views technology less as a risk and more as a benefit and talks less about authorizing and more about empowering.
A resilient company requires a resilient culture.