The IBM and Intel BYOD Playbooks

On: July 14, 2013
What can organizations do to increase mobile security awareness among their employees and in the process mitigate the many risks inherent to these devices?

Michael Fitzgerald, writing for CSO, observed, “Just because workers have smartphones does not mean they’ll be smart about security.” Exacerbating this condition, unfortunately, is that many IT organizations are falling far short in closing the “smart gap” by taking a “We’ll figure it out later” attitude. What happens when “not smart” meets “figure it out later”? Many organizations that fail to embrace the challenge of BYOD are about to find out.

So what can organizations do to increase mobile security awareness among their employees and in the process mitigate the many risks inherent to these devices? Because ignorance and procrastination are working together to undermine your best-laid security plans, the quickest, most cost-effective corrective action is to institute a proper security awareness program that includes BYOD content.

Two companies leading the development of best practices in BYOD are IBM and Intel—both of whom have rigorous security awareness training as a cornerstone of their information security strategies. According to the IBM policy, employees who want to use their own devices first must become “certified,” which they do by passing a mobile security awareness training course. Only then are they eligible to use their own devices.

Likewise, Intel, in a whitepaper on improving security and mobility for personally-owned devices, reports, “We have found that conducting training sessions is an important element of a successful BYOD program…. We train users about the content and ramifications of the employee service agreement. We also teach employees how to protect information on their devices. We explain unacceptable usages, such as peer-to-peer software sharing, and unacceptable behaviors, such as loaning a personal device that has access to corporate data to a family member. Focusing on behavior modification has helped us improve information security.”

Instilling a security-aware culture is of particular importance in regulated industries where any compromise of the security of the corporate network can prove devastating. And where BYOD is concerned it’s even easier for employees to step outside the security bounds. Ken Hess, Senior Editor at Admin Magazine, observes, “Doing BYOD policy without having a security awareness component is inviting a breach.” He adds that user awareness is one of the most important security measures a company can implement, second only to firewalls and better password management. “It might sound trivial at first to say that user awareness is important to security but it might be the most important non-hardware, non-software solution available. An informed user is a user who behaves more responsibly and takes fewer risks with valuable company data, including email. Not only does user education make the user aware of all the potential dangers of mobile computing, it also places a lot of the responsibility for corporate security onto the user. And that’s a good thing.”

BYOD presents one of the biggest risks IT organizations have faced in the past ten years. It’s a trend that is driving control out of the hands of IT and directly into the hands of far less security-competent people. Smartphones, notebooks, tablets, and other employee-owned mobile devices mean proprietary information is now stored almost everywhere—including the employees’ personal cloud backup services, where it all gets uploaded on a daily basis. With this state of affairs, you can’t afford to wait to sort out the technology issues. In the meantime, the security gap is wide and growing wider. But you’re not without help. The most cost-effective and immediate measure your organization can take to stop that gap is to educate your people. To this end, BYOD presents a rare opportunity to engage your employees on security matters that tap their inherent levels of interest and motivation. That, as you know, is more than half the battle—and it’s just been handed to you. In the process, you’ll gain far more than mobile security awareness: you’ll start to build a security-aware culture that closes the doors on every other information security vulnerability, from phishing to social engineering. Time to take a page out of the IBM and Intel information security playbooks?
