Week 8: Bring Your Own Device Policies and Users
Bring your own device policies are another area of information technology where security professionals can find their best intentions stymied by users’ attempts to work around policies that don’t consider the user experience first. This came up in conversation with a classmate recently, and there are two primary cases where users circumvent BYOD policies. First, due to a shortage of resources users may not have access to organization-provided mobile devices. Second, users may prefer using their own devices because the organization’s provided devices are old, have an interface the user is unfamiliar with, or are inconvenient to carry or use. The latter case played out in the most recent US Presidential election, with one candidate’s use of her personal IT system rather than the approved government system during her time as Secretary of State becoming a major campaign issue. While most of us don’t need to worry about this level of exposure, either scenario can easily inspire users to use their own mobile devices for work despite the absence of organizational approval.

What, then, should we in the information security profession do about this tendency? Organizations should implement BYOD policies that support the widest practical range of user choices while still protecting the organization’s security. When security dictates a more restrictive or non-permissive BYOD policy, organizations should ensure that as many users as possible have access to organization-provided mobile devices and make those devices as capable as possible. Both strategies seek to secure the network while at the same time keeping the user experience at the center of the decision-making process—and thereby encouraging users to follow the policies rather than finding ways around them.
