The most effective way to gain control over employee smartphone and tablet use in the workplace is to develop a formal BYOD security policy and effectively communicate BYOD security issues to employees, according to a security expert overseeing his company's program. Many enterprises can set and properly enforce a mobile device security policy without a mobile device management (MDM) platform, said Darrin Reynolds, vice president of information security at New York City-based Diversified Agency Services, a division of Omnicom Group. Reynolds, who recently gave a presentation entitled "Building a Top-Down Awareness Program for Mobile Users" at the 2012 InfoSec World Conference and Expo, spoke to SearchSecurity.com about effectively creating and communicating a BYOD policy. Make the policy as simple as you can, he said.
If it is going to support or receive corporate data then you have got to play by our rules.
Darrin Reynolds, vice president of information security, Diversified Agency Services
Q: What is the most important step in effectively communicating security policy?
Darrin Reynolds: I think one of the things that is key in communication is a lesson that I learned long ago: Write it in crayon. Make it as simple as you can. Keep it short, sweet and on point. If you can get the users to be aware of the security elements in your environment, they absolutely will be your best line of defense. They are the ones who are going to spot things, and they are going to report them, assuming they know what to spot and know who to report it to. When it comes to mobile security, I want them to be aware of what is at risk: not only theft, loss or exposure of information, but other risks, such as what they face as they are mobile. It has nothing to do with the device, but the types of environments that are going to put them at risk, what those risks are and how they should address them.
Q: Mobile has been evolving, how long did it take you to recognize the need to get a formal mobile security policy in place to address the introduction of smartphones and tablets into the workplace?
Reynolds: I think we were a little late to the game because we err on the side of being productive rather than being secure, and I think a lot of companies are there too. One of the things that pushed it to the forefront was the users asking, "Hey, now I have this device; do we have a policy?" I liked that the users were ahead of the curve asking that question. If they are going to ask me for a policy, I'm going to help them by explaining what the risks are and here's what you need to do with it.
Q: It sounds like your organization had instilled a strong security culture into the user base.
Reynolds: They certainly get an earful from me and they are aware that if there is a security question they are going to come to me. Thinking about the security aspect has been top of mind in everything they do now. When they want to evaluate a cloud solution, the first thing they think is, “How secure is it?” If they evaluate a new device, they are already thinking about security. I like it. I count that as a big win that people are already bringing security awareness into the conversation.
Effective BYOD policy podcast interview:
Do you think you need a mobile device management platform? Think again, said Darrin Reynolds, vice president of information security at Diversified Agency Services. A formal policy should come first. Reynolds explains that security essentials can be done with existing systems.
Q: You have three or four elemental security policies for mobile devices. What are they?
Reynolds: The rules are you can use any device you want, but if it is going to support or receive corporate data then you have to play by our rules. Our rules are: you have to have a PIN [personal identification number]; it has to support a code lock; it has to have an auto lockout feature; it has to support encryption; and it has to support remote wipe. We kept it really simple to those four things. Everyone knows, if they are going to get their own device because my company will let them, "I need to at least be thinking of those things when I go to the store."
Q: Did you need additional security technology to address those mobile device security policies?
Reynolds: Not really. It's really a policy issue. If the device will support our policy, and by that I mean the technological configuration through a BES server or ActiveSync server, that's really all the technology we need. The device should have the rest of that capability. This goes back a couple of years, so I can't think that any new device is going to cut itself off at the knees by eliminating security from its feature set.
Q: There are many mobile device management (MDM) vendors out there trying to sell technology. Why would you take the next step to evaluate and deploy an MDM platform? Is that for enforcement or additional security measures?
Reynolds: It can be. MDM is one of those areas where we look to savings. That's how we got here in the first place. BYOD [bring your own device] allows us to, from a corporate standpoint, save money on the devices we were purchasing by letting the users purchase them themselves. Then you go to MDM and you just spend the money that you would have saved with BYOD by having a standardized platform. From that standpoint, MDM is kind of a wash, so I don't look at it to be a cost savings. I do look at it to be more of a "feel good" for that sense of control [and visibility] that we don't have without it. That's the right place for MDM: to give me more capabilities in how I manage that environment and not really to look for a cost savings. … If you can, limit that exposure of corporate data into a vault or sandbox, so when a user loses their device, they know we're going to send a wipe, but it's not going to hit their personal data; that's a feel-good for them. If it is stolen, it's nice to be able to know that the information was protected during the exposure between the loss and the wipe, and the wipe is there to back us up.
Q: When an employee device is lost, employees typically call their carrier to terminate service. Is that the correct response?
Reynolds: They should not do that. We have informed them to absolutely contact the help desk first. That is your first line of defense. We want to be able to issue that wipe command and then terminate the service. If they terminate service first, we can't issue the wipe, and we've seen that in a couple of cases. I think users go that route because their concern is not corporate data, it's whether they are going to get charges. That's really the wrong focus. We want users to know that the data is more important. We can take care of phone charges and fraudulent calls after the fact. We've got to have that service on so we can issue the wipe.
Q: Do you have any other advice in terms of communicating mobile security and BYOD security policies?
Reynolds: It needs to be ongoing and iterative. You can’t just rely on a single message to get your point across. You’ve got to deliver that message in a number of different ways. You can use email, voicemail and put a poster up in the boardroom. Have a tent event out in the parking lot. You’ve got to mix it up and you have to have all kinds of different mechanisms to use for delivering this content. That’s what helps people remember your message. It needs to be ongoing, and you need to get it out there in a number of different ways.
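As an added illustration (editor's example, not configuration from the article, from Reynolds or from his company), the following Exchange Management Shell script shows how the device rules in the interview (PIN/code lock, auto lockout, encryption, remote wipe) map onto an Exchange ActiveSync mailbox policy with no MDM platform, and how the wipe-before-carrier procedure from the lost-device answer plays out server-side. It assumes an Exchange 2013 or later (or Exchange Online) management session with the organization management role; the policy name, mailbox address, device name and help desk address are placeholders. On Exchange 2010, the era of the interview, the equivalent cmdlets are New-ActiveSyncMailboxPolicy, Get-ActiveSyncDevice, Get-ActiveSyncDeviceStatistics and Clear-ActiveSyncDevice.

```powershell
# Added example: Exchange ActiveSync policy enforcing the interview's device rules.
# Placeholder names: 'BYOD-Baseline', jdoe@example.com, 'Jane iPhone', helpdesk@example.com.

# 1. One policy that encodes the rules. Splatting is used so each setting can carry a comment.
$policy = @{
    Name                         = 'BYOD-Baseline'
    PasswordEnabled              = $true                    # PIN / code lock is mandatory
    AllowSimplePassword          = $false                   # reject 1234, 1111, 0000 style codes
    MinPasswordLength            = 6
    MaxInactivityTimeLock        = (New-TimeSpan -Minutes 5) # auto lockout after 5 idle minutes
    MaxPasswordFailedAttempts    = 10                       # device self-wipes after 10 bad PINs
    RequireDeviceEncryption      = $true                    # storage encryption is mandatory
    AllowNonProvisionableDevices = $false                   # "if it supports our policy": devices that cannot enforce the policy are refused, not waved through
    DevicePolicyRefreshInterval  = (New-TimeSpan -Hours 24) # re-push policy daily
}
New-MobileDeviceMailboxPolicy @policy

# 2. Make it the default so every new BYOD enrollment inherits it,
#    or pin it to a specific mailbox with Set-CASMailbox.
Set-MobileDeviceMailboxPolicy -Identity 'BYOD-Baseline' -IsDefault $true
Set-CASMailbox -Identity 'jdoe@example.com' -ActiveSyncMailboxPolicy 'BYOD-Baseline'

# 3. Verify the policy actually landed on each device the user has paired.
#    DevicePolicyApplicationStatus of AppliedInFull is the value to look for;
#    IsRemoteWipeSupported confirms the fourth rule is met.
Get-MobileDeviceStatistics -Mailbox 'jdoe@example.com' |
    Select-Object DeviceFriendlyName, DeviceOS, LastSuccessSync,
                  DevicePolicyApplied, DevicePolicyApplicationStatus, IsRemoteWipeSupported

# 4. Lost device: wipe FIRST, then let the user call the carrier.
#    The wipe is queued on the server and delivered on the device's next sync.
#    A device whose service was already terminated never syncs, so the wipe
#    never lands; that is the failure mode the help-desk-first rule prevents.
$device = Get-MobileDevice -Mailbox 'jdoe@example.com' |
    Where-Object { $_.DeviceFriendlyName -eq 'Jane iPhone' }

# Full device wipe. Newer Exchange builds also accept -AccountOnly, which removes only
# the corporate account and its data and leaves the user's personal data alone,
# the "vault or sandbox" behaviour Reynolds describes; use it where available.
Clear-MobileDevice -Identity $device.Identity `
    -NotificationEmailAddresses 'helpdesk@example.com' `
    -Confirm:$false

# 5. Poll for acknowledgement with a bound, so a dead device does not hang the help desk.
#    DeviceWipeSentTime shows the device checked in and received the command;
#    DeviceWipeAckTime shows it confirmed the wipe completed.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 60
    $stats = Get-MobileDeviceStatistics -Identity $device.Identity
} until ($stats.DeviceWipeAckTime -or (Get-Date) -gt $deadline)

if ($stats.DeviceWipeAckTime) {
    "Wipe acknowledged at $($stats.DeviceWipeAckTime); user may now cancel carrier service."
} else {
    "No acknowledgement yet (sent: $($stats.DeviceWipeSentTime)). Keep service active and keep the wipe pending."
}
```

If the device turns up before the wipe has been delivered, `Clear-MobileDevice -Identity $device.Identity -Cancel` withdraws the pending command; once DeviceWipeSentTime is populated the device has already received it and cancellation no longer helps.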