Our March 2 blog post discussed 6 Ways to Effectively Update Your Mobile Policy. Implementing an updated mobile policy is a critical step, but employees also need to know why a mobile policy is necessary. If employees don’t fully understand and embrace the reasons behind the policy, the initiative will ultimately fail to protect corporate intellectual property, secure customer information and reduce corporate liability.
Training and a communication plan are essential to the success of your mobile policy rollout. The new employee on-boarding process is a great way to introduce your organization’s standards. Ongoing communications to all employees should include detailed information about the mobile policy. The goal of your messaging should be to explain the mobile policy as simply and as clearly as possible, but also convey the potential dangers or repercussions of ignoring it.
We recommend top executives get involved and sign communications regarding mobile device security in particular. Employees must see that top executives consider security a priority. Companywide messages sent in a periodic rotation from the CEO, CFO and CIO focusing solely on security have proven to be very successful, not only during an initial or “update” rollout but on an ongoing basis.
The dangers of not having an updated policy, as cited in our earlier blog, began with a viral news story featuring a major security breach that disclosed confidential customer information, intellectual property, and embarrassing information about the inner workings of your organization. With the recent WikiLeaks posts of the CIA’s capabilities, this seems like a threat to all firms. Exposure is not a foregone conclusion, however, as there are many opportunities enterprises can leverage to educate and communicate in order to minimize risk.
With Apple devices, generally the preferred devices for most enterprises, the WikiLeaks documents refer to exploits for devices that rely on iOS version 8.2. Only 5 percent of Apple devices rely on a version older than iOS 9, and 79 percent of Apple devices use the current iOS 10 version of the system. Google also has security updates, but only 2.8% of Android devices have the latest software with security patches released in August 2016. The takeaway is that employees who use “approved” devices are more secure than workers who use unsanctioned devices.
Given the advantages of using approved devices, it’s not completely surprising the most effective mobile policy is one that is paired with mobile provisioning technology. Mobile policy can be enforced with workflow-based approval processes. For example, a portal can limit the catalog to pre-approved secure devices. The approval process for corporate and BYOD devices can feature drop-downs that only offer pre-authorized devices and service plans.
A good mobile policy communications tactic is to take information from the news to remind employees of policy provisions. These types of “reminders” can be posted on corporate intranets and sent periodically to employees.
Keep the communications focused on explaining the risks from unsecured apps and/or public Wi-Fi (where hackers are able to access confidential data on devices) and ways to easily avoid those risks. Stress the importance of accessing the corporate network safely and of using passwords for Wi-Fi networks. Not everyone will have the same technical background or capabilities, so take into account the needs of your workers and offer a range of training options.
Communications should also define what constitutes risky and unacceptable behavior, such as using smartphones to capture photographs of production facilities or whiteboards that have sensitive data. Be sure to communicate the need to use voice-activated calling, hands-free devices and pre-programmed numbers when driving or operating other vehicles. Finally, use pictures that highlight increasingly common dangers from pedestrian injuries while texting, phoning, and emailing colleagues. Leveraging humor, as appropriate, may also help the message resonate with your employees.
Without a carefully planned and executed communication strategy and rollout for training and educating employees on mobile policy, organizations expose themselves to compromised resources, compliance violations, costly liability suits and the potential for irrevocable damage to their reputations. Many employees have no idea that their behavior is risky. Make sure workers have a clear understanding of what’s expected.