The training module presents statistics about devices lost in airports and follows up with steps people can take to avoid misplacing their gadgets. Then the fun begins. Users assume the role of a Mario-type character in an online game, and they have 90 seconds to find 12 lost or stolen mobile devices in an airport based on the information they just learned. The user-controlled character runs through the airport — complete with check-in counters, a food court, a security conveyor belt and trams between terminals — and there’s a rewarding “ding” for every device the user finds. “Nobody ever gets them all the first time, and they want to play it again,” Lohrmann says.
The state of Michigan is rolling out that training module now, and Lohrmann expects that employees will be as impressed as he was.
“It’s ‘sticky.’ For me, I can’t go to the airport without thinking about that game,” he says. The training module “is doing something that’s going to change people’s behaviors.”
4. The tech genius
Tech-savvy end users can be a security nightmare — especially if they know how to reconfigure their smartphones to give themselves administrator-level privileges.
Solution: Outsmart the smarties
Malware can do a lot of damage on devices that have been altered at an administrative level. And Gartner predicts that by 2017, 75% of mobile security breaches will be the result of misconfigured applications.
Karl Storz takes this threat seriously. “We are an engineering company, and people are tech-savvy here,” O’Brien says. Since smartphones are issued by the company, “I haven’t seen [users reconfiguring their phones], but they could. The information’s out there, and IT can’t contain it.”
The most common platform compromises are “jailbreaking” on iOS devices or “rooting” on Android devices, according to Gartner.
These actions escalate the user’s privileges on the device, essentially turning a user into an administrator. They allow users to access certain device resources that are normally inaccessible, and they put data in danger by removing app-specific protections and the safe “sandbox” provided by the operating system. They can also allow malware to be downloaded to the device and open it up to all sorts of malicious actions, including extraction of enterprise data. These compromised mobile devices are also vulnerable to brute-force attacks on passcodes, according to Gartner. The best defense is to keep mobile devices locked down with mobile device management tools and policies, Gartner says. Security can be enhanced further with app shielding and “containers” that protect important data.
IT security leaders also need to use network access controls to block connections back to enterprise systems for devices that exhibit potentially suspicious activity. Raytheon keeps potentially rogue employees in check by making them acknowledge that they are aware of corporate use and behavior policies. “If they go off and do things on their own . . . they understand that they are violating company policy, and it puts them in an unenviable situation,” Aliber says.
Such policies are part of wider data security strategies that also include using device management software to control configurations, and storing data in the cloud instead of using mobile device storage.
5. The oversharer
Some employees share too much information on social media. Others are too willing to let friends and relatives use their devices.
Solution: Close the loophole
Chris Silvers
Thanks to the rise of social media, organizations that hire lots of young people find themselves dealing with employees who share an unprecedented amount of information publicly — and the implications of this trend are just beginning to emerge. With a social-media-savvy generation entering the workforce, it’s going to be interesting to see how companies handle their sensitive data, says Chris Silvers, principal at C G Silvers Consulting, an Atlanta-based IT security consultancy. “There’s so much information already out there — you just can’t go get it back,” he says.
Employees who share too freely on social media sites become easy targets for scammers who pretend to be co-workers or other acquaintances and try to persuade them to share credentials, passwords or company information.
“Anytime people tie social media to events or work email addresses, it’s a threat” to company data, says Chris Hadnagy, chief human hacker at Social-Engineer Inc., a training and consulting firm. “We find people who use their corporate email addresses for LinkedIn and Facebook. [Scammers] can search these online and then go to posts, blogs, forums where they’ve posted — to find personal things. Those are all vectors” for social engineering scams.
Again, education is key. “Employees need good education to realize that if you have personal stuff out there, then don’t trust everything that comes in” on social media sites or emails, Hadnagy says.
He also suggests setting policies for social media use at work. If it’s allowed, then employees should create work accounts and personal accounts. “Can you still find them on LinkedIn? Sure, but at least that’s one degree of separation,” he says.
Oversharing can also come in more innocent varieties. Lohrmann points to parents who entertain their kids by letting them play games and watch videos on company-owned smartphones or tablets — leaving the devices susceptible to damage or, worse, unauthorized access by hackers lurking on questionable websites. To avoid such scenarios, employers should have written security policies that prohibit use of company-owned devices by friends and relatives.
At the end of the day, IT security leaders say it’s all about balancing flexibility and productivity. “We do allow some flexibility in terms of what we allow people to do” on their mobile phones, says Aliber, noting that some downloading of apps is OK. “But when it comes to protecting company data, there is no flexibility. It’s a managed environment. We’re balancing the need for productivity and the need to help grow the business.”
This story, "5 steps to more mobile-security-savvy employees" was originally published by Computerworld.