Despite abundant evidence that attacks on mobile devices continue to increase, many companies still don’t have a mobile security strategy that combines end-user training with strong mobile content management software.
This is concerning, but not all that surprising when you consider that many companies still don’t have any kind of overall IT security training strategy. The statistics are sobering and constitute a call to action for companies to do a better job protecting employee mobile devices and the data that resides on them.
Similarly, the PwC/CIO/CSO 2018 Global State of Information Security Survey found that 44% of companies do not have an overall information security strategy, and 48% say they do not have an employee security awareness training program, even though mobile device exploitation was reported as the primary cause of the security incidents.
Here are four steps companies can take to develop an effective security training program designed to protect mobile devices:
- Create engaging and relevant programs. Too often, training programs suffer from a lack of engaging and relevant content. Companies need to create security training content that is entertaining and relevant to the specific requirements and use cases of the mobile employee.
- Provide positive reinforcement. Telling people what not to do is not always the most effective approach. A successful program needs to provide positive reinforcement as well. One interesting approach is to deploy gamification programs that provide tangible rewards.
- Don’t let the C-suite off the hook. Training needs to include everyone at the company, including executives at the highest levels. After all, executives typically have the most valuable data on their phones.
- Measure results regularly. Security training is not a one-and-done exercise. Just as hackers are fine-tuning their attack methods, security training needs to adapt to meet the latest threats, and its effectiveness needs to be measured. There’s no point in training people if the information isn’t put into practice.
Back up training with strong software
While security training is important, it’s only half the battle.
“Awareness training is great, but you still need the technology and tools to go with it,” says Bindu Sundaresan, practice lead with AT&T Security Consulting.
All the training in the world won’t matter if the mobile device is lost or stolen. And that happens frequently. According to MobileIron, the percentage of companies with at least one missing device rose from 40% to 44% worldwide last year. To reduce the risk of compromise for lost or stolen devices, companies should deploy the latest enterprise mobility management (EMM) solution and ensure that it includes mobile content management (MCM) capabilities, a segment of EMM that has been growing and is expected to grow further through 2020. MCM focuses on protecting data, through the use of encryption and containerization, so that if the phone is lost or stolen, the data is protected.
Of course, an effective mobile device security strategy starts at the top. CSOs must pull their mobile teams into a larger security training effort that is continually updated to reflect the changing nature of today’s threat landscape.