If you don’t encrypt sensitive and personally identifiable information (PII) on mobile computers, you are at very high risk of having that information breached. Laptops practically scream “Take me!” to any thief who happens to pass by. Yet another of the daily news reports about mobile computer thefts provides a good example of this: “World’s Largest Telco Admits – We Didn’t Encrypt Laptop Data”
The third section of the June issue of my “IT Compliance in Realtime Journal” discusses why every organization that uses mobile computing devices for business purposes must ensure its personnel know and understand how to use mobile computers securely. You cannot expect your personnel to know how to safeguard information and mobile computers if you do not give them training and ongoing awareness on how to do it!
Here’s an unformatted version; you can download a much nicer PDF version of it with the entire June Journal…
—————————-
Mobile Computing Security
Now let’s address the most challenging threat to mobile computing security–the human element. Give your mobile computer and storage device users a short self-assessment quiz or activity as one of your ongoing awareness activities. Make it available online, such as on your information security and privacy intranet site, so that each individual has an easy way to take it and so that you can compile the results and determine where you need to strengthen your mobile computing and storage security and privacy efforts. Provide feedback for each answer based upon your own organization, policies, and procedures.
The following sidebar provides an example of the types of questions you could ask. Use it to brainstorm your own questions that are more specific and tailored to your organization. I have provided examples of the feedback you could use, but be sure to modify it to meet your organization’s needs. It is most effective to use descriptions of actual incidents within your feedback to make it more interesting. Allow each individual to take it anonymously to encourage the most honest answers.
[Sidebar start]
Which of the following methods do you use to protect confidential information on your mobile computing device and mobile storage media?
a. Encrypt the data using a strong encryption solution provided by the organization.
b. Encrypt the data using a scrambling method developed by you or someone else in-house.
c. Use a login password.
d. Use a BIOS/boot password.
e. I don’t do any of these things; I didn’t know I needed to.
f. I don’t do any of these things; they are too hard to do and slow me down.
g. I don’t know whether any of these things are done or not.
General feedback (Remember, you need to expand upon these to fit your own organization) for each of the chosen answers:
a. This is great! You are following the corporate policies. Per policy, you also need to use a login password.
b. You are on the right track, but home-grown scrambling methods are usually easy to defeat; anyone who knows even a small piece of the plaintext, such as a standard file header, can often recover the rest. Use the corporate encryption solution to better secure your data and to be in compliance with corporate policies.
c. This is one very good component of overall data security for mobile devices and follows our corporate policy. Be sure you use it in conjunction with encryption: a login password alone does not protect the data if the drive is removed and read on another computer.
d. This is very good. Using a BIOS, or boot, password is one of the layers of security you need to protect the information on your mobile computing device, but by itself it does not protect the data on a drive that has been removed from the machine. See the corporate policy for the other ways in which you need to be protecting the data on your mobile devices.
e. Many significant incidents have occurred with mobile computing devices and storage media. It is critical that you take appropriate measures to protect the data on your devices. You should use boot and login passwords in addition to encrypting the data. See the corporate policy for details.
f. Yes, some security measures do seem to make it a little more difficult to use your computer or storage media. However, we have worked hard to implement technologies that are as easy and transparent to use as possible. Please contact the Information Security department if you are having trouble using encryption or setting your passwords. You can also see the “Mobile Device Encryption and Password FAQ” on our information security knowledge portal. Using passwords and encryption on your mobile devices is not only important for protecting our business and the data we are entrusted to protect, it is also required by our corporate information security policy, which you can also find on our information security knowledge portal.
g. The Information Security team can help you determine whether you are using encryption or passwords on your mobile devices. You can also see the “Mobile Device Encryption and Password FAQ” and the corporate “Mobile Computing Device and Storage Media Policy” on our information security knowledge portal.
[Sidebar end]
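To make the feedback for answer b concrete, here is an added example (not part of the original post or the Journal) of why an in-house “scrambling” method fails. The scrambler, the sample PII export, the column header and the key are all constructed for this illustration; the scheme is a repeating-key XOR, which is a typical home-grown design. A thief who has only the scrambled file and can guess a few bytes of plaintext, such as the header line of a CSV export, recovers the key and with it the entire file:

```python
def scramble(data: bytes, key: bytes) -> bytes:
    """The hypothetical in-house "scrambler": XOR every byte with a repeating key.
    Because XOR is its own inverse, the same function also unscrambles."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, max_key_len: int = 64) -> bytes:
    """Known-plaintext attack on the scrambler.

    ciphertext XOR plaintext gives the key stream, so the first k bytes of a
    known header yield a candidate k-byte key. The smallest k whose candidate
    reproduces the whole known header is the real key length (a wrong k
    disagrees somewhere inside the header). The attacker never needs the key.
    """
    for k in range(1, min(max_key_len, len(known_plaintext)) + 1):
        candidate = bytes(c ^ p for c, p in zip(ciphertext[:k], known_plaintext[:k]))
        if scramble(known_plaintext, candidate) == ciphertext[:len(known_plaintext)]:
            return candidate
    raise ValueError("no repeating key up to max_key_len fits the known plaintext")


def break_scrambled_file(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Recover the whole file from the ciphertext plus a known prefix."""
    key = recover_key(ciphertext, known_plaintext)
    return scramble(ciphertext, key)


# Constructed sample: a PII export whose header line is predictable. The
# attacker is assumed to know only the scrambled file and this header.
HEADER = b"employee_id,last_name,first_name,ssn,date_of_birth\n"
RECORDS = HEADER + (
    b"1001,Doe,Jane,000-00-0001,1970-01-01\n"
    b"1002,Roe,Rick,000-00-0002,1982-05-17\n"
)
SECRET_KEY = b"Pa55w0rd!Plus"  # hypothetical 13-byte key chosen by the in-house developer

if __name__ == "__main__":
    stolen_laptop_file = scramble(RECORDS, SECRET_KEY)
    print("recovered key :", recover_key(stolen_laptop_file, HEADER))
    print("recovered data:")
    print(break_scrambled_file(stolen_laptop_file, HEADER).decode())
```

The attack works because the scrambler leaks its key wherever the plaintext is predictable, and file formats are full of predictable bytes (headers, field names, boilerplate). A properly designed, organization-provided encryption solution gives an attacker no such shortcut, which is the point of feedback item b.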
There are many more types of questions that you can use on an ongoing basis to keep information security and privacy issues in the minds of your personnel. Such short, two- to three-question self-assessments provide a non-intimidating way to raise awareness of information security issues within your organization and to lessen the probability of incidents caused by personnel mistakes or lack of knowledge.
Additionally, doing such activities will address the many regulatory and legal requirements for providing ongoing awareness. You can either make taking these self-assessments mandatory or motivate personnel to take them by offering prizes, such as restaurant or bookstore gift certificates, or even lunch with the CEO, for participating.
—————————-
Thoughts? Feedback?
Tags: awareness and training, Information Security, IT compliance, laptop theft, mobile computing, mobile computing risks, policies and procedures, privacy training, risk management, security training, stolen laptop