The second most important BYOD security defense: user awareness

Summary: Outside of the IT department, most users think that viruses are the only threat to their computing equipment. Many believe that malware doesn't affect mobile devices at all. An educated user is a safer user.


Second only to basic security defenses such as firewalls and complex passwords, user awareness is the most important security measure that your company can implement. It might sound trivial at first to say that user awareness is important to security, but it might be the most important non-hardware, non-software solution available. An informed user is a user who behaves more responsibly and takes fewer risks with valuable company data, including email. Not only does user education make the user aware of all the potential dangers of mobile computing, it also places a lot of the responsibility for corporate security onto the user. And that's a good thing.

Management can hang up all the inspirational posters and send out all of the "Five points to remember for safer computing" emails that they want and still have minimal impact on end user behavior. But a formal security course that requires participation and full attention is far more valuable to the company and to the user.

And I don't mean a course that is web-based or self-paced in any way. The course needs to be instructor-led, with participation required of each user. Yes, I know it's more expensive, but how valuable is your data, your intellectual property and your time? I think that you'll find that it's money well spent.

If you don't believe that education works, ask a few questions of your users, such as:

  • Do you understand the security risks of using public Wi-Fi hotspots?
  • Do you know what malware is?
  • Do you understand why it's important to not store company data on your personal cell phone or tablet?
  • Could someone access your data if your computer/cell phone/tablet were stolen right now?
  • Do you know why it's important to keep your computer or device updated with the latest patches?

You'd actually be surprised to know how many IT professionals don't know the correct answers. Training programs don't have to be expensive or extreme. In the simplest of cases, they can consist of a PowerPoint presentation with a list of scenarios, some statistics and Dos and Don'ts that matter to security.

At the end, I suggest using an exam to assess the effectiveness of the course. I also suggest a follow-up discussion to cover any confusing or unclear points. A refresher course every six months would also be a very good idea and it could be as minimal as a two-hour refresher, covering the high points and answering any questions that might have arisen during the discussion.

Users have to understand the risks of jailbreaking devices. They need training to recognize and avoid social engineering strategies and spear phishing schemes. Role playing or actual "pop" tests are a good method of testing your employees' stake in security. These pop tests could be as simple as an employee calling up the main desk and trying to convince someone in the company to give up a user account and password.

Another possibility is to hire someone who poses as a security consultant and see how far into the company he can get before someone stops him. Security consultants are very good at using these techniques to gain access to accounts, server rooms and documents.

My suggestions to begin a security awareness training session in your company are as follows:

  • Hire a good security consultant to advise you through the process or to perform the training.
  • Conduct instructor-led training classes twice per year.
  • Conduct security refresher courses regularly.
  • Perform "pop" tests to evaluate training.

Awareness is important to your overall security defense. Don't discount it. All the firewalls, antivirus software and electric fences won't keep the bad guys out if Bob in Accounting hands over his user account and password to a stranger.

Here are some links to information to get you started with your own security awareness training programs:

Security Basics for Computer Users

The New User's Guide: How to raise information security awareness

Information Systems Security Awareness

How does your company handle security awareness? Do you have a program? Has BYOD heightened your level of security training? Talk back and let me know.


Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.

  • Simple, but true

    Good article Ken... security is often taken for granted (I am definitely guilty of this!), yet the risk is enormous. You are right that the human interaction component is far more persuasive than online or remote training. Direct education will go a long way to improving security.
  • And Set An Example From The Highest Levels

    If the troops see the bosses flouting the official policies just because they're too inconvenient, what incentive do they have to obey?
  • BYOD from a monitoring point of view

    But what do we, as a network monitoring provider, have to do with BYOD and consumerism? One might think, "Nothing, actually. That doesn't concern us. Why should anyone monitor devices that are not always in the network and are not critical to the company? If an employee would tuck the central server or backbone switch under his arm at the end of the day and take it home, that would be a different story. We've never heard of this happening before, so this topic is currently a non-issue for us."

    But it isn't that simple.
  • BYOD and patients

    Text messaging in healthcare is going to be a big challenge, but many are willing to deal with it because of the potential productivity gains. Our hospital put a BYOD policy in place to use Tigertext for HIPAA compliant text messaging, mostly to deal with the reality that the doctors were sending patient data over regular SMS, which is not HIPAA compliant. The reality was that the doctors were doing this because it was more efficient for them. Now we have the doctors using HIPAA compliant Tigertext and the patient processing productivity doubled in the last quarter - a significant business advantage. Yes, BYOD is a big security issue, and yes there are real productivity gains to be had, but IT is going to have to be creative to get them and maintain security.