Educating employees on how to protect data on their smartphones and tablets is crucial to bring-your-own-device (BYOD) security, according to a panel of security experts.
At the Cisco BYOD panel discussion today, Cisco’s chief security officer, John Stewart, said that majority of staff try to safeguard their devices but are not equipped with the knowledge to secure them effectively.
“Most employees are trying to do the right thing, never forget this,” he said.
“They’ll make mistakes, but they’re not trying to deliberately hurt the company, they’re not trying to deliberately lose information, they’re not trying deliberately to lose a thumb drive.
“On the other hand, they are also very rarely fully knowledgeable on what it is you have to do to protect stuff.”
Telstra’s chief information security officer, Glenn Chisholm, agrees. He also placed the onus on organisations to provide staff with sufficient BYOD security information on how to protect data on their devices or risk a security breach.
“You need to enable your people to do the right thing,” he said. “If you can’t control your current fleet, BYOD won’t solve your problems.”
Chisholm added that an organisation’s IT department should be responsible for educating employees about BYOD security and “empowering” them by providing appropriate security tools to protect themselves.
“There is a misunderstanding about what an IT department does,” he said.
“The IT department is there to enable business. If the IT department can’t communicate to staff to understand business, then you haven’t structured the department correctly [and] you don’t have the right people in the department.
“This is empowering people to understand what they need to do to make themselves safe… But do you actually make the security tools available to these people so that they know they have the ability to secure their devices?”
However, Craig Valli, Edith Cowan University’s head of computer and security science, said that the IT department are the “worst people” to teach employees about BYOD security because they have one particular world view and fail to look at technology from a business perspective and how it is a “business enabler”.
In addition to education, Scott Cass-Dunbar, a director with KPMG’s IT advisory practice, said that having a flexible, simple and well-designed security policy is also important in helping people understand security implications and may deter employees from trying to bypass strict security rules.
Follow Diana Nguyen on Twitter: @diananguyen9
Follow Computerworld Australia on Twitter: @ComputerworldAU