Improve mobile device management through building a security culture

By Jonathan Crowl

Business technology continues to proliferate and grow more complex, with enterprise security threats evolving to new levels of sophistication. The most pressing security challenges companies face have nothing to do with mobile device management; rather, they concern the role employees should play in keeping enterprise networks safe.

Enterprises can invest millions in security solutions, but it’s impossible to replicate the value of an employee doing his or her part to avoid vulnerabilities. A study from CompTIA finds that more than half of all data security breaches are caused by human error, with 42 percent of breaches caused by a failure to follow established policies and procedures.

Another 42 percent of breaches were caused by employee carelessness, and 31 percent of breaches were caused, at least in part, by a lack of employee education about new threats facing their cybersecurity efforts.

Effective security starts by getting employees to buy in to an organizational culture, but this is easier said than done for many companies. Here are some steps you can take to build a better security culture that will motivate employees to avoid errors and oversights that can result in a breach.

Frame security as a team goal, not an individual threat

Instead of telling employees that they may lose their jobs if they fail to support security, introduce a cultural shift toward security awareness as an organizational goal, similar to how businesses have used the “X days since an accident” campaign. Employees are more likely to embrace these changes when they are framed as a company-wide movement, rather than an executive attack on individual workers.

To that end, it may be beneficial to offer rewards as an incentive for compliance. These could be given out for completing security training programs, or for going a certain period of time without being flagged for behaviors that could potentially lead to a data breach.

Provide ongoing, consistent training on mobile device management and security

Employees may cringe, but trainings are a necessary educational tool in the quest to improve enterprise security. These trainings can include large sit-down sessions led by IT, or can be as simple as email updates to alert staff to new threats and discuss how to avoid them.

According to CNET, organizations can make these security sessions easier on employees by keeping the messaging and training short and sweet. Long emails or day-long training sessions are going to offer diminishing returns, and some employees may tune out entirely. Consider using infographics, videos and other visual content to increase engagement with this essential information.

Run periodic phishing tests

Some employees struggle to identify the difference between legitimate email content and phishing scams. IT can help employees develop these skills by running occasional phishing simulations: The company can send out its own replica phishing email and track how many employees click.

Once the scam has run its course, IT can send out a second email that shares the results with employees and explains how they might have identified potential threats and alerted the company without clicking on phishing email links. Practice makes perfect, and this can reduce company exposure if and when a real phishing scam strikes.

Teach from real-world examples

You don’t have to limit your training to examples of attacks that directly threaten your company. When a big security breach is in the news, use that case as a teaching example to educate employees. For example, a prominent breach of a major company could be used to show the importance of installing patch updates to address vulnerabilities.

Using real-life examples to address security issues helps put a face to the issue, and it keeps employees informed about the security threats targeted at modern enterprises. It’s a simple way for IT to help the organization learn from another company’s mistakes, potentially saving the organization from a similar breach in the future.

Let employees know how they’re doing

If you’ve recently launched an initiative to build a security culture and improve employee training, don’t leave workers in the dark about their progress. Provide monthly or quarterly updates to share the results of the initiative and its efforts.

If your company has historically seen a high frequency of employees clicking on phishing emails, send out periodic updates that share the data on how your training and awareness efforts have been reducing this figure. Allow employees to share in your success and revel in the progress that has been made. Security is a collective effort, and seeing their efforts bear fruit can encourage employees to embrace their role in mobile security even further.

Building a culture of security takes time, but it will pay off in a big way if employees finally buy in to their role as active defenders of your enterprise network. This improved awareness, combined with the mobile device management security already installed at your company, will provide the organization with a powerful, multilayered defense against potential attacks and breaches.