Dealing with the Careless Mobile Worker

Mobile workers have been in our midst for years. In the past, working from home involved a personal computer that was located in one room with a modem or ISDN connection at best. The changes to the model are incredible. Mobile workers now work in an office without walls. Mobile workers can be around the world, relaxing on a beach, submitting work from a coffee shop, accessing organizational infrastructure from the ski slopes or downloading sensitive documents from 38,000 feet in the sky. The opportunities for mistakes that lead to data loss have grown exponentially.

The office without walls, coupled with the vast consumerization of devices that can now access the organizational infrastructure without actually being issued by the company, has become a troublesome recipe for carelessness and data exposure. Tablets and smartphones were not designed with security in mind, but rather to please the user. Its now more important than ever that companies help ensure their mobile workforce is as secure as possible, no matter what device they choose.

The key to the implementation of any security and privacy program rests with education. Companies must educate their mobile workers on the security controls required for all devices. Training programs that help show them how to maintain the privacy of their information and that of the organization need to be setup
and regularly updated. Additionally, employees need to be periodically reminded of the controls, threats and vulnerabilities of their devices and the potential risks all mobile workers face while working remotely. If employees are properly educated, the need for additional and more costly security may potentially be avoided.

Tailor the Message

As a rule of thumb, training and awareness messages that are targeted to a specific audience’s needs will be easier to implement and more effective. However, wider and more general events reach more people with a “big picture” awareness message, and can set the stage for later, more targeted security and privacy education.

Methodologies for enhancing communications include the following:

• Evaluate the most effective way to influence the target audience based upon age group learning methods; then tailor the style, content and messages to reach them.
• Incorporate real-life mobile worker situations learned from past experience and incidents to demonstrate positive actions taken by employees that resulted in early detection and prevention.
• Deliver messages about privacy and security to employees in a manner that aligns with where they work and how they work.
• Publish training materials in as many formats as possible (e.g. workshop, books, videos, podcasts, etc.) in order to reach as many people as possible

Efforts to educate employees have a great impact on the image of the careless mobile worker. The more companies provide timely, relevant and useful information, the more employees understand and adhere to organizational security and privacy policies. Programming employees is a method of education, training and awareness repetition. It conditions them to standard methods of mobile device protections that become commonplace.

Highlight Available Physical Controls

Protections of a technical nature, such as virtual private networks, data encryption, access methods, software updates, and automatic data wiping, can be centrally distributed and managed to help mitigate mobile worker risks. However, in order for these physical controls to work, employees must also be educated on their use and common best practices for using mobile devices.

The following are examples of standards, guidelines and procedures for employees that effectively keep the costs of mobile security and privacy at a low level.

• Do not leave mobile, wireless devices or cell phones unattended, and make sure that add-on modules and accessories are adequately protected when not in use.

• Do not share mobile devices, cell phones, or calling cards.
• Be extra vigilant when storing data on mobile computing devices, such as smartphones, tablets, cell phones, laptops, and personal electronic devices. Because of their small size and portability, these devices are especially vulnerable to physical security risk and should always be kept locked up when not in use.
• Cover laptop and tablet displays with a privacy screen when working in public places to prevent nosy neighbors from viewing sensitive information.
• All laptops that store personally identifiable information (PII) must be secured using a whole-disk encryption solution to protect the sensitive information stored on them.
• If a device is lost or stolen, immediately report the loss to security and privacy points of contact.
• If the device contains PII, follow any other procedures your organization has implemented regarding the compromise of PII.
• Do not leave portable electronic equipment unattended when traveling. Monitor it closely while checking in at an airport or hotel counter and while passing through airport security checkpoints. If you must leave the equipment briefly unattended in a hotel room, secure it to a desk or table with a cable lock or keep it in a hotel provided safe if available.

Identify the Appropriate Mix of Education Solutions

The key issue to mobile security and privacy is that no single security solution will work, given the nature of the mobile environment. Extending the existing security infrastructure for mobile devices simply is not cost effective. Organizations must educate their employees using continuous messaging across every available medium. The messaging needs to be timely, relevant and useful to the employee, and delivered in such a way that is memorable and consistent.

Educating staff can become the most effective control when it comes to implementing policies across the board. It is one of the best controls for the security of consumer devices in the workplace that is cost effective for the enterprise and easy for the staff to implement.

Making Educational Messages Relevant to Employees

Making educational messages relevant to your employee’s work environment is important to getting the message heard. In order to achieve this, tone and objectives for creating relevant content materials need to be defined. To create relevant and interesting content:

• Keep messages simple and actionable
• Use examples that resonate personally with employees, focusing on known outside activities, activities related to age groups and ethnicities
• Describe stakes for the company as employee action impacts company reputation
• Deliver content through a variety of channels (audio, video, text, tweets, images, podcasts, vodcasts, webcasts, etc.)
• Refresh content regularly based upon current event topics and known incidents
• Be sensitive to cultural context
• Give Security and privacy awareness campaigns brand identity
• Stress experiential learning using real life examples while creating positive actions as the poster child for proper behavior

Tailor Education Programs to Worker Age-Groups:

The changing demographics of the workforce require a change in the methods of education. In the past, offering a single information security and privacy training over the course of the year seemed to be sufficient to educate employees. However, the security and privacy landscape has significantly changed over the years.

Matures, or people born before 1946 are retiring from the workforce. Their learning requirements are much different than Baby Boomers, people born between 1946 and 1964. Baby Boomers are apt to learn through workshops, lectures, books and materials as well as course based learning. Generation X, or people born between the years of 1965 and 1981 enjoy hands on learning, exploration, role playing and learning that is supposed to be fun. While Millennials or Generation Y, people born after 1982, learn through Web 2.0 type delivery such as blogs, videos, podcasts, and mobile devices (iPods, tablets, smartphones) in short bursts of information.

Information on the changing workforce can be used to further differentiate your target audience and will aid in determining the right tone and message type to effectively communicate to your employees.

Did you know?

• 67% of employee expose sensitive data outside the workplace, risking visual data breach.¹

¹Thomson, Herbert H, PhD. “Visual Data Breach Risk Assessment Study,” 2010. People Consulting Services.

3M is a trademark of 3M Company. ©2015, 3M. All rights reserved.