Security training is a bit like investing in cryptocurrencies. Everyone is talking about it, but far fewer are actually doing it — and of those that have dived in, most aren’t thoroughly prepared.
The problem is that we all know we need mobile security training for employees, but we lack new approaches to improve it. Here are four to try out in 2018.
1. Think like an attacker. Are you already training your employees to recognize phishing via email? That’s a good start, but have you fully accounted for the new threats brought by mobile? Phishing via SMS (“Smishing”) and Voice Mail (“Vishing”) are mobile-specific threats that existing training campaigns might miss — but they’re high priorities for current attackers. Extend your current training program to include these alternative types of phishing to raise awareness.
Attackers are also prioritizing users on mobile devices because of their small screens and on-the-go nature. Mobile end users have less time to think about a message they’re seeing, and some of the visual giveaways for phishing are easily missed on a small screen. Refocus your education on today’s avenue of greatest risk: the mobile device and its user.
2. Target your training. Unfocused mobile security training for every employee tends to result in a lot of resource expenditure and little impact. Instead, focus on the employees who have been proven to engage in risky behaviors. Search the logs from mobile device management systems, anti-malware tools, email security gateways and web proxies to find who is being blocked by access and protecting rules or is encountering malware. You’ll be surprised — almost everyone is — at how much naughty behavior policy control tools are blocking and how many bits of malware are being defanged. (If no one is getting viruses and no one is breaking policy, there’s something wrong with your tools or your logs. Investigate that immediately.)
Some of those people are unintentionally triggering alarms — which is another issue that should be investigated on its own. But others are pushing the edges of corporate policy and are more likely to be the source of a security breach in the future. Schedule some one-on-one discussions with repeat offenders to help them understand the risks they are taking and the potential costs to the organization if they don’t modify their habits.
3. Play “Show and Tell” with security features. When a consumer looks to purchase a new product, one with several (or dozens, if not hundreds) of features — think car shopping, or even house-buying — it’s the positive, differentiating features that help the end user become more intimately involved with the object. The same goes for getting employees to “buy in” to the mobile security products being deployed by your company.
Having IT administrators blanket user devices with new security protocols and solutions without showing functionality will create an inherent distrust between management and employee. Walking through the security process of how the solution optimizes controls while still allowing for maximum productivity — especially a sophisticated, one-stop-shop management tool like Samsung Knox that protects from the chip up — will allay anxiety and distrust between the brand and its employees. Putting the power of the product in the hands of its users will ultimately create a collaborative feel across the business.
4. Keep it constant, and consistent. Sometimes it’s difficult for the IT team to convey details of exactly what’s going on when enhancing security features on any device, or the network as a whole. Oftentimes employees receive a vague email stating there’ll be network or device patches, or even upgrades, without explaining what’s actually going on.
Mobile security administrators need to hold trainings (see Tip #2) and keep communication open, often, for the sake of user knowledge. When a patch is deployed, or a pivot in security service needs to take place (upgrading solutions or moving over to Samsung Knox for full mobile ecosystem security), walking users through the process and what it means to their device — especially in a BYOD environment — will reduce user error and break down the silos that exist between IT and other lines of business.
A “here’s how this works, this is why we need to do it, and why it will enhance your capabilities” presentation or training session will help employees become more knowledgeable, not only about how their mobile security features work, but also why it’s necessary and what it means to the business.
Mobile security training is on everyone’s list. Make an honest effort in 2018 to avoid a security breach.
Take our mobile security assessment to see if your company is covered against attackers — and get some tips to stay ahead of the curve.