Security awareness for Bring Your Own Device
Introduction and scope of the topic
“Bring Your Own Device” (BYOD) - corporations allowing employees to use their personally-owned ICT gadgets for work - is a hot topic. We first noticed BYOD appearing in the computer press about a year ago. Now it seems to be on everybody’s watch list for 2012, the benefits for both employers and employees making this a trend that’s hard to ignore.
Under a BYOD scheme, employees get to play with their familiar high-tech gizmos such as smartphones and tablet PCs, while the corporation tries to keep a lid on the associated information security issues. BYOD involves a delicate balancing act for management: on the one hand encouraging employees’ creativity without, on the other hand, impacting productivity and security. Security awareness is an essential safety net.
BYOD being a relatively immature area, in the course of researching it we have read a lot of glib statements in the security press, a fair number of scare stories and lots of marketing drivel from vendors desperate to steer the PR bandwagon in their general direction. Several journalists recommend “a BYOD policy”, for instance, but actually finding BYOD policy examples on the Web proved virtually impossible.
The NoticeBored security awareness materials start by recommending that management sets up a BYOD Council to govern BYOD, and gives direction through strategic decisions and policies concerning BYOD. Management’s appreciation of BYOD risks is therefore a prerequisite. The awareness module then picks up on a number of information security issues that we have covered before - areas such as securing portable devices, network security, authentication and malware - and discusses them in relation to BYOD.
Learning objectives
We have designed and prepared this month’s BYOD security awareness module with the following learning objectives in mind:
- Bring managers quickly up to speed on the benefits and risks arising from BYOD, emphasizing the need for governance, strategy and policy;
- Inform general staff and IT employees about BYOD, setting the context and expanding on the risks and controls;
- Motivate employees to sign up for BYOD, formally accepting the policies and hence agreeing to the key controls.
Your learning objectives may be different so please think about what you want to achieve by promoting BYOD security and feel free to adapt or elaborate on the NoticeBored materials.
Awareness materials provided
As always, we supply a stack of awareness materials to our subscribers, probably rather more than any one organization would plan to use unless its awareness program is already mature:
February’s security awareness module is supplied to NoticeBored subscribers as a ZIP archive containing the following unlocked and fully-editable files:
Making the most of your NoticeBored subscription
We are keen for customers to fulfill the learning objectives outlined above and extract every ounce of value from their NoticeBored subscription, hence the ‘train the trainer’ guide in every module suggests ways of using the latest batch of awareness materials to best effect. It proposes some related awareness activities and references additional resources.
The distribution mechanisms and activities you choose depend on your organizational circumstances and needs. Here are our main suggestions for the BYOD security awareness module (there are more in the ‘train the trainer’ guide provided):
- Take up the idea of a BYOD Council with management as a way of focusing their attention and getting traction on the associated governance issues.
- Schedule meetings with relevant managers to discuss matters raised in and arising from the elevator pitch, management and executive briefings, strategy paper, Board agenda etc. Work closely with the CIO, IT Director or IT Manager this month since BYOD is on his/her home turf.
- Compare and contrast the three NoticeBored sample security policies with yours (if you have them already). Adapt them as necessary, get them authorized and publish them in the normal way (preferably in the Security Zone).
- Print and distribute the newsletter, staff, management and/or technical briefings, FAQ, take home messages and top tips, the glossary, bookmarks and possibly one or more of the mind maps on paper as desk-drops, awareness leaflets etc.
- Email selected BYOD awareness materials to receptive colleagues as tasters for the materials available from you or on the Security Zone.
- Cut-and-paste interesting sections, news stories or quotes from the NoticeBored materials into your internal staff newsletters, company magazines, management reports or other internal employee communications, training courses etc. Feel free to use the poster images and other embedded images if appropriate.
- Supplement the NoticeBored awareness materials with other stuff on BYOD that you have written or obtained independently.
- Pin up the posters in your ‘security corners’ in place of any old ones.
- Print the stickers onto borderless A4 sheets of 16 stickers (e.g. Avery L7162), or adapt the format to suit your blanks.
- Present the PowerPoint presentations at facilitated seminars, team meetings etc. If possible, introduce guest speakers (such as IT Help Desk, HR or internal communications people) to talk about BYOD. Seminar leaders should be familiar with the content of the slides and the speaker notes, and may benefit from the more detailed NoticeBored briefings, mind-maps etc. Prepare handouts such as the seminar speaker notes, briefings, mind maps, acceptable use policy etc.
- Set up a manned conference-style presentation stand on BYOD in a suitable location (e.g. the staff restaurant). Put up the posters and have the policies and other briefing materials available to hand out. Make the experience fun, for instance using giveaways, surveys, quizzes and other competitions to engage with your audience.
- Work through the case studies, discussing the BYOD security issues raised. By all means adapt the scenarios with something closer to home.
- If permitted under your security policies, install the screensavers on corporate PCs, or use them as projector displays in the reception area or staff restaurant if you like.
- Decide what prizes to award, if any, then circulate the security crossword and security test to employees. Publish details of the previous winners along with the solutions to last month’s crossword and test, and send them their prizes. [There’s a menu of possible prizes in the Information Security 101 module.]
- Run the awareness quiz as a lunchtime or after work session, in a local café or bar if appropriate.
- Publish the awareness survey on your intranet Security Zone or circulate it by email, on paper or even better in person to gather awareness metrics and feedback from your audiences. Solicit and record relevant comments and suggestions from respondents for use in other awareness activities, management reports etc.
- The job description is a template from which you may develop your own job description and/or vacancy notice for a BYOD Analyst. If you don’t presently have someone in this role, it may be worth discussing with management.
- Use the internal controls checklist to review the security controls in your organization relating to BYOD. Internal Audit will probably be interested in the results and may help out.
- In conjunction with HR/Training, select any suitable items from this module to incorporate into your new employee security induction or orientation pack, taking the opportunity to review and update the pack and supplement those from the Information Security 101 module. Similarly, decide whether any of the materials would be useful in other technical or business training courses, including Computer Based Training on BYOD, mobile/portable IT, home working, network security etc.
NoticeBored is for you, yes you!
If this brief outline of our latest awareness module intrigues you, why not contact us to evaluate NoticeBored? We’ll send you a complete module (as it was delivered to our customers), plus an evaluation license for you to try it out. There’s no commitment and no charge to evaluate the product. Find out what makes NoticeBored different and discover what led ENISA to describe us as “best practice experts” in security awareness.
We can even help you build your budget proposal to invest in security awareness. When finances are tight, remember that awareness is the most cost-effective form of security. A dollar spent on improving security awareness achieves much more than a dollar spent on implementing security technologies. Alert, security-aware employees who appreciate the symptoms of security attacks or incidents and know how to respond are far less likely to succumb, while security-savvy IT pros are more likely to make use of the expensive security technologies you already have. Making managers conscious of the information security risks facing the organization, along with their options for treating them, is step 1 on the road to information security glory.
Make information security everyone’s business with NoticeBored.