Advising end users
Advising your organization’s users on expected and acceptable uses of smartphones, tablets, laptops and desktop PCs
Once devices have been provisioned and distributed to your organization’s employees, it is important that they know what behaviors they need to adopt or actions they need to take in order to keep their devices secure.
In many cases, administrators can use technical controls such as MDM policies and security configuration to help automatically keep devices secure, but sometimes users will have to be informed of expectations and acceptable usage. These procedural controls will be needed to mitigate certain threats.
Why give security advice to end users?
Technical controls are necessary to ensure your organization’s devices meet a minimum level of security. However, there will likely be a number of security policies that cannot be implemented through technical controls such as mobile device management (MDM), and others that could be enforced technically but should not be, because doing so would prevent your users from doing their job effectively. In these cases, you should ensure your users follow the policies and guidance that you give them.
The effectiveness of these policies depends on many things, including:
How easy the policies are for users to follow while still being able to do their job
Understanding how your users really work, and letting that shape your security policies
Your ability to detect violations through logging and monitoring
Communicating effectively with your employees, ensuring they understand the process for reporting issues and why it is important to do so
Reviewing and revisiting security policies, and updating them when necessary
Your organization’s ability to deter violations through HR policies (this should be a last resort)
Providing clear guidance to users of mobile devices should form an important part of any organization’s approach to mobile device security. Efforts should be made to enforce security policies through technical controls where possible, as this leaves users with less to worry about. However, users will always have an important role to play in maintaining the effective security of their device.
It’s important to remember that too much security can result in your employees becoming frustrated and unhappy with their work environment. You will need to find the correct balance between security and usability. User feedback is one method that can help determine if you have got this right.
Preparing to advise end users
User guidance (sometimes “security procedures” or “SyOps”) should be a natural extension of your technical controls, so that the two together mitigate as many risks as possible.
However, you also need to ensure that your user guidance is clear, concise, and can be easily understood and followed by your users. User guidance which is overly complex, onerous, or prevents users from doing their job will not be effective.
Similarly, if non-compliance cannot be detected, or results in no disciplinary action, then it will be equally ineffective.
Your user guidance should:
Mitigate specific key risks to your organization. Security is there to support people in their jobs, not for its own sake.
Tell users how to report issues and provide feedback, to help ensure that policies remain fit for purpose.
Be pragmatic, and enable users to do their job without ‘breaking the rules’.
Be clear about what it requires from users in general when they are using their device.
Be clear about what it requires in specific circumstances (e.g. if a device is lost or stolen).
Cover aspects specific to the device(s) and service(s) your users have, rather than being generic.
Be possible to comply with, and not self-contradictory. For example, remembering multiple long, complex and unique passwords is not possible for most people.
Consider the range of roles that your organization requires of users. You may need different rules and procedures for different users or devices.
In some cases, explain why certain requirements are included, to encourage compliance.
Incorporate feedback loops to ensure that security issues do not recur regularly.
You should also consider developing training packages for users to ensure that they have understood the requirements within their user guidance.
You can also use this training opportunity as a way to educate users on key threats they will face, and how to handle unexpected events. Such sessions can ensure staff are aware of common attacks such as email phishing.
How to develop end user guidance
Most organizations contain a diverse range of employees and job roles. Keep in mind that your user guidance should be accessible to all users of your organization’s devices.
When developing user guidance:
Develop user guidance with specific procedural controls in mind that fill in gaps left where technical controls can’t be used, or do not offer enough flexibility.
Ensure your policies are clear, enforceable and coherent. Test them on a sample of the employees who will use the devices before rolling them out more widely, to see whether users are able to follow your guidance. This testing should vary in content to reflect the diversity and variety of jobs within your organization.
Develop training packages for staff to help ensure they know what is expected of them.
Help your users comply with your guidance by giving them alternatives. For example, password managers might help them comply with password policies, and a privacy screen might help them with physical security.
Consult with your HR department on the enforceability of your user guidance.
Configure audit and monitoring to try to detect violations of your policies or indications of a potential attack. Ensure users are aware that they are being monitored. Users should also be forewarned of the disciplinary action that will be taken if these procedural controls are infringed.
Record acceptance of user guidance by end users, either digitally or with a signature, to reinforce its importance and enforceability.
Disciplinary action should always be a last resort. Instead, you should promote positive security culture, encourage reporting of issues and highlight that security is there to support employees in their jobs.
Recommended policies:
These are examples of policies which the BCSF believes could be included within your guidance. This is not a definitive list.
The intended use of a device. What is expected from users, and what is not permitted to be done on their devices.
What the user’s responsibilities are regarding the physical security of the device. This will include rules on when a device can and cannot be left unattended, and a policy on sharing devices with others.
What’s required from users to comply with your password policy.
How users should avoid being overlooked (e.g. being aware of their surroundings, using a privacy screen).
Policies relating to which third-party applications are allowed, and the permissions users are allowed to grant those they install. For example, only using the enterprise app catalogue, and not permitting apps to access contacts
How to access the IT help desk, including how to authenticate yourself as a user and how to report security incidents
What actions users are required to take (if any) to ensure their device stays up to date.
A policy on permitted personal use (e.g. personal web browsing, installation of applications).
A policy on which Wi-Fi networks users can connect to.
In BYOD deployments, you might also want to include:
Which device(s) are acceptable to access corporate data, including which versions of operating systems and applications.
Which policies are required to apply to the entire device (e.g. a full device passcode or VPN), in contrast to policies that might only apply to a container application. You should ensure users understand that their access may be limited if they do not follow these policies.
Which parts of the device or OS the organization will have control or oversight of.